1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
2695s
max time network
2583s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30/10/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

8^/10

defense_evasion discovery execution motw persistence phishing spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
517	3644	powershell.exe
519	5764	powershell.exe
521	6796	powershell.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	DeviceCensus.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5796	powershell.exe
2936	powershell.exe
6580	powershell.exe
4300	powershell.exe
5592	powershell.exe
2356	powershell.exe
3708	powershell.exe
6776	powershell.exe
5104	powershell.exe
2128	powershell.exe
5328	powershell.exe
2880	powershell.exe
6320	powershell.exe
5224	powershell.exe
1168	powershell.exe
5352	powershell.exe
2196	powershell.exe
3212	powershell.exe
3144	powershell.exe
6808	powershell.exe
5340	powershell.exe
4604	powershell.exe
4452	powershell.exe
6596	powershell.exe
700	powershell.exe
5008	powershell.exe
4528	powershell.exe
4112	powershell.exe
6776	powershell.exe
600	powershell.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
482	camo.githubusercontent.com
483	camo.githubusercontent.com
485	camo.githubusercontent.com
501	camo.githubusercontent.com
715	discord.com
479	camo.githubusercontent.com
591	discord.com
592	discord.com
652	discord.com
651	discord.com
706	discord.com
486	camo.githubusercontent.com
498	camo.githubusercontent.com
594	discord.com
643	discord.com
593	discord.com
705	discord.com
480	camo.githubusercontent.com
481	camo.githubusercontent.com
484	camo.githubusercontent.com
590	discord.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
1401	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	DiscordPTBSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Update.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	DeviceCensus.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	DeviceCensus.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\LICENSE	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\_metadata\verified_contents.json	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5504_1945147560\neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1391917286\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1391917286\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5504_611135898\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1391917286\Google.Widevine.CDM.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1391917286\manifest.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5504_1796530414\manifest.json	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe

Executes dropped EXE 53 IoCs

pid	Process
4112	AnyDesk.exe
544	AnyDesk.exe
1336	AnyDesk.exe
1604	AnyDesk.exe
6080	AnyDesk.exe
4252	AnyDesk.exe
6984	DiscordSetup.exe
6932	Update.exe
2728	DiscordSetup.exe
6240	Update.exe
5460	DiscordPTBSetup.exe
576	Update.exe
2880	DiscordPTBSetup.exe
6652	Update.exe
2100	DiscordPTBSetup.exe
6684	Update.exe
6416	Update.exe
6600	Update.exe
4700	Update.exe
7000	Update.exe
3944	DiscordSetup.exe
328	Update.exe
6516	DiscordSetup.exe
6924	Update.exe
3944	Discord.exe
6052	Discord.exe
7152	Update.exe
4720	Discord.exe
5356	Discord.exe
6600	Update.exe
5504	Discord.exe
5956	Discord.exe
272	Discord.exe
7136	Discord.exe
7164	Discord.exe
6184	Discord.exe
6764	Discord.exe
6468	Discord.exe
6600	Discord.exe
6948	Discord.exe
6972	Discord.exe
6588	Discord.exe
6224	Discord.exe
3076	Discord.exe
7164	Discord.exe
4272	Discord.exe
6440	gpu_encoder_helper.exe
6572	gpu_encoder_helper.exe
7072	gpu_encoder_helper.exe
4192	Discord.exe
6212	Discord.exe
7860	Discord.exe
6276	Discord.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3848	sc.exe
3980	sc.exe
6344	sc.exe
3532	sc.exe
3436	sc.exe
5912	sc.exe
3744	sc.exe
4256	sc.exe
2880	sc.exe
4208	sc.exe
5544	sc.exe
3744	sc.exe
6160	sc.exe
4580	sc.exe
5344	sc.exe
440	sc.exe
4652	sc.exe
6424	sc.exe
7140	sc.exe
7096	sc.exe
1456	sc.exe
5656	sc.exe
6160	sc.exe
6004	sc.exe
940	sc.exe
3312	sc.exe
1752	sc.exe
1884	sc.exe
404	sc.exe
4160	sc.exe
4796	sc.exe
600	sc.exe
1376	sc.exe
1904	sc.exe
5468	sc.exe
4236	sc.exe
5612	sc.exe
3816	sc.exe
6468	sc.exe
100	sc.exe
6060	sc.exe
5164	sc.exe
1176	sc.exe
1252	sc.exe
3148	sc.exe
4128	sc.exe
5044	sc.exe
6236	sc.exe
6644	sc.exe
2180	sc.exe
2936	sc.exe
4112	sc.exe
3264	sc.exe
6600	sc.exe
2412	sc.exe
5152	sc.exe
844	sc.exe
3204	sc.exe
3472	sc.exe
852	sc.exe
5544	sc.exe
416	sc.exe
4524	sc.exe
2604	sc.exe

Loads dropped DLL 56 IoCs

pid	Process
1336	AnyDesk.exe
544	AnyDesk.exe
3944	Discord.exe
6052	Discord.exe
4720	Discord.exe
5356	Discord.exe
4720	Discord.exe
4720	Discord.exe
4720	Discord.exe
4720	Discord.exe
5504	Discord.exe
5956	Discord.exe
5504	Discord.exe
272	Discord.exe
7136	Discord.exe
272	Discord.exe
272	Discord.exe
272	Discord.exe
272	Discord.exe
7164	Discord.exe
6184	Discord.exe
6764	Discord.exe
5400	taskmgr.exe
5400	taskmgr.exe
6468	Discord.exe
6600	Discord.exe
6468	Discord.exe
6948	Discord.exe
6972	Discord.exe
6588	Discord.exe
6948	Discord.exe
6948	Discord.exe
6948	Discord.exe
6948	Discord.exe
6224	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
7164	Discord.exe
4272	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
3076	Discord.exe
4192	Discord.exe
6212	Discord.exe
6212	Discord.exe
7860	Discord.exe
6276	Discord.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO0E66D5FD\Update.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0E6F48CD\Update.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DiscordPTBSetup.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4604	PING.EXE
816	cmd.exe
1700	PING.EXE
6628	cmd.exe
6668	PING.EXE
4872	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
7152	ipconfig.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\URL Protocol	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9168\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{8A2740B7-6063-4A7A-BD27-15DF83EABF3C}	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{19532DAA-E9B1-4373-85A6-C85134C47F75}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9168\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	DiscordPTBSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9168\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9168\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Discord	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
404	reg.exe
408	reg.exe
7016	reg.exe
7060	reg.exe
4128	reg.exe
5404	reg.exe
416	reg.exe
5476	reg.exe
2128	reg.exe
2336	reg.exe
4284	reg.exe
4912	reg.exe
5764	reg.exe
6800	reg.exe
844	reg.exe
1600	reg.exe
7044	reg.exe
4036	reg.exe
6112	reg.exe
3192	reg.exe
3312	reg.exe
3708	reg.exe
2356	reg.exe
5596	reg.exe
3144	reg.exe
5068	reg.exe
456	reg.exe
940	reg.exe
4436	reg.exe
5476	reg.exe
6108	reg.exe
6864	reg.exe
1356	reg.exe
5764	reg.exe
7152	reg.exe
6196	reg.exe
4452	reg.exe
5504	reg.exe
5352	reg.exe
6176	reg.exe
4192	reg.exe
4072	reg.exe
6628	reg.exe
1176	reg.exe
6632	reg.exe
2184	reg.exe
2000	reg.exe
4580	reg.exe
1752	reg.exe
2444	reg.exe
6180	reg.exe
2184	reg.exe
5496	reg.exe
3264	reg.exe
5068	reg.exe
2020	reg.exe
6832	reg.exe
5764	reg.exe
5832	reg.exe
4556	reg.exe
7160	reg.exe
4528	reg.exe
7148	reg.exe
4192	reg.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DiscordPTBSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0E66D5FD\Update.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0E6F48CD\Update.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7128	NOTEPAD.EXE
2564	NOTEPAD.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1700	PING.EXE
6668	PING.EXE
4604	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4432	AnyDesk.exe
1336	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	AnyDesk.exe
4524	AnyDesk.exe
4524	AnyDesk.exe
4524	AnyDesk.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
5340	powershell.exe
5340	powershell.exe
5340	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
5352	powershell.exe
5352	powershell.exe
5352	powershell.exe
3364	WMIC.exe
3364	WMIC.exe
3364	WMIC.exe
3364	WMIC.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
5352	WMIC.exe
5352	WMIC.exe
5352	WMIC.exe
5352	WMIC.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
5352	powershell.exe
5352	powershell.exe
5352	powershell.exe
852	WMIC.exe
852	WMIC.exe
852	WMIC.exe
852	WMIC.exe
1804	WMIC.exe
1804	WMIC.exe
1804	WMIC.exe
1804	WMIC.exe
5504	powershell.exe
5504	powershell.exe
5504	powershell.exe
5576	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4044	AnyDesk.exe
1604	AnyDesk.exe
5400	taskmgr.exe
5856	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	AnyDesk.exe
Token: 33	4112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4112	AUDIODG.EXE
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	4112	AnyDesk.exe
Token: SeDebugPrivilege	4112	AnyDesk.exe
Token: SeDebugPrivilege	544	AnyDesk.exe
Token: 33	2460	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2460	AUDIODG.EXE
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	5340	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	5352	powershell.exe
Token: SeDebugPrivilege	1420	firefox.exe
Token: SeIncreaseQuotaPrivilege	3364	WMIC.exe
Token: SeSecurityPrivilege	3364	WMIC.exe
Token: SeTakeOwnershipPrivilege	3364	WMIC.exe
Token: SeLoadDriverPrivilege	3364	WMIC.exe
Token: SeSystemProfilePrivilege	3364	WMIC.exe
Token: SeSystemtimePrivilege	3364	WMIC.exe
Token: SeProfSingleProcessPrivilege	3364	WMIC.exe
Token: SeIncBasePriorityPrivilege	3364	WMIC.exe
Token: SeCreatePagefilePrivilege	3364	WMIC.exe
Token: SeBackupPrivilege	3364	WMIC.exe
Token: SeRestorePrivilege	3364	WMIC.exe
Token: SeShutdownPrivilege	3364	WMIC.exe
Token: SeDebugPrivilege	3364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3364	WMIC.exe
Token: SeRemoteShutdownPrivilege	3364	WMIC.exe
Token: SeUndockPrivilege	3364	WMIC.exe
Token: SeManageVolumePrivilege	3364	WMIC.exe
Token: 33	3364	WMIC.exe
Token: 34	3364	WMIC.exe
Token: 35	3364	WMIC.exe
Token: 36	3364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3364	WMIC.exe
Token: SeSecurityPrivilege	3364	WMIC.exe
Token: SeTakeOwnershipPrivilege	3364	WMIC.exe
Token: SeLoadDriverPrivilege	3364	WMIC.exe
Token: SeSystemProfilePrivilege	3364	WMIC.exe
Token: SeSystemtimePrivilege	3364	WMIC.exe
Token: SeProfSingleProcessPrivilege	3364	WMIC.exe
Token: SeIncBasePriorityPrivilege	3364	WMIC.exe
Token: SeCreatePagefilePrivilege	3364	WMIC.exe
Token: SeBackupPrivilege	3364	WMIC.exe
Token: SeRestorePrivilege	3364	WMIC.exe
Token: SeShutdownPrivilege	3364	WMIC.exe
Token: SeDebugPrivilege	3364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3364	WMIC.exe
Token: SeRemoteShutdownPrivilege	3364	WMIC.exe
Token: SeUndockPrivilege	3364	WMIC.exe
Token: SeManageVolumePrivilege	3364	WMIC.exe
Token: 33	3364	WMIC.exe
Token: 34	3364	WMIC.exe
Token: 35	3364	WMIC.exe
Token: 36	3364	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4532	AnyDesk.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
6932	Update.exe
1420	firefox.exe
6240	Update.exe
576	Update.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
4432	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe
5400	taskmgr.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4044	AnyDesk.exe
4044	AnyDesk.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1604	AnyDesk.exe
1604	AnyDesk.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
1420	firefox.exe
6380	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4524	4532	AnyDesk.exe	82
PID 4532 wrote to memory of 4524	4532	AnyDesk.exe	82
PID 4532 wrote to memory of 4524	4532	AnyDesk.exe	82
PID 4532 wrote to memory of 4432	4532	AnyDesk.exe	83
PID 4532 wrote to memory of 4432	4532	AnyDesk.exe	83
PID 4532 wrote to memory of 4432	4532	AnyDesk.exe	83
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1784 wrote to memory of 1420	1784	firefox.exe	102
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 32	1420	firefox.exe	103
PID 1420 wrote to memory of 716	1420	firefox.exe	104
PID 1420 wrote to memory of 716	1420	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4044
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7539adb-f3b7-4809-ac47-08a2ab03232a} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" gpu
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d89db420-af28-4696-a8ae-2cd5f6c3091f} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" socket
    3⤵
    PID:716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3012 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8b003f4-8430-4c28-921f-cb44e42dc6f5} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3708 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd356cc-3338-4d70-b7d5-fd32f3f69266} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:4672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc75ace-6c75-47b0-9d4d-7c50fb334224} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" utility
    3⤵
    - Checks processor information in registry
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2153d4e-5233-4444-8683-b3f2153c5d0d} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5148 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48b2b6c8-ddd7-4de7-93ef-f11e380702ce} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {681f9710-5eb3-426d-970b-62413ce6a483} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 6 -isForBrowser -prefsHandle 5772 -prefMapHandle 6108 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb5e35b6-52bc-406f-bcd5-9c0559ae5735} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6284 -childID 7 -isForBrowser -prefsHandle 6176 -prefMapHandle 6168 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e68ac7f6-72bf-4f8b-a6c1-f2e40e59dc5f} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6420 -childID 8 -isForBrowser -prefsHandle 6468 -prefMapHandle 6476 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {265e550c-aafe-41ed-ab0c-e6c664fca080} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 9 -isForBrowser -prefsHandle 6076 -prefMapHandle 6068 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a5530f-3de1-446b-861b-0d6a72a9387b} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6796 -childID 10 -isForBrowser -prefsHandle 6748 -prefMapHandle 6776 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac31b105-fdb6-4023-a80d-e2a517ae99c6} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6948 -childID 11 -isForBrowser -prefsHandle 7024 -prefMapHandle 7020 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14fce8b2-cef3-4b84-8bbf-5bf8bb2c082f} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7180 -parentBuildID 20240401114208 -prefsHandle 6920 -prefMapHandle 7148 -prefsLen 31215 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da073e78-6fcd-4d26-90a8-574507457c8c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" rdd
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7212 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7024 -prefMapHandle 7200 -prefsLen 31215 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9348f847-554e-4d4b-b0a7-e7b3b775b083} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" utility
    3⤵
    - Checks processor information in registry
    PID:6116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7532 -childID 12 -isForBrowser -prefsHandle 7504 -prefMapHandle 7512 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700eee6f-4e65-4230-bd96-b0032b72b54e} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:1868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7752 -childID 13 -isForBrowser -prefsHandle 7672 -prefMapHandle 7676 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41511fa2-ce2b-400c-9737-7c144e3453a1} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7892 -childID 14 -isForBrowser -prefsHandle 7672 -prefMapHandle 7716 -prefsLen 28497 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ddd7df2-1934-4262-be1d-d322e370b15c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8340 -childID 15 -isForBrowser -prefsHandle 8332 -prefMapHandle 6684 -prefsLen 28537 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e13097ae-816d-412d-be4d-95a75a04cdd1} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8492 -childID 16 -isForBrowser -prefsHandle 6168 -prefMapHandle 8188 -prefsLen 28537 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d3f65e-0f9b-4edf-ba87-591ac6d44136} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:324
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:544
    - - C:\Users\Admin\Downloads\AnyDesk.exe
        
        "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1604
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7476 -childID 17 -isForBrowser -prefsHandle 6640 -prefMapHandle 5648 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9773de56-ec08-4845-ba89-bf0e3d4c342f} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6692 -childID 18 -isForBrowser -prefsHandle 8320 -prefMapHandle 5668 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd259408-9a55-4d5a-8b95-107eeb296181} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8772 -childID 19 -isForBrowser -prefsHandle 8320 -prefMapHandle 9032 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb8756f5-3661-4964-a002-3d98cb49d844} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6864
- - C:\Users\Admin\Downloads\DiscordSetup.exe
    "C:\Users\Admin\Downloads\DiscordSetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6984
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:6932
- - C:\Users\Admin\Downloads\DiscordPTBSetup.exe
    "C:\Users\Admin\Downloads\DiscordPTBSetup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5460
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:576
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
      4⤵
      System Location Discovery: System Language Discovery
      Opens file in notepad (likely ransom note)
      PID:7128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6524 -childID 20 -isForBrowser -prefsHandle 6676 -prefMapHandle 9036 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebd9c388-9206-4228-b8ff-bd33a9cab79c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8976 -childID 21 -isForBrowser -prefsHandle 9384 -prefMapHandle 7524 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2daf97-9d11-4f33-b6b9-4f3604f49add} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8576 -childID 22 -isForBrowser -prefsHandle 9012 -prefMapHandle 9020 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b68c39e9-faea-4b95-ae32-c1085f0d8f6e} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:7008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8696 -childID 23 -isForBrowser -prefsHandle 8708 -prefMapHandle 1532 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8acd92f6-5905-47ec-9249-71fab74803a9} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 24 -isForBrowser -prefsHandle 8128 -prefMapHandle 7892 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db89ab3c-de32-4a4d-af95-d81b5651b319} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:7620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9384 -childID 25 -isForBrowser -prefsHandle 9500 -prefMapHandle 6244 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bedc4bc-91f5-47ed-8a18-94054151d84b} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:7128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9952 -childID 26 -isForBrowser -prefsHandle 9964 -prefMapHandle 9988 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba63c233-2420-4769-9f96-ffedc1552c0c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10220 -childID 27 -isForBrowser -prefsHandle 9612 -prefMapHandle 9400 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d7906fb-0f83-4e2e-abf5-ef0409bdf949} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10356 -childID 28 -isForBrowser -prefsHandle 10364 -prefMapHandle 10372 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f1ad3ee-aa29-4c20-be24-fc54d88943d8} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10368 -childID 29 -isForBrowser -prefsHandle 10408 -prefMapHandle 10404 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d87d492-8e81-489c-bf47-d765d6bc3f75} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11192 -childID 30 -isForBrowser -prefsHandle 11184 -prefMapHandle 11176 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f66f995-94dc-463e-a270-3387221f6e18} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:7544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11184 -childID 31 -isForBrowser -prefsHandle 11280 -prefMapHandle 11284 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63676a9e-5ee5-4990-8eb4-5532b06b3930} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11816 -childID 32 -isForBrowser -prefsHandle 11932 -prefMapHandle 11820 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc96bc00-95bc-4585-b03f-60f19fcfafe6} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6480 -childID 33 -isForBrowser -prefsHandle 10012 -prefMapHandle 10188 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec09893a-5c25-41b3-a9f2-b6a6f1848baf} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:7816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -childID 34 -isForBrowser -prefsHandle 8236 -prefMapHandle 9812 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7e694e1-4443-49b6-a321-cf6973ba6d9a} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9560 -childID 35 -isForBrowser -prefsHandle 12016 -prefMapHandle 12020 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c005444-42fa-42a6-b38c-9f538701a647} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12364 -childID 36 -isForBrowser -prefsHandle 8432 -prefMapHandle 12396 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ff03cda-c664-49a4-b5e2-0903ce1bec3c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:4560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12688 -childID 37 -isForBrowser -prefsHandle 12772 -prefMapHandle 12768 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28420935-e52a-4ed2-b5eb-67774ae0c4b1} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12928 -childID 38 -isForBrowser -prefsHandle 12660 -prefMapHandle 12664 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93407a42-ab4f-45c5-9ac3-12df0d03d2df} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:6612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12340 -childID 39 -isForBrowser -prefsHandle 12936 -prefMapHandle 8472 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e5735ab-a74e-49c4-a0d9-4a2d753ca4a1} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8016 -childID 40 -isForBrowser -prefsHandle 13220 -prefMapHandle 13216 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adc4bcb4-6603-4430-904c-04ab0c72054c} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13328 -childID 41 -isForBrowser -prefsHandle 13336 -prefMapHandle 13340 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834b8ea9-1ff9-4431-93f2-89161b0e06fb} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 42 -isForBrowser -prefsHandle 13220 -prefMapHandle 13368 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ff18b14-bc69-4874-99f5-0ad504a7d010} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11712 -childID 43 -isForBrowser -prefsHandle 13716 -prefMapHandle 13640 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19645389-d072-4b53-9807-7ae7978dc055} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13724 -childID 44 -isForBrowser -prefsHandle 13836 -prefMapHandle 13840 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4882fd27-5ff3-4bd9-9d11-0593e8ddf8dc} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14012 -childID 45 -isForBrowser -prefsHandle 14020 -prefMapHandle 14024 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b270118-7934-42ec-ae87-6dbfabe50ae0} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14216 -childID 46 -isForBrowser -prefsHandle 14224 -prefMapHandle 14228 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fad82c2-aacb-42a4-80bc-50da3b8b5a70} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13792 -childID 47 -isForBrowser -prefsHandle 13816 -prefMapHandle 13828 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be4107be-4569-4d8c-bbcb-50aee63584ae} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14296 -childID 48 -isForBrowser -prefsHandle 13696 -prefMapHandle 13700 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b9c809e-e9d4-4ffc-8626-71290198e2ac} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13716 -childID 49 -isForBrowser -prefsHandle 13604 -prefMapHandle 13744 -prefsLen 28593 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaca984b-a345-4fcd-961d-76708c05e40e} 1420 "\\.\pipe\gecko-crash-server-pipe.1420" tab
    3⤵
    PID:8460
- - C:\Program Files\Mozilla Firefox\crashreporter.exe
    "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\minidumps\6aff06f9-977c-4d38-a0e9-bffa4a819786.dmp"
    3⤵
    PID:9632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1752

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6080

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:6060
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2936
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4716
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:4580
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:4368
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4252
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1904
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:476
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:3816
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:1448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:2004
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5100
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:5836
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:5612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:6056
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:3264
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2980
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:2412
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:5404
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:5676
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:2336
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:5152
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:3760
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:4796
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:5596
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:3400
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1016
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:3680
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5352
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:1448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4872
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:2664
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:3312
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:4272
  - - C:\Windows\System32\find.exe
      find "127.69.2.7"
      4⤵
      PID:5520
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:3860
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:4960
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:5644
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:3436
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:5052
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:756
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:5612
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:2104
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:5656
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:2252
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:2196
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:1456
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:5544
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2184
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5148
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5868
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5744
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      PID:404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:5476
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:4580
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      PID:4644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      PID:4256
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      PID:1664
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:2128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:4368
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1904
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:6068
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:3204
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:3680
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5020
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:2928
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:4960
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:3472
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4604
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:4460
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
      4⤵
      PID:404
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:6108
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5352
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:5496
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5644
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:4648
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:4128
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:816
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1700
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:2980
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5708
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5404
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:5796
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4796
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5596
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4268
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:2336
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      PID:5008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:4192
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      PID:6052
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:3708
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:4284
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:1252
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:3744
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:440
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:5912
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:1176
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1752
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:844
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:5764
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:5068
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      PID:4528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:5832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      PID:5508
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:2356
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      Modifies registry key
      PID:4912
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5344
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:3204
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      PID:4644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:940
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      PID:1536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:408
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:5496
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      PID:5548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      PID:4548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      PID:3388
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:3148
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5612
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:4436
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      PID:4980
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3264
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:1356
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      PID:4460
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      PID:5148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:5596
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      PID:4268
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:4796
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:1456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      PID:5744
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      PID:5144
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      Modifies registry key
      PID:5476
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:4452
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      PID:4252
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      PID:1548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      PID:5924
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:440
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:5912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      PID:1176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:1752
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:844
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      Modifies registry key
      PID:5764
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      Modifies registry key
      PID:5068
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:4528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:1600
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:3816
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:4256
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:5504
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:3144
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      PID:520
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      PID:5052
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      PID:3184
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:5352
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:2444
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:3192
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:3472
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4128
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5468
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:4112
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:2412
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:5656
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:852
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3264
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4236
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:5044
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5148
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5544
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:416
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4796
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5152
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:2880
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4192
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:4524
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:404
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4580
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:1252
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:2604
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3744
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4208
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:5836
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:100
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:4820
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:5020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "13" "
      4⤵
      PID:3144
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:5012
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:5052
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:3184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5352
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:852
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5404
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:5164
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:5148
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:2252
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:3400
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:5008
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:456
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:6052
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:6108
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:1904
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:4452
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:1188
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:5924
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:2184
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:5664
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5504
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:5656
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:5548
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:3192
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:5148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4452
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:4208
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      PID:3184
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:2084
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:5496
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
      4⤵
      PID:4436
  - - C:\Windows\System32\find.exe
      find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
      4⤵
      PID:4900
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
      4⤵
      PID:5868
  - - C:\Windows\System32\find.exe
      find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
      4⤵
      PID:4236
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
      4⤵
      PID:1356
  - - C:\Windows\System32\find.exe
      find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
      4⤵
      PID:4604
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
      4⤵
      PID:5044
  - - C:\Windows\System32\find.exe
      find /i "ed655016-a9e8-4434-95d9-4345352c2552"
      4⤵
      PID:4344
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
      4⤵
      PID:5156
  - - C:\Windows\System32\find.exe
      find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
      4⤵
      PID:2412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"
      4⤵
      PID:4192
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:3744
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:1252
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:5460
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:5012
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:5468
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "
      4⤵
      PID:2444
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:5496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:4900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3708
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:3364
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temE85D.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:6108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5148
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:4784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3144
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
      4⤵
      PID:4236
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:1356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
      4⤵
      PID:2880
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b -1073740956
      4⤵
      PID:408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:4540
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:5468
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
      4⤵
      PID:2472
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
      4⤵
      PID:6108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:3212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5796
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2936
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:6456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:7004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
      4⤵
      PID:7052
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b -1073740956
      4⤵
      PID:7088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:7104
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:7112
  - - C:\Windows\System32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:7152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
      4⤵
      Blocklisted process makes network request
      PID:3644
  - - C:\Windows\System32\findstr.exe
      findstr /i "PurchaseFD DeviceAddResponse"
      4⤵
      PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
      4⤵
      Blocklisted process makes network request
      PID:5764
  - - C:\Windows\System32\findstr.exe
      findstr /i "PurchaseFD DeviceAddResponse"
      4⤵
      PID:4252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"
      4⤵
      Blocklisted process makes network request
      PID:6796
  - - C:\Windows\System32\find.exe
      find /i "traceId"
      4⤵
      PID:6868
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
      4⤵
      PID:6832
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess
      4⤵
      PID:6536
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:6816
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations
      4⤵
      PID:6484
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:6492
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
      4⤵
      PID:6532
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:6640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      PID:6924
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:7044
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:7016
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      PID:7028
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      PID:6188
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:6180
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      PID:6148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:7064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType
      4⤵
      Modifies registry key
      PID:7060
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges
      4⤵
      PID:7096
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions
      4⤵
      Modifies registry key
      PID:7148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
      4⤵
      PID:7120
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
      4⤵
      PID:7116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo
      4⤵
      Modifies registry key
      PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:6068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6580
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:3848
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5412
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:5544
  - - C:\Windows\System32\choice.exe
      choice /C:10 /N
      4⤵
      PID:2980

C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4284

C:\Windows\system32\usoclient.exe
"C:\Windows\system32\usoclient.exe" StartScan
1⤵
PID:5924

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=ed655016-a9e8-4434-95d9-4345352c2552;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4344

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:5344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
1⤵
PID:5496
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o
  2⤵
  PID:5052
- - C:\Windows\system32\Clipup.exe
    "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temE773.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:6248

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6684

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6720

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6080

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:7144

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5356

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\93459e19-7193-4bc6-b2f6-34b714d42316_Microsoft-Activation-Scripts-master.zip.316\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:6784
- C:\Windows\system32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:6160
- C:\Windows\system32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5064
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:3436
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:3484
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4548
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1196
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:2792
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:3944
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:2180
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\93459e19-7193-4bc6-b2f6-34b714d42316_Microsoft-Activation-Scripts-master.zip.316\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:5008
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:1000
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:4652
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:6236
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:6732
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:6316
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:6600
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:7164
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:6736
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:5416
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:2928
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:6592
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:6644
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:6632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6596
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:7156
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6808
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:6832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:6396
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:6468
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7000
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:476
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:7136
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:7124
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:6160
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:5064
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2412
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:3484
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1376
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:4036
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:3944
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:5744
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5328
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:6224
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:600
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:6756
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:6628
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6668
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:7152
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:6608
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:6584
  - - C:\Windows\System32\find.exe
      find "127.69.2.7"
      4⤵
      PID:6764
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:6648
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:5156
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:5592
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:700
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:6684
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:6704
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:5612
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:5764
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:6692
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:7128
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:6052
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:4344
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:6892
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:6836
  - - C:\Windows\System32\mode.com
      mode 76, 25
      4⤵
      PID:6820
  - - C:\Windows\System32\choice.exe
      choice /C:120 /N
      4⤵
      PID:2604
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:6884
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:6108
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:6260
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5452
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:6596
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1384
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:844
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1448
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:7084
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      PID:3184
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      PID:7136
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:3312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:4072
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:4128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      PID:4548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:5404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:4036
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6004
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:5220
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:5744
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:7092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:6520
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:3268
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:5408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        
        PID:4048
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:5928
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:4632
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:3364
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:1456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6320
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:6316
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:6348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:700
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
      4⤵
      PID:6632
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:7156
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:7124
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:852
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:2412
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:1376
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:5816
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5304
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:6096
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:7076
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:1220
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6488
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6272
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5908
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      PID:4244
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      PID:6748
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:4192
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:4556
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      PID:2880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:416
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:2020
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:4048
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6236
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:6240
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:2044
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:600
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:3980
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:6644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      PID:6664
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      PID:6476
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      Modifies registry key
      PID:7152
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      PID:6668
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      PID:7164
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:6864
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:6628
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      PID:6364
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      PID:6312
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:6344
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:5764
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:6112
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      PID:6712
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      PID:4284
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:7160
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:6800
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      PID:7128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:6632
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:3532
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:940
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      PID:6456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:6832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      PID:6884
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      PID:6468
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      PID:1448
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      PID:6972
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:2184
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      PID:6820
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:3744
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:100
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:6196
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      PID:2568
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      PID:5664
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:1176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      PID:3400
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:2000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      PID:2604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:6108
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:6424
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      PID:3448
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:3312
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:6160
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:3436
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4548
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1376
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:1884
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5816
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2180
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:7140
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5744
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:6060
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:7096
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:6520
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:5164
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:3680
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:4244
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:5832
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:6224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5008
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "15" "
      4⤵
      PID:2088
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:600
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:6672
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:6584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      PID:6296
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:3848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:6364
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:6624
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:6676
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:6428
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:6348
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:6536
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:6868
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:6632
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:6892
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:5080
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:6184
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:6808
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:328
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:844
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:1448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:6596
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:4460
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        
        PID:5488
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:6160
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:5104
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:2412
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:5404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:1884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:6740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2880
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:2928
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:6360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      PID:6864
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul
      4⤵
      PID:6684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value
        5⤵
        
        PID:6544
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:6324
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:6676
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
      4⤵
      PID:7128
  - - C:\Windows\System32\find.exe
      find /i "59eb965c-9150-42b7-a0ec-22151b9897c5"
      4⤵
      PID:3212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="KBN8V-HFGQ4-MGXVD-347P6-PDQGT"
      4⤵
      PID:6848
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:5140
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
      4⤵
      PID:6972
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        5⤵
        
        PID:1448
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
      4⤵
      PID:6820
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
      4⤵
      PID:2184
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
      4⤵
      PID:6524
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\59eb965c-9150-42b7-a0ec-22151b9897c5" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"
      4⤵
      PID:2000
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\59eb965c-9150-42b7-a0ec-22151b9897c5" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:3184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:6260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:6600
  - - C:\Windows\System32\find.exe
      find /i "STOPPED"
      4⤵
      PID:6056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:6956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2128
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:3744
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temD24B.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:7032
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:5248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5224
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
      4⤵
      PID:6932
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:6752
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE" 2>nul
      4⤵
      PID:6004
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE
        5⤵
        
        PID:5928
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(6952834)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul
      4⤵
      PID:6984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$([DateTime]::Now.addMinutes(6952834)).ToString('yyyy-MM-dd HH:mm:ss')"
        5⤵
        
        PID:6772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect"
      4⤵
      PID:2980
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
      4⤵
      PID:7164
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
      4⤵
      PID:1828
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
      4⤵
      PID:6624
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
      4⤵
      PID:6708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
      4⤵
      PID:5284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5592
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6324

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:6520

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:5832

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7160
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temD151.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:4160
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3212

C:\Users\Admin\Downloads\DiscordSetup.exe
"C:\Users\Admin\Downloads\DiscordSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:6240

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5400

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4632
- C:\Users\Admin\Downloads\DiscordPTBSetup.exe
  C:\Users\Admin\Downloads\DiscordPTBSetup.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6652

C:\Users\Admin\Downloads\DiscordPTBSetup.exe
"C:\Users\Admin\Downloads\DiscordPTBSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6684

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DiscordPTBSetup.exe"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:5856
- C:\Users\Admin\AppData\Local\Temp\7zO0E66D5FD\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E66D5FD\Update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6416
- C:\Users\Admin\AppData\Local\Temp\7zO0E6F48CD\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E6F48CD\Update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6600

C:\Users\Admin\Downloads\Update.exe
"C:\Users\Admin\Downloads\Update.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700

C:\Users\Admin\Downloads\Update.exe
"C:\Users\Admin\Downloads\Update.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SquirrelSetup.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2564

C:\Users\Admin\Desktop\DiscordSetup.exe
"C:\Users\Admin\Desktop\DiscordSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3944
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19223:82:7zEvent18459
1⤵
PID:848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6380

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Discord-1.0.9168-full.txt
1⤵
PID:5228

C:\Users\Admin\Desktop\DiscordSetup.exe
"C:\Users\Admin\Desktop\DiscordSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6516
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6924
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --squirrel-install 1.0.9168
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3944
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9168 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x52c,0x538,0x520,0x530,0x540,0x7ff64495a538,0x7ff64495a544,0x7ff64495a550
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6052
  - - C:\Users\Admin\AppData\Local\Discord\Update.exe
      C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7152
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,10718721979717942755,403831703237127783,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4720
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2480,i,10718721979717942755,403831703237127783,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2372 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5356
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:6176
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
      4⤵
      Modifies registry class
      PID:3860
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
      4⤵
      Modifies registry class
      PID:4432
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe\",-1" /f
      4⤵
      Modifies registry class
      PID:4464
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe\" --url -- \"%1\"" /f
      4⤵
      Modifies registry class
      PID:6464
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --squirrel-firstrun
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:6468
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9168 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x524,0x528,0x52c,0x518,0x530,0x7ff64495a538,0x7ff64495a544,0x7ff64495a550
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6600
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2180,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6948
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2388,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6972
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2600,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2596 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6588
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3988,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3964 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6224
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4148,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4144 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Checks processor information in registry
      PID:3076
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
        5⤵
        Executes dropped EXE
        
        PID:6440
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
        5⤵
        Executes dropped EXE
        
        PID:6572
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
        5⤵
        Executes dropped EXE
        
        PID:7072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
        5⤵
        
        PID:3268
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6440
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4208,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7164
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4352,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/handoff?rpc=6463&key=a6399062-4b52-43ad-979e-b407c43c90a7
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffb0c2a46f8,0x7ffb0c2a4708,0x7ffb0c2a4718
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:7448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
        5⤵
        
        PID:7456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        5⤵
        
        PID:7524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        5⤵
        
        PID:7752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        5⤵
        
        PID:7764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        5⤵
        
        PID:3668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5888 /prefetch:8
        5⤵
        
        PID:5516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,17371936452644559061,668298425714432905,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5628 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:1368
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=1172,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2596 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4192
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3504,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6212
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4128,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4176 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7860
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4524,i,12223541886657941364,12009163998177672499,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4512 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      PID:6276

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6600
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:5504
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9168 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x544,0x540,0x53c,0x54c,0x480,0x7ff64495a538,0x7ff64495a544,0x7ff64495a550
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5956
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2344,i,1370949502509873577,16610815177921661597,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2336 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:272
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2528,i,1370949502509873577,16610815177921661597,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7136
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
    3⤵
    - Modifies registry class
    PID:404
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2988,i,1370949502509873577,16610815177921661597,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2984 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7164
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
    3⤵
    - Modifies registry class
    PID:5508
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe\",-1" /f
    3⤵
    - Modifies registry class
    PID:3076
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe\" --url -- \"%1\"" /f
    3⤵
    - Modifies registry class
    PID:6100
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4164,i,1370949502509873577,16610815177921661597,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6184
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4216,i,1370949502509873577,16610815177921661597,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8168

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:9076

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1328

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9288

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:9800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
997c02c58d08084dc3add213a1423bea

SHA1
bdebad616f5973c24bee81f28ff3d7977f6df586

SHA256
fac11bfc9d31501b72fb52424cb32d99aa57087f6ff8bf077edcf308e3948215

SHA512
291101ad29d84d4f51eed691454ba65d7b2df1b2a07e28bea7a48ccd3433675fa0c10cfab06aae9ec2bccfdbcaf3749deb30e6a1a9f4dce902e6a0c450cf5f61

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
899B

MD5
923ce4120dffd5255bfccd38b53d9403

SHA1
49a6ee78cc1616864e2e35b76396add0452ee09c

SHA256
f7a53c5a32dd9fbd55a36bdb756f33ecf0f42f25eca8b6fafabd1fc516659e24

SHA512
5338a2425a753c1438447c1715443d3be21013e0a665a5b1c0ac1f1ecf474368bff9ad131ac7e8f94b4a75cfaa74fb976661d90181ca6ada109492efefdc1568

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\DiscordPTB.exe.sig

Filesize
1KB

MD5
b5e920fb8e65c77c1bec5cce4bebacae

SHA1
0f1e879ef99e9f15df77455e0bfca66f0652591a

SHA256
ed47b60c34893f19a66691d8391cc4d436b8b8d0a8d8277dbb110922956b4e4c

SHA512
61e3a66d938fbb68fd29905e9604ac50810077f750f01efe473baca375c0b3f8b7649e51734995d080e81415171eb7621a8896310de28e0aa5b92b5f9f03be9f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\chrome_100_percent.pak

Filesize
147KB

MD5
3c72d78266a90ed10dc0b0da7fdc6790

SHA1
6690eb15b179c8790e13956527ebbf3d274eef9b

SHA256
14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7

SHA512
b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\chrome_200_percent.pak

Filesize
222KB

MD5
3969308aae1dc1c2105bbd25901bcd01

SHA1
a32f3c8341944da75e3eed5ef30602a98ec75b48

SHA256
20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6

SHA512
f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\d3dcompiler_47.dll

Filesize
4.5MB

MD5
3507d4d7f5b34f9ce62075a2c4fb853b

SHA1
c99f57be359d72f01c1b58cc696797790260c142

SHA256
9489124759292316d11eae5ffb67b74bfaf0e1853b968137b047567f31c76232

SHA512
7c690e6f8cc6ba24889e9492569eec107842bda361066e08b799a9198b8efa28f12d910437600161f0b85faeb3af8b87815ebf0fb681042d5a5f8dd6f3066c86

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\discord_wer.dll

Filesize
444KB

MD5
49af04e46f42d400ed3885a46964a6c7

SHA1
ebf03f48598fda81907919b83e72d6cdc74eb716

SHA256
4e35c499dc71ec160e00a410c9d5cb35598dc755cc12d66282d6a9be77f133c8

SHA512
78988e664c94fb53c93c33084fb00e1be745bdcf97fc9860e0116e51c4efbdc099893abb84642cd662e5528d0ff5944f328fb941a2ba0f3b30a466d6dbc0e53f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\ffmpeg.dll

Filesize
4.2MB

MD5
c01a8a5007088b9537aad639c3c554a0

SHA1
10146445a17a973a65ac76f1d3140afbcb1b3308

SHA256
14142f17c60ab5ba782208344b9775eaf53a0732a997aaf6e0bc3dba5a3c0bcc

SHA512
84cbe9560c49987a775d58401071e31af6584fe5ab4a24f2ff9feee6740b3739c86c88775f53b1f1eb07912a42ab7210c769a60e67df19af4733ff3f8ec978ba

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\installer.db

Filesize
20KB

MD5
4e05c2789db59c88a783184e6362339c

SHA1
722ab2189e5e34c40eb3f3bb90d084e00c4f705e

SHA256
2d22f2d88e374a61e0f6323ce46c9759319a5b567e1eb2f1d2d4bd0015359ba8

SHA512
a2ac268b8f8b08b403440d04c1a30e80f5b39ad0f13ae1cc6a3f11ba8f9f30a212940bb47b46eb00f0a5d511ecff92f068a33835203640d0feb5dd47c2d67c44

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\libEGL.dll

Filesize
479KB

MD5
a1726290a21548d9d485fd9ec8017bd3

SHA1
e928e66eed6d62ef25f4b2dc1bb57e4ddf668ef8

SHA256
d207033766ec35292e6be95c6dc3f3e2715fa6327d9eb0837dd7d8ce50b05c67

SHA512
736bf5d37bd325d80f8baa7206fe6138c805b354675a99856831f1a3f50418d458c1c7ae91a5855fbaa2f40ac3d0056bdba5e7c1443ab00a450493a6da47f8c2

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\libGLESv2.dll

Filesize
8.0MB

MD5
6598c970030d23b14ef7bbd8c2db3954

SHA1
dcda2bef70990f75ea1e7db7980c136a9cff9c2f

SHA256
9e3669074c8c3cbe2f83120ce9d4d68fd0cdb33383339ab5b4c12804e95a0af3

SHA512
fa0fc46d1df2fd1bd40eab41dd2512dc0a3c60460967bb0cf3a7e524d153e4bc65ea433f3dce80d3b792e3e57aefa1073bd2a136314d0cbb484f7c34549f49b6

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\af.pak

Filesize
508KB

MD5
09455048c30cecbb17d6e0e95e4c01da

SHA1
6572850b07df45933ed57754f72c44895a7ef662

SHA256
e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa

SHA512
f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\am.pak

Filesize
822KB

MD5
1c47cbc228940f5c645f2fd77602253e

SHA1
474a5006ae9ae774b5d420c2f1fb0d0f2ff36afb

SHA256
5245154c986ca89ef53a24a4246345e3db01ebe47219f1d0772935b03e81e37b

SHA512
dd4e7c1e26759001ab1ef63f93e847e2908c78d943c7546c88e1988d96a6625f9de9e0ab8b38af4c7b07202e1a5488023cc3429075de6c9b9394307c88442673

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ar.pak

Filesize
901KB

MD5
513e6bea67200feef37fb2e8c7fcec36

SHA1
b0edbb5846b8ddfd95ad74905e890892192279d3

SHA256
00a9c88b644807369637ddb78d9832d7137b5f1c64ca9720a36bfccea8c38d98

SHA512
fbc184640fc419b50f6b1a78168a9efb63f8ac4c151baed17b5e9b9d333a360dce109351654ebf1c71c97471917c922456cf9c816118c6c781efdee14d8360fb

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\bg.pak

Filesize
938KB

MD5
e1322b5cdbb96d2cf4a5fa5993c2acc6

SHA1
e813a5685b1885c2788c4826a8f8659493febbf5

SHA256
39707fb80e38e9404accac5f12ff1f3745589bd80b1586e2208b27c0c8eafcc2

SHA512
2c6e766d671bc4ac772196e40b818039fc88f02eeaa59f78c78558e5e2670c1fb7fed9391684160c0af5a92acf8991533b298b5aabc3919c706f23f094f2ac15

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\bn.pak

Filesize
1.2MB

MD5
880e325d5643051ad7e29c2280fab954

SHA1
cc46cff349031f9036cafafd3c091d1a5ab93f2f

SHA256
2fbcb9524eba04637e3f6c2874f7fce917326ba90877e1715eae4b35f141dd3d

SHA512
d16d085bd51ad267738c649f6bbfb15b8ce5ac73b838cfb7e2ab0f4c135317c358b83a7b5d3506c492f75b97edb8d1eeee9733d12c9eca1bc51012d660b9e912

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ca.pak

Filesize
571KB

MD5
84b1e5be23e838708773d4e022f99986

SHA1
53e411d571605a0a86a1040bff32a5e951ce9ee8

SHA256
faff0931e9479b76d2b6247739d4f934023a64bbe8578be08e2dd0eb053231f6

SHA512
8afc396b859fbd0c03d1b7604f5cd80d41fd8e3df52ab88ba22a31a6a0df447671377f2ad0f6797682da6aa32d7c779defa1097ee140af207adc94575957fca8

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\cs.pak

Filesize
589KB

MD5
709ed2e9426081c9e86d9abdc74b44a3

SHA1
f55fc17c8b9bc5f09a539ecb8b995c1b43fc4d25

SHA256
6597d0dadf724999741e0f24953ce9be02c8b98ecb8a382115b205edde87c160

SHA512
992ba983cb8b24bf0ff190715c5845f34b13f17227486350fc736c872ac8f0b21347f5f6d13e2e204e928ec664e283ca65b65f72d9910725f55d737b6c5fda40

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\da.pak

Filesize
533KB

MD5
96bbef1eee0b0a197ec834839c00e11c

SHA1
35adba0aafbb4d19015e11dde1f37de87292252d

SHA256
600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c

SHA512
e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\de.pak

Filesize
569KB

MD5
3a9f06d1708b7620e2639851024ed0b8

SHA1
51c0d824bf38250ec0aae58e63141489931f02ec

SHA256
91da97794994f6544707299fee6b775745dc3891fc879d8e8a05844c6383eb53

SHA512
08e80783de403651af208387a3191db30d1353cc25f310c917a1133b2622e4b6809bc2bd881517678e9229e6492705c5f45be3e849c0512c4a651c5b7026c926

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\el.pak

Filesize
1.0MB

MD5
4009c890acb9b81928e6e1a4b593dd62

SHA1
83083e9c948ebba18fa990e230ee33fceae43cbc

SHA256
897b6fae230e6a3cd14e16eb537f96d820950f5a4537fe146a732ab028b7124d

SHA512
b4c87024d3cd612b8af6f73b31853936614f4315ba9a48b4687120dc64e1794c568c4e074e41ae6f8dedeab61484e145dc0ca3bdb95482fd85492fddc26ab6ce

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\en-GB.pak

Filesize
463KB

MD5
ceba44242f8b24b70c9b59b5094d8da8

SHA1
84e16c522ad397289a923e5cd4b012e2d323af4e

SHA256
b0fd61679565a7649c90214efecdf6e1231a8e7895dad93452bfa1425417d5b7

SHA512
31cd936157a7408a43dcba597f6e098499dd4c5fc011ef818ce93eb7a05c9d354229c3b2295dbc290a6d3f3600373f18f75b334ba9013a5dc0be44c82f2e51bd

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\en-US.pak

Filesize
467KB

MD5
d47cded365a28d27906414035c1cb3ca

SHA1
429123c86f6ca48a89bedc9a26027e01508e6db9

SHA256
46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c

SHA512
1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\es-419.pak

Filesize
562KB

MD5
ae62374bc2e71d9abed6e0c1d4bfe309

SHA1
624a8210376e11814485fe90a8825bb6ca883188

SHA256
48bd8f17823ce0f0a6f1c9fda020d5b5655e2419634f92725ab263339d9a321a

SHA512
345794d617dd3aa200ca248566e9ba36dc846af9afe259545b5a61e787b1b52e112c7eb68bc025b0d2076790a4b77a82a724bc213fad9f0f38db6054332bfced

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\es.pak

Filesize
562KB

MD5
070cbd6f42db1cb9b6a2f74e03d6b124

SHA1
f8830e1c8a601123d85fd75188ed01833f910691

SHA256
91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4

SHA512
2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\et.pak

Filesize
511KB

MD5
294c830b9e6667c8d5e7287cabd6a4b6

SHA1
52f44b97b71624bee6360301e8f6f34cfa428e72

SHA256
198674c98f10c36205161e382cc31560a4bf0de5f597a0c65f7f95777dc9bb24

SHA512
ade98fa9cc25148979f325660ed3f0f649a38709ea34b759796c4e202b3c30e76da3b8c17ecf2e1948db4a5be26af23c3a6e6b28f9445ceff68d251a5645db5b

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\fa.pak

Filesize
836KB

MD5
e5d53b9d5756871d684d018fb0c745b5

SHA1
b00a40704c91b33c2aa0f6829ae3dd886ba7177d

SHA256
8b93023af6428322b9b13aca5da9bd395a9c4775c72b758df8eb564d35d15cbd

SHA512
e722f114485cbbb5284d23f1ad1061213f40083c5da2ac9753e1416f75f7cee9d8315e6f4582322d992beb9a8cacefb607ee0b1737e3a6da775fc059a17c3fb1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\fi.pak

Filesize
521KB

MD5
925f45e80be419aa0125096ebb81a23f

SHA1
e73a32362952dc0aea997ee408da090f1886a438

SHA256
bf20054eb68d3d67d17d2a8c594d896c9c33fbbd562535d0c7e6cf6c940a8732

SHA512
8510e2e9749b4342eb8d79bbfb983c43293f7f37d138464c96053a79685c578a148dd54013d211b02115256f174f51a74ca9155883055801bbe146053de52eb0

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\fil.pak

Filesize
590KB

MD5
a96f6f164897e62c984e9a61f6c3f7cb

SHA1
3ab2a714eb8e9b57e8a39792d152606ba0ef6a3a

SHA256
ff21df22f24c92a06f6bbda2c70b57e098d7bb6754988a5ada087aed9bc8b8af

SHA512
cd522884b66c940d64eb1377f9dd60143ae984fa7d144aa9d83b82a006b5da2ee9eabdcf046d362b2096d8a6b8486f36a10ac9f0642bb8cfb1e7903fda4c41f9

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\fr.pak

Filesize
608KB

MD5
fe0ea306a7b48ee2750af3a263d9f3d1

SHA1
877968909cfbbe499911b4d8b807a593c4be52c7

SHA256
955de4737419c06609227c63c2fbba7c8abf497fb976c99a4dc9f5d5105afbd1

SHA512
07978311caa9be82bd398100d1d8367c5ca840ffcc166b73aeea0bc7c86b53db13bf648decfb3f54a43b9d199e0d98fcd29fdfb291a703502369b025eccdf872

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\gu.pak

Filesize
1.2MB

MD5
cd212ed25482d2b5a246440b62c4fbbf

SHA1
197f3616dec4fb308e0ec5a17458ef8a2d027cd1

SHA256
0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37

SHA512
207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\he.pak

Filesize
734KB

MD5
06e89cfa4c6f4bfb7aaead492c4f08f2

SHA1
39d943e0eb1637cd3f5a7b66ebcd28e76c89aaeb

SHA256
6b7937f16ae53457ac9a0c18fbac68b2076200b0fc98cb781415fdaf18c49301

SHA512
8b6d33657eda8a3f1d1bfd55135de88953d21916e72df646fec2b5f5b17e9e15849f428b0fd83143f375ada174aa953be8f07fa8ba90ca4d07dd1b859d034b4c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\hi.pak

Filesize
1.2MB

MD5
e3b31e519b925414176ef2d9546c356c

SHA1
7cebb1c5fd9c78f704bb9e5c463f67c5426d0171

SHA256
82fbb97e7d9634df3c806439e144cf8d153d840bad98f6e790726841a91acd13

SHA512
fc3e735f010776cbdaba1592e6f685a1fb4773ab5062f5ba9ed95d9bcab2f0ce9ab024ed95158263450fc58c3197b84e38883262a588d6d92c4e623c61b4d200

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\hr.pak

Filesize
567KB

MD5
92e6ef5db4c0191282ce2dd3645461ea

SHA1
045d3ed58a625516af741c9e2f85680fc1561ed4

SHA256
f8d6694f1c05ca259a31e0427ba7cef5b57f0c4b33493fda21003911a5da6f07

SHA512
08b09857f173ef2a3067d60120167223b4ec7414ff6117d206bb12213ce9563c8d7923fc0ce6e7df0ea5d8ae2b3ded2a23993ab43bc46bea3c08df1bf59e16ea

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\hu.pak

Filesize
611KB

MD5
40807c6b0eefd2a2f16cf0ac2c28ed53

SHA1
1b416b29e59ef41e1f18b168947e42b7fa969d2e

SHA256
533ae7e865898b61ecfdec68c581b3c4858f2c3ec1fe496ab02c61db0362d941

SHA512
487cf71df0f2e59ce1151c146651f567b624ac0e48f770a2f1da76b27933aa2bdc30990788e2dba4543a11b9e5d3da6f31badb26d7f3a5c87088c5b4e1bd7756

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\id.pak

Filesize
504KB

MD5
a20c777901a144622f8a5520583af79b

SHA1
3506f8e07ee301bb195eb185032ebdc7fd231272

SHA256
fd44af213520242ba41f4c9003ddeedc71f923cb37e25b14e595f3e652ae18dd

SHA512
6a53bc2f5d0e4660767d21070d19f0c407fe676b9e9cbdc20e6016e333b2ad33da225bfc2833a0c0724e1b6245ca6ee3cc0e782ac955d6aebac3dc468db79a1d

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\it.pak

Filesize
554KB

MD5
acfd6f4b73b87455acb703e59303db33

SHA1
70eabbca61eb365191cd1256f3be40ea9223b2d5

SHA256
cae7bd535284f5f156c1466820aae2bcc0b0c0ba378ad0f04eef3a145deed9b9

SHA512
bfd52bc383f1f5a7d559968bdd779198c81286796564499174c3b5b9bbc7112f427e8316f78fb09ebc668c5cbf94c89c37e97abb00c9b87b5c5c108028fc549d

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ja.pak

Filesize
675KB

MD5
63cbeb056020b6ee8cfad26c7c6abb79

SHA1
99bf018555eec56aae4b19d10c85ac506f4164a7

SHA256
aad9e17b2170b76248d61a3bac9b1bebc44b94885403ec2cc21a31397bf029b4

SHA512
5aa4e764f06f0e8490dab89a8b3754cccdd41739b4654ac8e30de160cad335f681fa5dd7782482aaf66ff1d827ce0c34df85c23c334a35035a3a4e3d0f305343

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\kn.pak

Filesize
1.3MB

MD5
f4c1e83eabd580c0b4c63b2dc510ce6a

SHA1
fc1d9fed0f073504b022606e424e7cc9796648b2

SHA256
79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25

SHA512
927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ko.pak

Filesize
572KB

MD5
626e172ad9b55ba0a1e2802ce5e10d0d

SHA1
ecd855a47448609e8e9d7bdd80f92edd494ca77c

SHA256
7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf

SHA512
d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\lt.pak

Filesize
615KB

MD5
b02bf54687716b5d5f18aee02411a980

SHA1
4cf766077382c49fb89d59d861de0f482f989798

SHA256
0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b

SHA512
aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\lv.pak

Filesize
614KB

MD5
df9985ecfc958f343ab7e56e71149d71

SHA1
fc0d2c4a194d500a1f4cfafcd9102186016ba5a3

SHA256
7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2

SHA512
0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ml.pak

Filesize
1.4MB

MD5
265d7fbee9a021895d51209dc0181f90

SHA1
30e37013971bacd3ee93ad2fca01cb59a26d6a87

SHA256
682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad

SHA512
028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\mr.pak

Filesize
1.1MB

MD5
af7c7d72a968e1936f26a3c755157f6b

SHA1
2ec71950847f5fb4b85697b6acd05224c28bb092

SHA256
e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5

SHA512
d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ms.pak

Filesize
528KB

MD5
06f24bba6fa8e9a009b3062227d4c259

SHA1
f50b0da2a86a138d16022f5642d96ff1a3ce7568

SHA256
cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c

SHA512
02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\nb.pak

Filesize
512KB

MD5
cf18f58e8e4e37b2e5fa7ef8269a294f

SHA1
c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f

SHA256
3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6

SHA512
8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\nl.pak

Filesize
530KB

MD5
d7048d029ab3ff807dff790113328574

SHA1
07872f608062aa482532edda0dd2e1de31669380

SHA256
0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96

SHA512
050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\pl.pak

Filesize
591KB

MD5
4003c253ef85ec0ff8a65204955994b0

SHA1
af3074fb622445f6429899cb33a33bbcc60e5e5a

SHA256
4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e

SHA512
5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\pt-BR.pak

Filesize
555KB

MD5
0711b3f59ac95761899b013b3b242c93

SHA1
73fe7a4f60a6b92a966f1177c71bf85c6f95004f

SHA256
be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b

SHA512
aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\pt-PT.pak

Filesize
558KB

MD5
fbff8ba7e31acc6c26c0e4b7277cbbd0

SHA1
b9acdcbe2f0f429474acc4dd883d668cde9d3165

SHA256
477d6666bed083b27335a479c71279ad41a674f7b6a412ada1bba18be542ddc7

SHA512
ffdbb2773f18038f5d4cf145f3311feae25110ceb8efd9c895267f98acef7e901dd7d843f7c5291cd333fc81b80da301d0c92e5c0d6857da7e4eb68a5a0c540b

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ro.pak

Filesize
579KB

MD5
5d5a27c52ae905fd85f5d50cb793e7ca

SHA1
b858bba1ef66c4d3943be19a4bf8a508c23e6671

SHA256
9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579

SHA512
f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ru.pak

Filesize
951KB

MD5
4ec91cdba9839e214ef7c008775e9e6e

SHA1
ea9f0f22ee1bca09ac38c01300cc91e2fc8aee51

SHA256
64f069a34be4966a9c28361e1c4914ce23bf96faa3bb5533fc3d233bfeac5cc1

SHA512
8c49ca910bfff175a4d88778ea34437a5acb0d52e349160f31091bd33d8ed76524950fe3e0f508c243ed76b289a550291ec68a7e0c1c426a64fbff0579c94d14

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\sk.pak

Filesize
598KB

MD5
b7d16d6702d4b4b5d3a9e4c3e0e13eb2

SHA1
6b2f1591ec51c4a7cf1435fbec7b5af94e0b5d4b

SHA256
e93580dffc1715edb37965c5787048e3e282d0477f277668ca7f49cfda7142c0

SHA512
a09950a9bb3f9814d946857e32901a9b6d73b4862a85f00b7f1f035ce0cab5af4ebf3aa003731ffa8ccea88d71866ec01d9ce578fc0b13b3cfdd3df332a0c40c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\sl.pak

Filesize
574KB

MD5
48ead6e0160cbc6cbacb247cd3643110

SHA1
b39a91bb90f26c74dbc9fa28b257b705b54f2b81

SHA256
fc4cc46ff82cb8a41181e825a3d4e4508753fb68ff01a60486b7df4a4e11e89b

SHA512
c037d352d315805a18796a121e47c73d37d68e735c9334e11b393235ae75b803cbc03cf7cf8480683bc68c9b98fba9f5a7b045b650598e5d9367ab58a24e75f1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\sr.pak

Filesize
883KB

MD5
5c811e0c9b775886bc11b46703cb67a0

SHA1
e9a777cc72263c7e7c4bfaa36e41b29e405a2a18

SHA256
4c524e149c02c37034ec92dd90f20f463413f2650ac9f32d52ef7260f9a34f1b

SHA512
d7db44fbfff3e3204b92aff44dc02c184344853d85fd79cd962bcad8efe85a13d1aaf9ed69a6e81fcc6e690afa4b1ba7cf1764225916f398c0f960d56e5bc57c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\sv.pak

Filesize
516KB

MD5
b75471d16a5b4cfbb43ea86d3077e63a

SHA1
302958743c97218d13a72ade3a22e4181922531f

SHA256
ec0f43dae8e52169396f289dfeb5d49b7f9258bafb0ed3060dd652fa744e5264

SHA512
63556f738df1527ad96cca95f3e37934b054df83cfacd4e120745ceeb0536d4bc1919c66acff3e5253a62824c032ae7e8f9496df13b9ccb6fe00f67920a63cb1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\sw.pak

Filesize
543KB

MD5
912db9e797ea3e277f18e72173f26ad5

SHA1
a83461503becad16ea0d33fd5501603688a65ed5

SHA256
89d1245c645cc26d67ac0f556734ebeb99b436cf19edd3cb3b220e78a87796e0

SHA512
b5c334b528ba6d26dde9b4b1100c01bd1675cfcc7167a9bab4d9fb95584ae629e9567ab3a4729776fbee22ca927d42e04fa016cf3f9fe510edfdc340309110ca

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ta.pak

Filesize
1.4MB

MD5
22949a4acb6639bc4fea591bde3f6cec

SHA1
672163723e294a5242e9654470e1efbb3e8aa0a4

SHA256
84776412fd7f2cff26713781be937bdb30352f9c7eb297ca811241e6cf4284d3

SHA512
5e3ee2d29eabfc4398b0f9784064eb03b3c3e13c59f4fb1b857c612727eebe1a4a1bcd76503b1356cf4b4d407431a643503d9068f61f1ed05041f3aad325262e

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\te.pak

Filesize
1.3MB

MD5
f0a8ccf00882e83751fd666876c937bd

SHA1
6fd5045a20bdb912f61dd38f4d046b333bfb03c9

SHA256
65ce3f1fe059a8d8b67cd47485233c6ab3870cfbb313241fe0f24e948bb0f158

SHA512
8ea9f2215ac8354378aff1717ef6f1ba97ba8bcc1c660290d8a070c9a7cb9b0e1a87b8e37e68cd71d7bd429adba8b17c6cda68508b7389e42841fbe2f9c79528

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\th.pak

Filesize
1.1MB

MD5
77721a07831a7aef49934706398559cc

SHA1
240ac6e472ac7312f02b99a8d588813d3dfeb468

SHA256
e8cdabe4557192a6ad7040de396d807f96f50d6ef256dd04972211b9c898bc1d

SHA512
f73be17166c7a94c216d13d837146c3c72a5e205688479ce8199c8cf468eb1bf780f2569d42e908684f0059e6ded370428d9b123389ad2cf1553a0aecd1ef06f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\tr.pak

Filesize
554KB

MD5
41bc209ee64f56f04836fca3e2de362d

SHA1
c019805b555d4c24c347112a583ac9f9bf2ef142

SHA256
71356710c485d7db228a866789ce9d253276725d94a4e4622e7b82037beb9825

SHA512
a65c4f9147c5796567e61b0661b4766c199f156541a252ec442fe5b5e3e1156c80e8fc7cfb6d9e55db4c5f60732b55cfa74a65e7dc46fbd5a4e5dfc8f3891add

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\uk.pak

Filesize
952KB

MD5
7e2cbb9d3591278a76dd08364d3dad4d

SHA1
a760a029070bfe57d4ef273b705650cef0a92f61

SHA256
38616b5f7f939a84d5205e758a8d3fed024a8e3fbcc8159c90666ce650ae1d30

SHA512
81e5ebada5990d79363e2583efdd3ccb19d8a10291cf6680d77d7c399816fe273a4fea5a7cb5e55e11f445df46a7ccad2942dc04f4fb8b6f66d2f2b151374de2

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\ur.pak

Filesize
830KB

MD5
157117641502b63c89110363dc7083b2

SHA1
fc86039a03b2e48fafc70e1cadc096fd46389af2

SHA256
fb7cd2f4beeceaf445f4d299a3db26cce49a7950a37e5a9b48fae7f5a8e09f99

SHA512
422d92c5f0b2b2f9f35dbb7c11cd1b463085201912948c61222bb4f43f8dfd777fce678f04371df53ab6d07ec14cfbc9e4b1b084a72a0f2aa80ca7a4728e6359

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\vi.pak

Filesize
657KB

MD5
e6db9a8c61dc84aff75efc00b486a8d1

SHA1
6d1f0329f9a44b64fa3474313c7bf207bfd78557

SHA256
8ff2d05730915c1b15a97a3915c03d83239c34771ed661ccac745fb308901f14

SHA512
89cf188b5d21528166353b29986f5afb9aad9a51a57864951f7945124b157e0129125caeed58c70568e38f7ba3a34a17d10056902b58ba48ee2e4e10a4649f75

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\zh-CN.pak

Filesize
473KB

MD5
5356bf9ddeb7ffad20e27ef092dac528

SHA1
3514ded7211ff71297c87275ef0805588da2d47d

SHA256
0b6f0a9ded5734b260c1c02d7c717305d139bded5ec7ea80de40b641f13bfe0a

SHA512
887be5ed95b40d73e0f61f4b3e85f8a77d4bf4a222197b9d1c60711ae8481efbf9c183ba902dcbf437fdf70381bd232fe9c27cf0ce87c0f45b283b75b6d19962

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\locales\zh-TW.pak

Filesize
468KB

MD5
9c51b828271263d574382077abd2e2f3

SHA1
4de07caed06477855e4f4bba1d0d1178c5757171

SHA256
21550464b12c7f9b23380acf7ca2b42c1b578581613c342196da95908f14c8af

SHA512
0e6921dbc4be8d5d98bf80e9b0f8c7fc31cb4e7553ca76b9c697a3f1428f855e59ee0dee99903a5215dddee9375532226af81128f066656d98db28a8d9738604

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\resources.pak

Filesize
5.4MB

MD5
f9e3b0bd3e150fa78beb6e6cab177eb1

SHA1
75e6fc1ab50863edab19a236c134a83df01cf89b

SHA256
cd57a8548e6c3bc13b1502e42d730b35def669dd256437cb1093ec8cef731a80

SHA512
d2ee930d40bbe89ba07c183023be55b3dd135db9c5394bdbcdfa578ab4cc05217aa0bf2366629764436b76a7c9ed39bed656ac3c323283787561521e4bca115c

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\resources\app.asar

Filesize
7.6MB

MD5
d12f5981671b98c3065f94129543b8c9

SHA1
014685798eb6c1044841c6b7a81e8a8568515cac

SHA256
8e6f27e4e540638dcb6d7ca1cf9ca793785fc82e50ddacd32f56a01098f3f536

SHA512
f646a0b044cafc066639098d740c94f42b9c61466c7b4995816399e1f986882924274473a2f6f9cba43603fbd885d8f20126d99fcd1033b4765865976e01f9be

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\resources\bootstrap\manifest.json

Filesize
154B

MD5
391b9425971060df3776632483bdbb56

SHA1
2eba4a5703f8300c861bdbd3bd11d71a2872ddea

SHA256
6593942b06d0c5df41980828f73b0ea170cbcf7bf5d8944041c893e10326e628

SHA512
9edf550134c9e0275516b499df4fe0c7a82e920307dbb9aafbe4154485c6f52c5c7b8dc628c3d14cdc120056edc3048e6a4600c35ec5cd5834604374dc73e771

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\resources\build_info.json

Filesize
80B

MD5
7e7a304ea522ccbae99b6941f2834b1d

SHA1
8b2b812e0291e9be4f480cac9d9a50a93252a815

SHA256
ab1afbf80508b402f20cdd409456058433fd951ac4d39515897fec470ad08e58

SHA512
8d73e9c405dac0b1817a9c36b989dd6f3a891c3a0a35290f1e94c033e3c883be3ba6d1b46a95d894c2691b6c831e5e56c3bb27405dd5abde359d5e5a61cc0c74

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\snapshot_blob.bin

Filesize
306KB

MD5
0406a232eb55e516dc38b4967671846a

SHA1
aade7c03b1ecc81027c98a79285687bc19276fc5

SHA256
4f944691b7066ef5653cfbf6b016488f6e5f0afd2d6bc03b90de5485514f83f5

SHA512
c608095510f88348e1e412ef573e4aeb4a7d328dec2892bada688a06baa023fcea1cc0dfbba6f6c41de303f3b6d5e1c4335a2610f3ec47a690e4f309f8782359

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\updater.node

Filesize
4.2MB

MD5
1e2bc518b8f2a8d062e6de83a2d1604f

SHA1
9f7e0e04d83f1af1309161668a1788a16dd73659

SHA256
93e15c69c70d6a471db74633aa6b210d647f90d712380c938fc226b156260148

SHA512
2cab60c6c4ac3d6b738369bb9be0b77ea262c1e7fbf6cd61223f06957bcfa4e6a0eaea4270bdb10fffacd4a1e9c73532b9d2c4563344a01a7da4e9ed44ee8639

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\v8_context_snapshot.bin

Filesize
650KB

MD5
3eef488e8b9d35f710634c4d404c7e1a

SHA1
971c730ccfba2db0fee379683f4e310df5c9f1df

SHA256
3a189b50da4b31b5af6cdfdb6398fa039ccac9e13898e4851b27c4d91f4dff6c

SHA512
f787b7633edf75905674c467f7c291a2b3791a8475b11e1d4fb1769ebe872c6b70d778124c22a55b96efe2ac443c82750371421ac9fe8f2cc8bb47ce0e3648d6

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\vk_swiftshader.dll

Filesize
5.2MB

MD5
940a546c36241c06aebb196911795dfd

SHA1
918511758a661f5a2d777cd67883e5bc4e74907d

SHA256
10ddb8ee6f879ba8f6b439a2a8c1003615a9acbe21bb0b1f7c47b1f17fdf91d0

SHA512
cfa2b92a870c9e42dd9e850c0b0a8762276ae5ac339b40c0516329d10252064f1d0d03c42104c9aa76f70bcbf49ffbd331918ea6b8c89b1cc10657fbdef3d680

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1113\lib\net45\vulkan-1.dll

Filesize
880KB

MD5
989e4457789137a524b0ee9fe786cc5e

SHA1
aa72d818ce9835c8edfdef2a8aad0b9e405ab3f0

SHA256
27e2bbe6eac7a73c8a93514fd1dcde9c535f858d06f84056c4619ad42f28e2e2

SHA512
076f0266eb7b8602983000547ba6a1de11ebfd14d29283cae05fe06b39322a7d580f687bfcebfdffc0f4db8c73804df02192119cc6a4c563c594e092aedfd99e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\Discord.exe.sig

Filesize
1KB

MD5
89e3446cd2a2940f93031d2517849ef6

SHA1
79bd7f588be8aaf49ebe996287ec090ae3c1640d

SHA256
46416801a84c15a4dce29e9018e71251136512989ecdd0bbc7be0e41e540ba7d

SHA512
d6e49b33afccbc91a3a4a72b03172ecc8737d366e02a8c9ade6b89994ea12ee745e4773af378ff92c945bfcaae0fd5b9a83430c7939c65e0e2940bd03d38e545

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\ffmpeg.dll

Filesize
4.2MB

MD5
3092f628bb20ee819a71e90f401cc676

SHA1
5118b83e751ab8a25ed457a179f1ffceb93e977d

SHA256
7e8255fad51b78a606807969c6832c9fd5698722725d73785c3ba3a6f1e89864

SHA512
e45b620ef1edf1a6d6832e6ab03c03d4c8bf4d11d05afd6e825b5fc9fd053bbe5834f1d8519505f4eb9e7e5ea186c0de34fb8cb24fafa4816f6ed6e70fde291a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\libEGL.dll

Filesize
479KB

MD5
6de4105d5bbd3bf8e1b76a2663890e8e

SHA1
145fac7a706242fcf70805818eb337b33d67dd50

SHA256
10f5826dc2e1915376fbada351372f23ce56b3a7bbeef553a17157a736296c7e

SHA512
e12132d987097da475c850f91e3d2b83d7c5f5eb35cea55689e2648018641c0f1e53424d89a336d7c356d99ccf76770a1d7da34947c2ccc05f9e1dc0a29b70e2

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\libGLESv2.dll

Filesize
8.0MB

MD5
a6de76b31f30ac21b29ca087c338461c

SHA1
f6ece4a9df790e83539d284071083b7fdf1f65bf

SHA256
30654070297f85a0ffb58662ce72dea250978d7b37d329af03d7f0623ab6f324

SHA512
0ead3f43b1ec57e33f0e33665371de5f2f9f1c5c9a13dd88b8bf50872ae30420dd68136854e0709a402223dd00d8492d8d3a6ec85434c4a1a950d0d11c0bdf2e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\resources\app.asar

Filesize
7.6MB

MD5
456b3cc4e23e8010db94c734386f86ed

SHA1
6cefedac5acf6524d33f1b8b234cca4a50a1f70a

SHA256
eceefdf948e6496970016fe16b95bd8a6c08d2732a5c65cbf1f9f3aac457a44b

SHA512
86739c2645f06a99997f791178cd61dad136601b531600ec92e18607c21728f5d61d0b797f108171634cf655c27b073fca1afabede9c86b83111bbcfce8e53d3

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\resources\build_info.json

Filesize
83B

MD5
33beea6f5e2acae16305739f2024c08b

SHA1
f0837c1ba40a1e408eff602fcb5df9808579fa34

SHA256
849c2bd480b50c735ca1ec892a7509407b7702c041dd16f588a0d3b1af30a632

SHA512
ab0e5117dd3415a987b268224dab79c0df08bf36a4eae67b72d03201c06523d8f2ddf65d9d5b91c03eeb9ef195588e7ff317578676a3712882dbcf2e429b5c22

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\updater.node

Filesize
4.2MB

MD5
4caec1537e76cb1b27ad30b06228466b

SHA1
62063776ee06185e154e1232c7c22cafc117a0a2

SHA256
71c0667be07a3e9ebf32ed946d33b4575bc74c11911f879f17e31750ee3301ad

SHA512
dab5a87a7f7062dfcd6cf057dcf4e6859695eed72e61aa5babb7dd0f03bd4bc658a7f32f4e84943afae811b7ec7d40ccd06a5ddf7b3e1e72e4696c060a902342

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\vk_swiftshader.dll

Filesize
5.2MB

MD5
3dbe515de93b8ddab352e30334e0ad5e

SHA1
25a60da45ef0bfba6d5547a9543fd2154b701530

SHA256
75e63d119c67981f4cf67562dbf95404bba4ad6157440715b2e61b80b1281849

SHA512
6ad49de95503e3a7088fd552516a0cbab8e2ccb0d88a9d26a565f726a2684c5d5d7da3c38d1355f8f6d4c19a7deef47cf506dc3c12ed3437f833f03d14a69248

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9168\lib\net45\vulkan-1.dll

Filesize
880KB

MD5
854ef86490fe699e7265fbeadbd127b6

SHA1
7ee6511d05177b989f547c4aa2ed54c0cb724411

SHA256
d1d5235852dc52ab66de31fd061e12359acc698c072a74bfee7c7d2268928a19

SHA512
a6c52e7f1ceacff4b9910ee3321b9e844a9579290cc2965569a5519a20ba0e010558d7b86a3fa3488a919c119eeb34952318cb09e15b37559c7512fdb3a802a8

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\12dd1148a4d5c99b8db76acfd4a9b2d70f02eca8c6280115c794c0a06df8b607

Filesize
31KB

MD5
9b24becedd41d04323cf429de759c3ba

SHA1
9a43d4766e3c91a24d11885c3600de4f2a1e9df2

SHA256
12dd1148a4d5c99b8db76acfd4a9b2d70f02eca8c6280115c794c0a06df8b607

SHA512
775fcfbc1bd6d428b1382177f3e76d283374277a84c0292ed62698cbe4bfc6bc972c33cc899a4359de7720b84b5a4963daf09aca2bf6d882c0f3a53da546074b

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\3caf68f7e3037ca2f71e83b4838571ce13f379ade03f6ba0156f6de0f3ca4288

Filesize
230KB

MD5
2001c8d8d597f4f8b1210cc60ed44144

SHA1
0cf81a9f2cc478f56e075118fe847c2ffdc05866

SHA256
3caf68f7e3037ca2f71e83b4838571ce13f379ade03f6ba0156f6de0f3ca4288

SHA512
23e727f9f9c4c73df62b2a5d8517d24f13ad1cf04ac627acbd5b9bd29db6116d9b7971280ed68000c2ee82de9f2a564ac0116d8f79aea4a53533ed422d66fec1

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\3ef3cb45aadf81e6fdb7f1ef5530c4b122b1da766ba4fe596dc9a6f088e606be

Filesize
1.6MB

MD5
cc77271096543df142a86688e3ddcbfd

SHA1
8ae45871e52c5e00e7fafa463a258e88b710e747

SHA256
3ef3cb45aadf81e6fdb7f1ef5530c4b122b1da766ba4fe596dc9a6f088e606be

SHA512
2af79c8b0a07eed6dcb507aa127ed0a5132fb7d9020dc50d8e799734ae43684df5337e3315e7191bc28e8ad5bf2d415251420491b935a65fb2fe75e6f6ac867b

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\447bc9a33803c7e20763d39f61521a576a9c349520d8df115c426a42025f0784

Filesize
312KB

MD5
83c2e78dacf3cb60ea61cc8c4d9ef99c

SHA1
41a342b67fae9c66a1a0a397f8f031e3ddbb5201

SHA256
447bc9a33803c7e20763d39f61521a576a9c349520d8df115c426a42025f0784

SHA512
83fc89dd4e0c69a9d4372221102b20f21c75f7a6e7b329ad3f74e4678a6712afb059653bfa5d3dd832a06c80280fa3c0fd2765ab18b1898ddfefbb934b9a2f0c

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\70ba0379f075e6e7d8b0a351c68ca693710d74884600e8f0ea7ebdaa3e269960

Filesize
267KB

MD5
55febaa8776c1654fe6f3b20028816e4

SHA1
01ed2b37287a1ae9dd222db9310c9affee90389c

SHA256
70ba0379f075e6e7d8b0a351c68ca693710d74884600e8f0ea7ebdaa3e269960

SHA512
418f9259e1561df3b8a843696efce22b4395ea42af939d71e251c1b2aa250d0d64a4c79c913c9804dbcb4b324cd3f20f07672c0f7e8325e3fd60ce9342582a16

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\8dcea17f4becbfb29887ae412d54599e4362edae698a5f41d316d8284c5f6232

Filesize
531KB

MD5
63e2c0c0a441c91c2b3685deb7babc67

SHA1
8f243d4c2814eb744c3f62dacc35657bfed58e5a

SHA256
8dcea17f4becbfb29887ae412d54599e4362edae698a5f41d316d8284c5f6232

SHA512
49886de2d9fd965e04e518899192e1eaa771ce99747a82fcb80995667f1e3b462eb19919a0e6f781d9e3ca7ed317c73a4c2a8fb1d756be8300d565af687e4d8a

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\a0ab7fd761c6b4f5ce709b361ecf51f2b9545093af97c77d0c19b3e6376e4659

Filesize
1.3MB

MD5
20543c75f484bd477d8f2450fe94b3a4

SHA1
a998163e5519fb4ecfe1eb0b5d7da303c401a4a4

SHA256
a0ab7fd761c6b4f5ce709b361ecf51f2b9545093af97c77d0c19b3e6376e4659

SHA512
af75dc6a2c303fcf71c2a83d174d9b72a8c78c296429e903ae63e6d69d9660cccb3eb433ed687cbfef6a27da6c16ad0a917f31115cf979a96d3a149134375417

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\bc2f3a265a169c6f40f36fbe076bd9a1d510fe9937e10b7f5ccd015e2675b07e

Filesize
406KB

MD5
9a956ba51f764cd0775c29800235b7fb

SHA1
a1b0c7645343fb95275ac15ba600e5cb588f5769

SHA256
bc2f3a265a169c6f40f36fbe076bd9a1d510fe9937e10b7f5ccd015e2675b07e

SHA512
6d9a963ffde36a7f86374b42fd98f5cae45bbd38ac64cc5287e1583b74a05df8a1119dfb4bbbf074dbbaa524b1fd3b563872922f1fa417af871d99f85aba8765

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\cb08ed42a6b4594a66ad57e4fb7bfb9a92c08ca9813cb9909f97f06b57e26e8e

Filesize
9.4MB

MD5
dcf5e050bc6844d39225d79fb47d8d88

SHA1
3a8a6848d8395703041782646ff2ea68e52b8ddc

SHA256
cb08ed42a6b4594a66ad57e4fb7bfb9a92c08ca9813cb9909f97f06b57e26e8e

SHA512
28fee3c5291628519ad19bb5e8cb821445012e83402b40018bc73e4137801aa5f0bf93627f4159065c4c9b3f011c116576069be04e335f381547f57ddf4e88c0

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\eb44bf695a42fcf11d71e23ee3b9dd2126e36bb2ed87dd0965b07c6658513739

Filesize
1.6MB

MD5
2b5138451e289f89418abfc078233816

SHA1
95db4fbe29cfadae41b944620fc5bee7af174e3a

SHA256
eb44bf695a42fcf11d71e23ee3b9dd2126e36bb2ed87dd0965b07c6658513739

SHA512
f1112c3d53f583a772fc71112e11d3abfd738a82ebe34497e09b654671c2fdd4bbb069bad7f44f429a304a65636a5ce52111243043f8f4cf521a4ca2aa936f6f

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\f9176e33b95f38f50c97e5c8769784f785e6952d0449a8a34a2971c7f5a66cf7

Filesize
187KB

MD5
293bb7bec0e133fb4bc1b3b74bc4cefa

SHA1
7119251df5ded61184d6ed74dc48719ebf1c1f70

SHA256
f9176e33b95f38f50c97e5c8769784f785e6952d0449a8a34a2971c7f5a66cf7

SHA512
2e8a167ef6fed250b46ce1bde36ad6b61d97b7853210c2ca9c056a99851ea8ae8fdebe4e4d8ca8a50d4a82e2ddba2f5fd437f97be86ebdde09d2bdcf49cc8511

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\fab19291eafda3bc491ec915b690125fb7ae201b0c6b4a742e30ceedaf1377da

Filesize
16.7MB

MD5
2dbe720a42b43598f55699a0d72b5506

SHA1
c84aef0321537b6cbf641a6072c21347803188c7

SHA256
fab19291eafda3bc491ec915b690125fb7ae201b0c6b4a742e30ceedaf1377da

SHA512
9d0364377e26b91cd3a14934eeffd4b8a2eba830c81e8a03b093c278dbc5bb1ad499dc3a7cc2470015bb8288001fba0f519ba2071485471a160efe4747d41c7f

Download Submit
C:\Users\Admin\AppData\Local\Discord\installer.db

Filesize
232KB

MD5
27775d8214dca5949338a82eb4a32447

SHA1
0843b267606cce38885bb23acadaa3fb07cea76e

SHA256
e0e463b8dda151b073108243776f5c72f165517aeaf4020c568b9bb3d11644c5

SHA512
3b990b4b7addac6393d189fb1683311565cc251eee30999f6123bcfa2fea9718538a1828d46b1633a6f8f39897787c561aec376e0a6fe3cd35e23fb8d8b198f4

Download Submit
C:\Users\Admin\AppData\Local\Discord\packages\RELEASES

Filesize
73B

MD5
0837c64b07a5d3cb5401eb6bc0b9182b

SHA1
0fcda4d2b40c326fb803e43bd2aad1700d9f8ce3

SHA256
1afc0e6e892f2c9ead6edf3b5a4d742954acb49047f08fc3e3483fabe15b1a9e

SHA512
07d2eac97c52a3e17c36f1441b34561007c6a5e4401ae35fa612b3f90132a87e0008ab4932a0cc58f07746c092906643e5ea3a8e451b052f2279c24bd71cae41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39191fa5187428284a12dd49cca7e9b9

SHA1
36942ceec06927950e7d19d65dcc6fe31f0834f5

SHA256
60bae7be70eb567baf3aaa0f196b5c577e353a6cabef9c0a87711424a6089671

SHA512
a0d4e5580990ab6efe5f80410ad378c40b53191a2f36a5217f236b8aac49a4d2abf87f751159e3f789eaa00ad7e33bcc2efebc658cd1a4bcccfd187a7205bdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef84d117d16b3d679146d02ac6e0136b

SHA1
3f6cc16ca6706b43779e84d24da752207030ccb4

SHA256
5d1f5e30dc4c664d08505498eda2cf0cf5eb93a234f0d9b24170b77ccad57000

SHA512
9f1a197dccbc2dcf64d28bebe07247df1a7a90e273474f80b4abd448c6427415bace98e829d40bccf2311de2723c3d1ad690a1cfdcf2e891b527344a9a2599d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4b5e9573c67225fa86b547f20d40828a

SHA1
ea145b12618bbaf5eaab6b1240d449e477e10b79

SHA256
a8fb72402f0ddd51d4c5ca1dfcae8f39ec320a85292e3f51b15f2f2fabf27416

SHA512
7a62e6d85d087ef9630a1a343eca91e99bc21d67d7d731e2c013f978c2bbc1c54ac93ba052535bdb9f644fb02c0fb8d3baa8a317d7f736455f6327ae11d47940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe712caf.TMP

Filesize
48B

MD5
43838a308b877cf2133479dea009f43b

SHA1
8921cd944ff917ef7dc9e7633dd75bc7285573c0

SHA256
c9085cf22c64b51e30a98e9467d437b32d7932afa66e8e106bc8414a7ba6190e

SHA512
e4f4ac77dde767e79ebf78bf8d6964c25e2692e87eef307949bc57a64fd0275ecbfc3ac8e8f95c81dbec7c8c72cb43edbe4d1bbabd98c17eb879c537c7e98ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
e29949d8ce4fdcce13ed13e333b26dfc

SHA1
f94bf5d28d378149c388974c05c07f23305b235f

SHA256
ea86e49f167d8a6dc95475fb26ddd6b8d7bd266f560009ef13ec97d0d6d6560e

SHA512
8f7ef5ab74e81613b520cc4bcf25ef3a9d146dce7ae25443ea0979989eb775ee0ce989f6435eb03bab79546178ad13030364f377447bbf13ae1d672b74e66f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb42196882c641ca0b7bb999f8ec3cef

SHA1
c4ecf510c36807894a8eca78bd3dfe30edadc6eb

SHA256
8af9a17f164e4f806095dd75e1fadd0e0443ea0d088a3dcecd58ba47dda92710

SHA512
fb6a5a99b265f47d559b722eb92ac3d71878d9333ef8ac9751339a57c18b23b2e3af757345a79c34d87031a71d888b049dd5a236f095f9e0e947512d303a4482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efefaa8e71238b4a0b7d77fdf8f1673e

SHA1
04dc2227fd7949204919186b517f72191d593b1f

SHA256
bcb6bd118d6b3c86b21fa16860451aed844cb10263d54c349bb6c3ac1c3fdc48

SHA512
334f6ec0172ad9d68da6baa3f12001fe89dd39381d7cbe679d3695e3c92cdc76478dfb236b9d4ed94ca6694c33c51e14917f7baf2144517ef116b867497dbc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60d82bd601d64fd00bb0373f5ecd65b8

SHA1
0e8bde426270dfa3ea285c2c5b7282ab37771d4c

SHA256
bdec91a5061c6a400ef33c2dca5b1d0c16c1fe9e464f8ec99a72442b752e6a97

SHA512
5ea1b33784438acd246c02c95716f72c78293bc8d8e8e6d71aeaab370ae9fc2063ba8ffa443bbfc26c96e45a95549b62894b846a459c986531b34a110d0be38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e8f43f94223ff6d4e32b728aaed863b8

SHA1
bbae81603d32ed050ecbe20b77dc275ff7d85d1b

SHA256
de541fe9d38643ba89c711575a0f83c66108d092f10c6aaf243219a924c4ff8f

SHA512
721a59966fd5adaac1d5acafb05055356444a1d185a22727361587fcab78c782f1715ece4858f0736a6ac4c5ec8fdf74cc2b56280c573a8c49ea4dfb2608fc02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
18ef894bed11c2086aa3f0035ae67403

SHA1
cd72a13501a4e9c0c0cd2b724672203a736cb015

SHA256
d6cde37a797a21f84697383ac693fc8e9fd88a4b61fc953aa021f0bdb6cb2265

SHA512
0217e1998a8bcdb44063fa1676b868c1fd81a0cc798ddbaf9e291de6b1b36739d80e067e1b7eea1ab60251152bf296f44d54f865a20825aa1b043447af292578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77C6.tmp

Filesize
24B

MD5
f732bf1006b6529cffba2b9f50c4b07f

SHA1
d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

SHA256
77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

SHA512
064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77C7.tmp

Filesize
24B

MD5
db7c049e5e4e336d76d5a744c28c54c8

SHA1
a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

SHA256
e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

SHA512
b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77D8.tmp

Filesize
24B

MD5
fc94fe7bd3975e75cefad79f5908f7b3

SHA1
78e7da8d08e8898e956521d3b1babbf6524e1dca

SHA256
ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

SHA512
4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77D9.tmp

Filesize
24B

MD5
5f243bf7cc0a348b6d31460a91173e71

SHA1
5696b34625f027ec01765fc2be49efcfd882bf8e

SHA256
1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

SHA512
9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DA.tmp

Filesize
24B

MD5
379523b9f5d5b954e719b664846dbf8f

SHA1
930823ec80b85edd22baf555cad21cdf48f066aa

SHA256
3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

SHA512
eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DB.tmp

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DC.tmp

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DD.tmp

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DE.tmp

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77DF.tmp

Filesize
24B

MD5
f6b463be7b50f3cc5d911b76002a6b36

SHA1
c94920d1e0207b0f53d623a96f48d635314924d2

SHA256
16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

SHA512
4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77E0.tmp

Filesize
24B

MD5
2a8875d2af46255db8324aad9687d0b7

SHA1
7a066fa7b69fb5450c26a1718b79ad27a9021ca9

SHA256
54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

SHA512
2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn77E1.tmp

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
24B

MD5
60476a101249aedff09a43e047040191

SHA1
de5b6a0adc7de7180e19286cf0f13567278cdb64

SHA256
35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb

SHA512
f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2d24f9830de86e00fc6649cb269ccce

SHA1
cecfe1506beccf1f3e19a4e9a71dae1493e9dc9f

SHA256
f337c17166085d53a4029f3fd0f09b29cb524aef98279710f7dd5406a2fdc3ec

SHA512
836a5909ef2f68b4974737b1d7eff4171fcfe9b20f06b7146134c53e20531a96a8c68c518c82bf5082e647e2675124c8f98a8ab2d9e27e07f47a667c3e18c8e0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
7ed0f97e6ad1f685349f188d456ffa08

SHA1
327be96bce46a32829aeb20b4ab909594ed5009d

SHA256
cd644095a9bdb123e3c2483042bbd5a8c37b4827971cfa0d65bd9934de9e719b

SHA512
bce496025b7ac3372bcd2785a1869f4e963633a3fcaa744ce5f8a6559de8a23c0e04da9b131751b92663dae8a5451e3ef9d217e96d12f2ea74fc32cefabbd892

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\doomed\11056

Filesize
14KB

MD5
482ade095f2aa6b36525184200ccce6f

SHA1
578ad1797d03f60dbecdebe774a99205b331897f

SHA256
7d383961846f18cfd756cc82003bc7c0e806469147b85bb671de3fc5a027244f

SHA512
434b596cd586129d7248a101f8e4aca823180bca26edc7c01609d369e96238681610feb091cf3143a9632cfdd279b520f5beac7e4a034d19facaf839baf047d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\0106421E1F1335662D826A109741DCEABC51B254

Filesize
22KB

MD5
e49eb5bce025a1497f8ad592476b3d97

SHA1
57e6fedb62c607d8524ec8d4b7279ae1757cd187

SHA256
2147c8cd6770285bcfc8c9d6127653afb59bef30a8c57ea28a72c14ad90bd5d5

SHA512
40bab8afd3797a48153162ee142abeb0fe49d081d4c93ec2e0569d1ab4cad6672f90628c36b762de1647a5e03dfb200d6b1971c74de26afb27249f4cb5479392

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\4253FC093687BEA2D5B4BE512E4739536D21F20E

Filesize
22KB

MD5
d886b882e5bc6186188647e23ed72370

SHA1
cff05c28ca489f3e46eafb7d2be96bfb7d381c3f

SHA256
09adb3043a36546b49850c131ccff596609bf761e04960b419f5a036e4c5473b

SHA512
0bbd128a8e86221745db202259a166c18f34538f7189eef4f020ddbc9672e32b1969d6db889d74347e653a46edcfcff5cee6d27b32a5e0c6c95f144364dc18d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
0c331238cc9112d7e82b6a3e5ffb4fd4

SHA1
75b7e308cc7de6da273853a32f368bac897b17aa

SHA256
30c25bdd2352d967a9a2c9bfa50a59a3c8a7eefc2168bd606547a9840b75997f

SHA512
ba75f6f158a99448340e1effc5275357115e212acba676627aca1cbda1a9f20aa8be748800d31b807813af4aa3243c03b8a97862dc42cf8ea3acd5e912fd83c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\5D211F096A57BD106BBABA652BE8282EDA405F69

Filesize
224KB

MD5
6bb1b99f107b7564c32a24a5aba5d519

SHA1
f99384b970cbc5806e78c3dfd36837e9665bc506

SHA256
0ad65395b71764046944285fb08a8f6623c98790a591857f2a0df63f963f00be

SHA512
ae4f5a09ed500ed2521247f0b6191350cc19769c7bb505ab03c28d8668446626c587df0973db96518d8f0dffb29567ab02a3dd2d311a5c99701d4279695e4ae3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\8AD6F5CF0FEC728921A5A08D73A7BA92616EE430

Filesize
81KB

MD5
4b3f48973c0bc1227f7becb3b57acdff

SHA1
1ddc49fe332cc8fe42c27172c1a9cd8dcc9dd53e

SHA256
1c384c72db83233692bdf9a77c111187f301f07f72aa268ec49084b29486f5a0

SHA512
16d93e14de3bfdc87ce679aa24a7e2be412879b4385343475a8b506539b5766a6567df33b457aacc32d66b05ce491cc9806dd7b6c6d0cfdd4286b78803779ed3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\8D270C8B093BC5E889365C7BA2CF74E26CD7563D

Filesize
62KB

MD5
62de9729ecea23b9859af06d773d0075

SHA1
00ad67e40d2ed6930267c2f804af690eecdad5de

SHA256
268f1e41b8d755e6de1c0bf29c4f891b95661d9e4633608e98c3c69de51e235f

SHA512
436f22c1e3826f3ff0561a0185f31ac978207cf7f84d1aafef034675eaea4e60b6313eeb71319e362ac893a59b36e0e413cb248f3adbccdcf6d1c7281b93bc4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B

Filesize
23KB

MD5
49755c3bd336014b9325196df61e5c1a

SHA1
3e755baa0bcccc19d444dad6d2668902ad12b65e

SHA256
4e1ef088dbc8fadece2065f77ee1457f8b854d6e41d8d01f9b5bbe4a27ddab43

SHA512
cf011f0433fc7ba615a8062d248e410001938b20f7874dab05cad640379a2742f55348536a1999a8e8f8b3cb7da9c6ace987d80341e920f00f6414fc08401543

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\AF0D657342802ABB2242B01FD7BDD6CEF8C3837E

Filesize
455KB

MD5
bf7cdedbe843b144faaa411e0c6e8ec1

SHA1
19fe21af959d38363a8d2d37c04625589b06e053

SHA256
d2a9c732c038e717432f67cd47efdcefa9d512c916173cfac90ddb5e932e7fed

SHA512
fd1a72527ab5c5fc0ab626d0e8ec2b96f05c8270272fc06f94e1f6dfd1aaed7b8970e0f8e5e6d0ae25740599a4d7516705eae45d82f2fb56edf9cd67c5aaafa6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\D30E15126458F0CEA70650BFFBC1C9D53149D1C3

Filesize
25KB

MD5
77e857f9c867a655b259d97a878abfa5

SHA1
0833c7024d3b6fc8db11bb11814f4047f2dee2fa

SHA256
21a7f628667c91a8800d01d691cea9f99baca34be632a9b0078ba896c554d5cf

SHA512
f57eee28184a4994057f2f9f39e804852d804a7656a36cd14771524317f4553f0cade722b3a0b1c0d93f83168026215d6ee309bab27eac01dc3d25f01ac52666

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\DBD78B5F0DD5928F802E6B4677A914D2D6B73B75

Filesize
77KB

MD5
78739a4897c90f3334030c07b351b85a

SHA1
e9bae2fc42a14be8e36f99b7694aa8560a90bd9f

SHA256
c22a4b3501e15f2a46fd375dce86ac271da7d6f5d68c9123273b8f09082606dc

SHA512
e2e3de855092cafbda442ca37bb44ecf88ee748344d912a5fa8e3e1ceafcf51d739af0782b471974dd22fbca0fa805b50ad339d4837c5b2c96b46f92ceb479b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\DD1D8E1D4ADF858C026AA4DA41C20E32F988ACBC

Filesize
71KB

MD5
4030459db8d3591adea58f3af6411328

SHA1
63072ca6986f37e3bc9bab37c3abcb9b0f57962a

SHA256
55d60fe7d644ea4f28e76e25f7b71e7ea92a88aaf23fe04b3e2d7ad6b0469152

SHA512
7b0edda88ec0e5740b3a5ebdda5a2682c5d0aae56886eacad13349c605dabacb711d521c884289b9f8c65aec0500936b7635733368abb4fa30bbf8ae6b5487f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\DDD6CF9A8E93A6B7702694EB238F08EDAA4A508C

Filesize
18KB

MD5
5c34b914f2c22af90b103fa3cd7442e4

SHA1
f56b76a68a11b60f23c94417cc2c8b43c7d29039

SHA256
c1fbfd7d2ab3ca8e8c52427e60763cba2d631079569d0ad95cd9cce116d1ce9f

SHA512
d8f19f2f0e3e62da5d4c60ada7435fa7412ce8421458da5bb3fe3b951fbe266532ee586ce5b15e675fe16c1a5115da37712ed753c1ea00f31b98c4486c8bb2d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\cache2\entries\FA96A43094B14EBDDB5DC14BB035C6357047D752

Filesize
32KB

MD5
9d5fa0929933f7b15325b384a911e4f7

SHA1
f7e11733d1615d6bfbaf63722d8d0a69ef621003

SHA256
696931c5ea5aa8fd401c6bda19d0d51f55a63132d455636397cbd72af9aac6f9

SHA512
f77c2286064baf5f99aa14c886918396b3c3853d893177890e421735aab3c21498273f666af0ab8dbc9f0ce506869b2ebbda1195a5ae315443300ea6e998ea31

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\jumpListCache\ObKbdQ6YcCSpkYXalm8Bu+9B5yvV65Qm4TF8ZdXgzkQ=.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
52KB

MD5
552044e42d145c7df03ef2dac1e82e72

SHA1
1c5e1fad1259c15b5752d38bf8893ab32a308bc3

SHA256
2ee1d69846b5005b5fd55d40b8288886ed35bfa18d3c2e756ca59cf266872d40

SHA512
35145e6ea7853dcb86fc8e118e89165641b8ed802f9043c805c92dc61fcdbad795e256ac55ffff11aa89dde0ddaeb0f36e671e18ecdfdd64c959ae78452ce358

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.4MB

MD5
d203ecc638d1718909b1ad5b63deb004

SHA1
beb3e02dfe8947abb7f45ae8f7c214f3d8fea84f

SHA256
40245926bcef6b6a3b67eae7803cf3a39cc4173a3a0ef5380e216b53542c9a72

SHA512
291b910b4e63f19eaf141551f5506b85cf1cecf000d0b4271147c1d0960d4e1776551bedf0ea6ec7d089169e693397557fb4f5780034f8c49d75a9b755f8397c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.4MB

MD5
531c45ea012bfb7d73889a42288f1fd1

SHA1
418a70f3ab0902dfab2e736990123c72f5fa1e34

SHA256
7c09540451887962e84df4560876f93ed93edb1917f7c385c1b5e719616e7ded

SHA512
856db3206cf98d7085405d0c1d4756455b122899174efb6e210424d73d1176318dd6508d1998b33498ceff8e9c0bc9344cf643c863588cd0df4badb023c7d6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\.squirrel-lock-62919BA4BDF2F7CE92C75BB23DC2216E9F35A3AA

Filesize
4B

MD5
a7e0f8ac46398a7876d1e40dd52c2aab

SHA1
b66922b4e6f09e23c072e4aff49c67c3121dd5af

SHA256
05174bbf0d407087e45b12baae17117426852ff3a9e58d12a0ebb9a10b409743

SHA512
e6b93215582f7f4f5e9292273a9466b5d0cc3a4ea7d77ae42854203755441dd5edbefb11fe8890cae7783e41e2edbf61ec7b03d7e5e9870a7821d4016b095f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0E66D5FD\Update.exe:Zone.Identifier

Filesize
152B

MD5
a3c1752a31ba3afe4dc87f917ee7611b

SHA1
6374602b9208cda68190fcd0cd25273e7d576d1e

SHA256
ca54a8de708efc352863a070723178b16c4b1f6b99f55918c2500b5a2fc0cae5

SHA512
f7ec1b56572f6770b067b71219c1d32db79978cf01a4fcfeafc2eb874b8f14ae0329a15c429cffea64b90ba417f84f1a20e6b7d5fbeda1cb179a8f43e01122b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbdcxact.thd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
165KB

MD5
58e8722bc0f0799eb09cc7264103d0b3

SHA1
5dee197f221eb88868f3ff04d005fbce5f7281f1

SHA256
c340f0ef38484f76f7287dbae542b1d7898e4a9e2e285801b0b25c01d91035ea

SHA512
8d1a1a938cdf45b6201429ab7d8c2badfa1c0880d12670459d132f577d0fbf22f39209dcca4d61b3673db75fec3f9aa30215c933b0eb097ded62ee6abd21e313

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0d86b5593b8741e3a7c8b855a70cf72c

SHA1
d50a8d2ad22ed8728b2e6c76df4f1cf7c6e12a7e

SHA256
4f8393a31e2bbc1cf34cef8ccd56896210a3013bfd4badcdf349788c70c8ff1c

SHA512
bee59ca7665d725d63a1c9c504c398cfdc43e51ace4995a3f45720822792999ed9808b82bd4b0c67e44d32aab30eb700abb6174350cbb605b3b8b565170f7fc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
38KB

MD5
e720f4ff650c58b55ac42505abe6ce3b

SHA1
3cfa0371ea73b4bc7d8bfc664b83668a35079dd4

SHA256
4bac0b2d614dc50fa7fce97b62871ed0884b5e3a303995e4163028380f9f0e16

SHA512
24c0adfd9723694c57bd0aec862f29af3daf6861edccf0d52315c97687f245bc93cf3abe6101b12b08212db09f34c84bebd11762504486ec3a58d827a6f30de3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4da0b6e4bc91f18c6338e471f2b0fed3

SHA1
2c037fdbcfb54f1d0e939ab08e43c3870b788af1

SHA256
759f3c0cb340abd15be59494e325cf14f3a4ebe91315bffdd49f798895ce16c6

SHA512
4e7d99db7dcc56a4d90116e2efba41cb63c679009cc4cba99044289161f92128af17a88b09553b059b4098c1e30fd39ea435d9a3ae16d3ff4a2e88d9cb3689d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
961b80cd75d64d0a738b548a09fb118c

SHA1
757c69c56bd9ce174826422473134592cdb84ad7

SHA256
eade3885e65ec9160ba384d3e97155555c632c6be118cefa797ae0d1211cdbbd

SHA512
b366e6c40ff60d35ffb1673aee206ab0796f7f44cd65539d9e4d2191a0db1b55465a46adf67719550674377a6f8a5c1c6b078605e2b5b6e561851ae2014a4641

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
4bdc7afb340014863d1a5b7258c2d15e

SHA1
7ba4e55ecbb4a355c443d3e697ef2dc8897a5c14

SHA256
2de23d14506b888ec8eb6d19b565d9cca4f90eca3de1a267c9c4342680f0b0ef

SHA512
8626756a62e5e9cae7109394b25cf936c2ca3408a56347440c2276c49cc2df49356bd2fa6eebfaf776e0207c374d41c4afaee403b8bebe4758621b090be7acb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6e7c830fe676a08c454a320270095b56

SHA1
a99a8d18694ed80324128beb6bac68928609d04a

SHA256
86c90c892b183f60299f3f730d4f4d7720154f5c31d12d2ae28731ca1111e9d7

SHA512
b713b6b4f382c20d85e997ca045b9f7ac49f4082d600f1dfc7c709278d512e949f006cbe71ccccf710bdc264dbb7c512a5b1015ab4d1977926c29a6084e2be50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
f597738eac67fb42d56db573c8dd1514

SHA1
ddb616c684b215b200f7fbe68aad1d161235dd93

SHA256
3c65f76a47c81bb276f7bfc8bec9d8347082b753af214e710c779ff9f5bf5d50

SHA512
66bbe920162d58171ea4c88e7ee22708a71872203163ce9de851d783e91930ba97da33f548e0fd17959bc47331a5dc6f0d903cb2b7dcd9ec103f2e84d61ae9f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e7fdb32d32038c682d88b39561d27399

SHA1
f54d815f369995e815b7592033e9c6c18068d426

SHA256
fb802994dd043691eee22bee298c0f267505e53316e93496ebcd6bbfce9cd2e9

SHA512
9aefc95564106d860b26c618ee9848022b7c376aebbc1970bc1ac739d6a28d0da7509a1bd5e53ddaa484fe3ac7dfcf203a818c16aadeb19b9c597e37ed27b809

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
893B

MD5
64f54a60ff79d5e49f508ace793a3a06

SHA1
e2dd2a1b63ccc5fa0634be6a833e779c34140e3e

SHA256
aab29557a67b2cbd89d9876e161c7491468785598f7ba2bf5531f010f6914757

SHA512
c08902a5739a867dcfd5155d59c20dbb7ee9aebfcb24be042bc614e1d46f57943510d79078458d7852d9422eda7d473963f041225873710d095363caa080d056

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
893B

MD5
ea45d57e8978ac1ef61777dbcc106c97

SHA1
b7dfe462ae1eb2ba45934baa10589b242bc76efe

SHA256
69ac41bdf7f7742dde1f8292e36ecda11ba05555daf3da2b03f3e74d68206e1d

SHA512
989d6de9a1a4df7165e00ccc5535b726001093ce51e89dea8ebd1fd53189a2e889d08d854c0e066197d3cd9f302d03d4f5cf34e519fc21ef93d1da094371c0a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
893B

MD5
3429c98c54e5a649302b851061a5a212

SHA1
e0d0b70a2d6a998c8351c66e252a33b49f8dbf10

SHA256
9172af5795c3f2930231a5a9ea8a1fb8ee02e44f0b1902bbd6df3b947ebf63ad

SHA512
2c974a6260cfe7d9ae4a77cd356739b7a5a2d06351af5d2cbe7a40da4faaa140cd840e195176c6bf81605acd6f242dafef68b274944d2ccb91b64aa0c5503be7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
b77d02deb5f4592bd5894338d0f1a424

SHA1
8ff928776940b5f9796a8a94671c76267efe1323

SHA256
82ac1571870b81bdc7ba2c671c2fda488f8b154eae71014927220d8b06a5b185

SHA512
8e0240cab3bb6521487a3ab2ed8b2a43ea4d03181551142c6d788a2b0c2b55f5180e0493a92c9df331d56a9d74a5f61e1f4d3d34e25bf858f2921d7219971d0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
65220db9bd21d3e0ad54f4f75d4ead18

SHA1
d08a6307c30f91df1f9f87b6f8185274c6f8ca76

SHA256
7860dbe8d5809c96c062a5f398a5fa1f9cbec67ab0add9a39e09e98160a23e79

SHA512
c02e647481f5c2870b0cfee0816a04632d31222ce096e581748a26e12fb7651575fc92ceea0d6513beab21d591d7b47731d95383ff473c3d67d3b046bc173ec3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4ad851369bb4188c5989e47ae22045e5

SHA1
2f436fe3aa8e1ac8047ff65b79362be5def23223

SHA256
c55d9e0a43a9e446784dcb0d9489c2aaff43b19d688f8d49cb63b2e4ce206ea3

SHA512
3611338fa8d45f53272e31c7275da48d3397935dcb9b87528284398174ede561891fe5a70c1204e89cc1604188e475cae5bb9e654db3fd42ad09aff430dde9bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4eb3093b7c7b0e0d610fcaea22fba8cb

SHA1
0a67f45adfa31859df651f3e38688d06c22c2a21

SHA256
4f5e1131933ee33af582c913ad514669dc30befccfebbd33201b396c376d657e

SHA512
3de252f27fec03ab67f11dd937a31ad7fcb1c1edc83798853b8e052dbf78d26f6e9330630e6fdfacfc3798c82a10f405be5161a1db519918ee645931adbdb7e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1eaa717af85d1c8226a054efdb2d729f

SHA1
98f2e56beceec33fd2461f9144527e7580b3cbdd

SHA256
9b5053b09b21a5c94b550da1a02bc2bce48f7f96a05bef8e58cf56020b77e850

SHA512
e5afa8bea0d87b77edf8eeb4a2bcdda629f319b2c9bfe6580a4bc1c7cd6df88b968a64e90f8980c485a0d4479a1cc074f7bd223146ab98d3659948492e8be038

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
470b177ded600128c6427b92b61b1e97

SHA1
208d6f244ed31246d6680bf7b4ddfcdee181d1ee

SHA256
7aa15f3b2f46dcabe4b745eb98eca2d5cd3aba7a3b9684ed52e44cdf3b3c34e8

SHA512
6d639b0605e645112d8807aa0c30123f74f342999662234af2e939111fc4d5a6aa42625035632e6b3fc00d99f11bd3a544c32b08b3bd580376b91d759e01dea0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
f477b8582ae65ded6618095873e18cc5

SHA1
8e73e93a5a95623ac375f2d3e991ef8cc1ef8f4b

SHA256
77c20790ce4e01a537e3fcfff8928625b2e1f639643c8c40b389d7a4c1a8fd87

SHA512
202143964d3ccae2c4c3e19450f55bfd6941b34083bb2220760fc6d7ab17ac1a5b369f7a69794fa05683b1c1b33a1ce47fb6e0384c44fd6df46c7dcda8616d53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b9c8583dbffe6ba50a93fcec7eddc853

SHA1
2bea56b535f98114588919d886f73fe901c51d87

SHA256
1aafdc85bacae1a665c2e771ed6eda924875fc3c03f35f59fb52977bd16a3b5d

SHA512
398fdcff126484b7f3dc59a2f95211ad8d3d51f2a90a3c1c0ba55c01123158271ba1bfd5d589bfc2f6658b8e99e37bd11d04f93da8b963fcda951e6d6446ab96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
94c4abef4c1833783f59ad3b5bc4fccb

SHA1
82dc0ea2e6e8dc9a66e26dabda585be942f7451f

SHA256
be48567d1149e9a7c700316dc3f68fb1f931086bdb627d1bd2e600c0b0eeeb90

SHA512
a1165b4c926fc9a4cbac3fdc7abb973786d7736549a32d814e29c282293f068745d9e594c2b3f61bc2a427fc2e471bc050841326e4d6dfe53cffaa4ffee6e9f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
31550ccdd9f6da5c75890c427d3ba49d

SHA1
a77f074b8d7c198c54e8e4af58ebcf4c6276429f

SHA256
42d2cc7f17d4c29694579419ebc9f0ef34d23a5853509d5faf10ae6e1a0d98cc

SHA512
7e01ce4c479fb06abb02592cf7be8a9f5aa2246a7c4570590151ddbbef681a8b814c11e198f6f3b56c843e2771fcd4f36b4f8ea81d6ed28e75cdf50bf1216605

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a31c1750fc5c01be64a3413e80927f16

SHA1
5cf19416cdfd82e2b5c6663b50aae94ad312167b

SHA256
3bed3f8dbcd6289dee49951dd1e6b9513d0e90e4967f8f61a7c7efbba6da059f

SHA512
54cae10f548ebea15184a42441e4df34155b5ec526342be661de52c4ccdc2070482b15789622aa7aff6a27db32f6327401300b048bf5a2290f76e3d519c07b29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9a5f52fb77e50e79c9ee20238e9bf121

SHA1
0f6706a74952912eaaf1fee84e64ddca026839bc

SHA256
0525e913459bc1b1926b589702f8db89c26a9f7cbc1ea6e1342ed1aa5764996e

SHA512
97d84838307208767ea3675bc71f3f76aa5673b7aade4c6c608071bf10a3e91d909a8993fbbb02d87c95f6b1598ae74dcf2070be864868bfda0a6ac05d332341

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1a73410cfeab150ffbc67d6ea7625f69

SHA1
1733a7550c6de072d78dba71e8375ac87cf2cee4

SHA256
d38ee5a106fe7288aceef27b9ef8e6923ce0d9713d1cdac39e94bf50d0557787

SHA512
555122f5038d18d45383c0e90b3d82db4071b55a1d6679ebcaa4d19ab5e23fd4fe0518d88a9ca1284328ff4bba7e402f26a250f5c93786cc2cfc7dbd93f927e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e274b219c94206a70325a11002953f87

SHA1
3d9ef0a23d1a5efc634c0aaf46d2c4f3db56f7c7

SHA256
b4c338fa249979e4619f37bf6120c08e54a2c3ed75c2e2a7844ca9f576e24ed4

SHA512
459070ffcf0b2a5c0703351f247b128a7e62cd043c0317bef057cb391cd81abf21f947fe021746b50b1b9fa30daabf0520826c50acc0cd46e0e3f817f07a9f06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
da26d0b5333fe85ec57f3226f1736d8d

SHA1
ba3e3d602291ed8f1508109673e87d4b8621e908

SHA256
c0ed8eb95b61c240caa024b1bde0f97ca5a8d4db9bb1dbf28f92500e93746f0f

SHA512
b442e7583927ecc5b4dff5bd8defa33f37b2204fd3c1479a9813cd0db5795d5eb7efb3250cd600282e24ad7a189945ffd855ab695b306080dce85bef199c78e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
3e70d12b8bb440955d87a58bdc2f5328

SHA1
5fec1285caeea6afa67990ca54951ef4e5ed923c

SHA256
cd579cbcb17a3a7ccde8626d9905f571c7ce46541f0d9a9731abf057368e40e4

SHA512
ea862621619d511e197ed86ce541a06edb67ed394f40779eda05edc1a5139274caea95f31339d5d55d1b8e49a2ee91d4646603a649f9b0d40dccc835066dc29c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b943932f9fa9fd0a088ba4ddb2fc910b

SHA1
5ba045f87c94ba2cab0e44203a01f5477ca8fb58

SHA256
49954c9cf235008c4b223ee6b9cde213d91370bc1d13606c5aeaa08872eb83a6

SHA512
97b037ff3880e184eebaf602ff458d7e991f220118ce93163cfd2b75056cec72b19d836fa300d7d5960c9b8574b82ccd07a34048ac8f221a1a9cfd13232c1117

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c338a4e73a76b6849ffe41618b9cdbf3

SHA1
e145ea8656a659394bdf28f21603f8f677d2c7ce

SHA256
982fcf0333d6c433a604177aad9782df8ebef7fe32115c9f5db3add889d02aef

SHA512
fcc18d46494b89affff4297bc98921d60e1ba457ce1fd8bb69ce8f94efc665191b45f48e379565d5c1b7638905ada158f808a322746bca440a92cb064ad44041

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
df314e700ac0bf5a4c5227bd066a5494

SHA1
aef281d1959ef1159555f71ddd77a82bdc178729

SHA256
ce8a8ba29872fc750990b884a165525d42250e2b7183806a3011b8680a593db6

SHA512
f9d32cfb7361f5e02abc5158b12ba648d3c823348efd96f755737dd9f728ee472fa1d8b569fcba5cfdc43985ec35e79a6e041372666b95ba1304cf45b59c9525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BO46NLT4WPP98RW54YK.temp

Filesize
7KB

MD5
903b921e0f4781ec9f3d5d85b531e813

SHA1
057a8dcb055fd2207e0f1048ee058f6b3e842095

SHA256
163c3909f6ee73f6f17583332bc32206eb47b1b91f91f8b3833992c8ca85cc1e

SHA512
5c38d03192e8c2c0050ac58a951dafeef8ec73eea29881c835c4c63f7bb77ad434bde9b0c4c05e309b5415e044d2e372f8f6e5733873d1a437011e250f5e0bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
653c1e60feac200dd39cfbe571b3a737

SHA1
7752939b414c7b549174c5f33ffd50a48b62d283

SHA256
6aa12da649fe0a4a7ed56657111a6c9e346f8a5bc9e0c79466e4d62817b2d8d3

SHA512
8cb6acaf0c8016037c0fb5f4aafac5bccd2fc9161d9450b1a0bc9412565a456f9bf191b57c99af33654f1103343cf92fb63b4c523506217ae1a844899421817f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
5531c856fe86e5d0e64e3dd3d238de99

SHA1
556d7d466f6b66d0a500abc570685964be127371

SHA256
8766f38d34057a9f450098fc7a2eff3ad5525a0a4645d838c3e83a929a019760

SHA512
702834aa49c3ae354215c3bde4ac8b401bb2a911ddb5591a42797087acedc1ba6bb609ded063135cf12116ffa9c0a12b5e6432b0d8fd5784d63eb6e95c0ac3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
abcdf257810c076cceb231f19e35fed4

SHA1
91f6430c3c5680d623306f3fac7bff3cf3b0094d

SHA256
08697662ad6df08775aa7754d375512edd3a4dbc170ec8a87f03c93158a6589d

SHA512
0eab024e5bc91593d0984b08ebd9701716640e0193a169d79c7dbfddf1d3b357ac20d9dda2518e5fefd2192bf3f1be84eb7573f00f85e81d46ded051b6970f19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
a88db620400e362ece62a778b5e066f2

SHA1
aa107f11bce9177b162438ef5434d155fe9870a3

SHA256
cd23bbfa7e52022ab67258b9eca6b157c6d2e7dada89c79479330e18f048df67

SHA512
b49cb50d30174bb17011789193d5607791a42a84d05d52cbcbcf7d06996413c0b84f176c0eed69966dfbf772d622e9373dc94644a495a53264fe19b85bfcc937

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
a3ff52194cafabc264153ea6966d92d3

SHA1
d19d9f91918f0471eeff48c988135e63c0abcf4f

SHA256
6af9db46c9c525b591dec5ca8ba9114f1b65b970d0f409cd1f89cc4f79f77a44

SHA512
8dbaad2fc019ca2f5aff5803555872a6c0534321594c386a51caae30b3beac76563e9609a9eeabd3ac8843d5b60bb3270febbae6599ebbdaa78215594755dd37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
e855f355384dc2d0643b73db4c60f49c

SHA1
9a1491137aedc13a830245d68dfb6038f0a5adeb

SHA256
e40aa8c23148b19badb8c39c0e4de9ecb67f32a4bf9da7b66cfea4ef5a14672e

SHA512
cfa8a462006bd00225b5a02c16f1c29c4472470ab508ee2aec6e7e3b91cd8dedf2fc75088acf69ba019604f2b0819ca865b7db3845a0cbb45689bec16ba923b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
466ae8f3e48a77fb23ea726ae3017aaf

SHA1
60b93bd7324406ac6385608a85d7ce490c770240

SHA256
798de6abeb157c2e5dd5e7ff74b18c2bf4a4a056a18c181ba0097c596529448a

SHA512
670655a409b18fdedaba6c333b37b5b4badbb191f79af07d433c805c39d3be292cbe1ab2fc4ea85a8498e8907a1da033b53abde735b7ce5b517d46e948208348

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
49c2a8803274093bb7ef1c02d6dc165e

SHA1
9922b9dbea46812f5a45aa7b0aa58288e856342e

SHA256
5faa2a46aab81853a992aeeac481923785d1a7303041b85ef194ccddca31d1f9

SHA512
6d414174539d9bb4dd8bd52703884161e898cf97c2b1ac46ec4cf78ab873c6fd943af14f88f2eb8e6d42f302f8a4b49cf46cd96d95babe8ffa968f234b7738cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
79d11e8729fde9ed2511aeef6336dc96

SHA1
4242ff46368d4af3c82dd8a056296943ba60b712

SHA256
dd44e7ff460bc64e815a4bb64e67dc73a97cc79fd1ccbf80ee0ff0ed490324a7

SHA512
aabc566f83b952b1d60631867cde2a4470fd6a338755f207b246ec483ed8528b85596adf5f066c3a6d63ee1447cbcba9caf4e81884cf3391b3f655edf727fba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
8aec3b77c189751c1a8798b521cfd239

SHA1
a3eda517b769b606e928806e300833515b0162ec

SHA256
2d8ae385aa5285d38a826871b250abbbc13e23ae703155afd70dfb0bddc1bb3d

SHA512
15da39e31d92cdcd1ed4752138a28a1b178f8ae87db8df0c540afdcc4f88aac5d437a4cb269d29dc2d448054248051c8dd387bf220709a4f73d10b3670d1c1be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
601ff9d2a19fc06146a28cff62081234

SHA1
95930998e25ec78abb6763f8294dee132f7c78d2

SHA256
2dfec888127637033293ec5ca2885c5ae9d8bff97f4b56d59552fdf13e6ef6b7

SHA512
56c7b4ec4b1c2eb6f2825eece5ba785c53fc4b87051dca16b8bb9023a74297cbb87a592137a84f3368e73a985a23ee2451325813ff389a87e01a80d3768e6977

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
075583a927149364a2f9bed004d79a4b

SHA1
461d55a58f544bbbfcff59271904e4eda638bbbf

SHA256
a4b8748f4e9ec25553204e64f8d6066d6938577f2ccca43c1597b13d249bf3ef

SHA512
bd051fd561428f9c18b4803ef8361f3d29578826a3942aef60f6a89e47707ce7335f4e972b22131f335c0aef2a238110a2e545d3d86a0508fa1a70712b1278e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
24739fe96e9749f62337d5a800c3c4da

SHA1
13fd910c23184e35e41c657683c23a9e52c675e2

SHA256
68038a2609dc196c7a72b4218b951c378d1e2eca50095f67e52e83e83f193f53

SHA512
7db24d9daf6c1898bc1f64b75c766825d9d923668896d748ab6fb7a14289e69400c1662508d1f0d376aa9740b7391e7389ec3dfa658a2dc906dc57bbe63c09af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
6f19b5016618de07e4406ad8a4186f35

SHA1
307f83b2a46b62ef04f0f9083b5f891fbbb07075

SHA256
819598683161e65c1adc3d30ccdebad7293423a19a1956de578c65b1d19ffb9a

SHA512
587d9234a0a14f0097a3d06c956cc57aca5b8b939d3fa97628ba82a6957cbf4d8d924e8ed5fa0cbfa5e9e4b8bc9d2459174e3613380eb41aa09a20588c4414db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin

Filesize
43KB

MD5
f13c9509e679e7315a35d7f226d0cb1f

SHA1
68bf168208e634650c52f3ac4d889eff7cae4511

SHA256
ed1ca9e5f9376d2366c41b1201aff1cededdab7915a577c23f1d3fd5715431f5

SHA512
61942db510d713291d30e1705d6aee43af2415531df6f81ccd9e32b904cdb4f1c23a76460d74066a4afeed26dc739652bc9abf2c395ffa596ecaab7817262cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin

Filesize
8KB

MD5
38c9b4959f8d1523ee176e9fae6fd259

SHA1
3e41240d39d9399f15a419bc2d4ded06698741eb

SHA256
a0e59864f3552a7efbe03dbb092b6d6000343d71ca5a566c3deefef3dec74420

SHA512
1b411f2d98fa4a2d5a72b44191ffe6df9800dc9497e33bf6f57bfc5c360350150242f8066d76576617b2989a95159ba87be54e7c2789269814835b807a0c5810

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\bookmarkbackups\bookmarks-2024-10-30_11_YUdqwbmsuRJmM1KIep9vcQ==.jsonlz4

Filesize
1005B

MD5
2cc2ae417472d2ed539aca0c6796464f

SHA1
f2bfd2b475e9f64b171d961721c2db968f63a5c7

SHA256
2f71ccdd3353688b03d7c0b0298b7b7a31907cf71c415e2eb48bcb1e755a4156

SHA512
de9a8b0e743809c787cca824630035d8029dcc83845a23bc6adaf286d348dabb580c91487c0b78a75dec8ef9e21a68cee173115b84b4f92e4730910c4e166d14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1b407e5274dfb2a466a2f6bb0d8b8a6e

SHA1
166c2f7afe26ebd9e695d52f7d6b4cd88f22e312

SHA256
f57db860e2b4d68e7e6992565818eaae4f3b970e20068411093b103b4aca4c63

SHA512
7167e3418b539d1bec6d9af2d5122dd9999fd80919d5324723427195c6cff712336081747702b72a5b2f7c6d7271b7c58c8075c37569d6208d98e6f5986939e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b568153849a2836ff870725637b5e103

SHA1
2b6db56844443e25f5206b3ffb8f5a4ce85a692c

SHA256
abc6f6c896c5d7ab33e634e80d1c14c5f82858a0aec3d2b8b15298b6c6a51c6a

SHA512
2690d162d6b08a8bfe9756fe15097a00f8915380505d04dacc87e37d8869ccf2acab19bf2ffa246b5c23d924fd92cce66f0399c9ca948df13b5d37ad7561a355

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
92KB

MD5
2f11205c61f1979040871a3e04bca7e1

SHA1
d949494dab8a62527e5a4a1c4883c91c3db00488

SHA256
c5e79b7aa2f3d48750292c501f36375b3a417c297571e5f546a869035b994e73

SHA512
efba529251c283af225887e7d681ce0ed211ccd5812734afe241e1cdf1f8a0d305aa978b9f5f6e4bf4f88fc04c14d21a23bb64844e134c01fe13bd4c0082f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
a4481f57f67276bc15ec65c33db0469b

SHA1
2e1dda3bbd04b8d5b77b2867376d9e4cefd764d9

SHA256
5f94c7e97003e100c22c1ed8024205941db6b0e72b18ea64f8f9d01afad6566e

SHA512
540d24d5f1543558cb76478f54ef82305523cca5ed48f887a10fff0fd20ce334ef5ed7e297e54c22fab7f6af042d9b0b99f35ecc8394d08fc1367f2bbc636eac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\727523df-3c8d-4665-927c-b2f20324b5f5

Filesize
26KB

MD5
addc6bf9dcb017413c5381a5c72d2fb7

SHA1
45518e0fdb717ae29de515343a5956867312f8c5

SHA256
485233b9ced5ed0b04a00d9c908860586b5bfe206b7f59210df9d98577d6c252

SHA512
f5b411ef8916d6371efdeb13441ebdb7b1c6a0c49b9d80315dce0e1936cee1837acf14d018f318e3460b5c9536dab89696d5d90dac5055b24363bc4f475ac055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\c8f97970-4cd3-4e45-8f6b-a55d995071a2

Filesize
671B

MD5
bc383ae0634894999911a198759df233

SHA1
0a63b8c9ecf945d5740d0e1f5ba2874349b2f50a

SHA256
f67a56fab1b5b136266faaa2150ab85cb15df09b3ebabb2f9150b38e13d02fc4

SHA512
1fed79c4fdb5b757d3ff7399513209c59b45ee89f29249ae0a46e8d4b12a98839a428448941a0cb83993edbbd5e29bbb8c11c098e1352fd01abdaeb900295b0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\c972bc20-aaae-4853-b64d-52d45f900ba6

Filesize
982B

MD5
8ca7ecf528558d5e9630ccc64feece1d

SHA1
4124e8a1109191f3c09ea7ad2e394e99b2aeed1f

SHA256
a6834ddc4d532756beb995d16415142dc4bbd0fd49620dd0ea2c3a0e17577af7

SHA512
18ab796328826d404aecd4bba16ee5b669bcf3323a65e0fea5193b4fe6b2cfbb2d87c22cefb6432d9aa5dc15977bd6e3c8806eeffcce4aaa70a6f846855fb84f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
11KB

MD5
452f481f9ad6ba238a70ea103ba026d3

SHA1
27275ccd90e9a65f361d093e6a1a44bcd921f229

SHA256
10e953fb8b1156ada09a286bccef3310b076c8654d5f851dcae74cd91fdec42a

SHA512
b2efa493461b22724342207f23f51dd1c65747c3b1b0f0c2d97fce486a392cd0594c552f850bc8561856bb722738eb345773d898477e289b2d131e4089069e8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
12KB

MD5
47d426509f7d9c9e11eb7c7b9483c73d

SHA1
4066869665ac6cba6721dd74e81aa685e96b0994

SHA256
de6a3e89fbfe57a09e342c4f187d42ce75f49edbeb4b0a3a5fb21aef0c1de28a

SHA512
d1809e4a412a7f0f15b154b557f366e0e6d3d7504359a02f1938781593110a0f2e7a262e674f7cb6819ff055e2bbf007e51fc832380902fded39d7fcb0e4c102

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
10KB

MD5
9220c478b6ccee6906a84d2e1b28e0dc

SHA1
735adb0248f6dee124100f84e82a30590f3e9fbb

SHA256
63bef8a0e65750a4f9ac1841467331360a1e9061a6447546a8e78d668bccf07d

SHA512
4f10dd6a18d81827ade5bc15c74ad5964c17f16920309625ceb63762eeb1089b9dac7eeae7219aa42b0d08a1b84804183c2ba9c44991ae7b9292ca2c44b87d50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
12KB

MD5
7d4170713a409184576187c596c9c942

SHA1
301fd46a230304abdd47697b4131b0c916d012a1

SHA256
b1122abfb9c620a8b4721178425ac857f248cc6fd11e3e4632ea9f442ef0f68d

SHA512
0e6aae5900217056185771f0eb7aa7589ba7f5ce40099b6257e4f885ae96ef0635b4a1ef7046bf9b7f5ac156018e1474a7e9c32e50575450b34ff88b923ed32a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
77099a82133f4332ca9f83736cbfe38c

SHA1
76ab762a108e417fda6b3ed104b4c08132c8b5f0

SHA256
035b58282656f88769653fbd04f08b1899ae63678ccc10ee1cf32a5bada0386c

SHA512
9c2fc61aa6bd0a3305cbe8df3f7d0614a13ee214e465862f70043bef2c8800b66fc9d960b336d4197ac56955d2272cb2a14dcecd758bbc7d8c290986534e21a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
3dbee351120e696a14f2106d8c2fe5cb

SHA1
d72f6c72e6ed0f0da25d86ee7b57bb537aa471f0

SHA256
07b1691940fc4b154d0da1be2072fcb436c773c543f3513dc46d2350b84c0ded

SHA512
e7c8b81e7d2eebe54b8a2a1e40d8017567977fc00019fdaa86911e519341641872e30b9844b6f1c330b6d45c44080867a3943790353ff2c76664f1569c869a09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
aa13ab427a8f1ca0a8b63b4c0cb51a96

SHA1
806522331b21c3f721d4447d3a359c044827c25d

SHA256
07b493d2c836675d0226283cf54cd83541844c00efb34fa63b87abd0a78185e8

SHA512
c1e49d64162f948b5cbf7c6d6e5cf231a40651e1ec746760b1e8571123805b8d7daf39f42eecff928e79d960b10c3f12dad6c95f7b83daece6cb28866ba53cab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
4b487992e95a88e72d6f966927d59136

SHA1
0402a3c0074fefb5885b1269046d0d062be1b664

SHA256
530d1ad1b9e3be010a36e5db9f798817c35e1f2d6e38eb68af96e5a4baa6ffa5

SHA512
8c0021233f29c97ba3cc68de45fdee2a77c16e1e6572c9b46a49fb1a13fc64806a8e954db725d306564c8dc54242b627f906ab6ae2564a172cf1377c4ffa3945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
7181cbd70a3c55772049f1bc8dbda966

SHA1
74e032ad2f92dd9402b6afb349c85afb41f392bb

SHA256
c13c0a1343035026438a0073e8bb6aea5dde82678bc8a0588580b6844d801b00

SHA512
d07357b698eef481c722a205c74888d83b4f805ef365b925b71c67c2feba5083005edbc04d9be5db05b048f07d507b5f8baa3703d3fd8571b78fa0a21ad2a16b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
e4863172a3258503270986585a678a6c

SHA1
3ac1cfce39541e3e14fcda0c16e7e2bd8c106293

SHA256
b8f97bf44d3c9ab577757922be2531ca6ae1af8c3d3a0f0d78948b4ddbde750d

SHA512
f154e1b6f3fca0667e418412f675d408c311829ecc77a39c469a3323ba695a0fb4cae313644bc9360034c3e937ef0252ddaf42cd078b7f2158ce8989dd86691e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f109d501b5ab874aa23eee2a3e34959b

SHA1
9f73af2d9ded782a2b479ceb1bb907140a8a9e74

SHA256
c391e1ab0621f6c2aa779dafa6294b9935cccd2d16d14d6ece50e05869eeaa0e

SHA512
a7161865a5f58b6c42e3af98945bdc8e234ffa174bd5cccf09e2988e3c5f294ca629ad2b791370d66136ebd6d08129b2292c072601fdffd419d5be00912b35b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
8d5780d1a6fc038387b8a1718a519c01

SHA1
0034a79c7e26b9dea560d0820d535ee9ecb754a3

SHA256
cd311dd7916ab53fa10d7eb037ea93f812fb71b7efde1420be6302b3d3fb4a29

SHA512
c800ca4af60495fb38bb4659e4844ea8e861e92b43f41395fd967d4a128ab66c12753b9b70a2dfb54a1b9c6b2e6273ed9f1530c7d82214a475bfe37a6255a5c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
328638d6263eb549a219ada65a7598ae

SHA1
bd69acd9f8c818e623593c5d2de9f3ff171f821b

SHA256
572e622fa349d2d154e612c9862307dc7e82fb15f3ef0863dc38964bb3823812

SHA512
6412772600826b7d55ffb9843cc448105f8a991eb5b6f2566a9b7c6af211c828084b7f8d655f9c63beacec2b6755ac51e4a0d353b373fa9b2695c74f8f0bf4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
ed2e908b165340169d8af22f1cd32e90

SHA1
f64689f8116d54272f8cfe270c9fcaf812caf13f

SHA256
032423f12a89264bfa1eca123d2c89dd5d4c57b1625612e3eb448bbf448a2d07

SHA512
491294a49149de5ea4ce75f6d210c7beb93a62a0c0bb5348b67518a5a28f107f25d27eff10bff584b8962b69a80b3af10c5c88022ff46ebaf51bbcb8df5ee690

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
eb572224bb400ddbb6f660559fb1a242

SHA1
bb3cbbb4fe5112018b940c5b5cc7372e2c1b0002

SHA256
fb0270bc51edd01c9084daa1996b4cd584595697d917459d3302422baff5e300

SHA512
01800208e15bdf08e82aa9b6714c18af70817615a4ee6af7ca130be11fe1d483cdbd0279e0795a0a56f1c09f7677a6f13236735be7ba9f6550c7571382125fea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
3179f2d004b626e7f778ee9b4d920323

SHA1
d0016f009d015276a9b3b8f58160d5b9db613d26

SHA256
10197296cec3018865ac3908b30aacab6eb7e8991c379a6f5a5af6957594c10a

SHA512
be16695f297d04a284b3ca2b667a6ffca7f9fd9a173e050640c91141e7c6a7a233651a21dbd35bf4b5ea5295a92f1648114db0b65dc7f0279e7508c5d76aeae1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
ddea97009a23f120ae048575a7680b6c

SHA1
5afa5d71c02bfd3807141de28d96d56a38b5c059

SHA256
499a2aeeb453886f44e09983d51445086d88bb32e4939f45670a7fa4871fc26c

SHA512
f003f7a816d11753d2728588628d42d052e71e976ba3fc5a67775a05738ca11954cbb6c1cd100e46dce9fbca15be90ed0ac513c50950a3f9438289290297d753

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
6a79faa629c3877c7ff68bf92dec07b5

SHA1
9a5e08e9db3299d8ca028e4021a0c15f01663d28

SHA256
13d7464ea3c792600f97850537f1fd131daa6675ee6d4053d5e7c131381742c3

SHA512
2438ad30c4fb6f0ab090cde36a552a7019146c031f3a493e21cde488e7e3494c17740c44d66de3ce5892e07a7717c35ba486c1237794b86784f30bf58afb737a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
878cd3b999eb2a35911bef59744bf95e

SHA1
b14c56c442eb979d113f4e2550ed4ebdd146b839

SHA256
515729388611111e0d77ea306d7a04ab34ec08e3fbb4433e6d3d5b5954dad254

SHA512
d76fcae3b659d6f6337d247eb6b2726d82667ad9630f911d62665a8a967094f8a98077d8e1e33c9f079c8947f8c67faf215bcfd7dec2fc0f6dd4c4333a5fff62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5735c2880358d045599128a99c014ed7

SHA1
296113c9ea20cd250ab873e7429ff2f4aa509788

SHA256
ae5de8003afee34a30e97840015aefd50a3e11015a1d9c0c75ff3cbcb55a2633

SHA512
dc73dd65c8eda73cc978e263000f37670b3380a53066c796b431443165b8574ce1a1a5de2d47cc6c7c3fa60863f0fa40e22975e3f837daf17fae4fe5306910ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
349d7913a2064e457d8a36101072f151

SHA1
59308baa98fbda812bbe3238ab5da622da453fde

SHA256
c3e1a723fc7aa5efc2f573b8d97ed710fbcc51a6d152b05b5139e0526ababcb0

SHA512
620533a1b3247f33e7d71156f3f902758d4458f046985ee42baa04bcf6606beb9120aa743b47daa695fe8bdbb0cd7b44922988f0a009338fee3de5be0b86f1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
4f726d1c4df224c324d340639e9838f2

SHA1
1f42c4016772e0152c87559e9654487ef0823e4d

SHA256
7234f9de7977caed55c29625c9babf8b4739269cdc8d011484ff4e53b423cbc6

SHA512
fdee6028bca013e55d4654b8a36c3acf357cba0c680b5bc0cf25deb2f8203e2824c7b7bd566ef30afc1feb5faeb077d34167ebeb71bde3d85161d16ebc33d4e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
f5ce7187065004283c195acbcd638e38

SHA1
ffb35607ae506088127f0461c2e693cc3cb0c284

SHA256
368ecf046d78c8274074dbc16972c1911d3a165ca7d59220389eefd4237dd9fe

SHA512
969a8fc4cab54335ceb4554d647e723a995c17877022e34e353e6a8615e3cc74d5ba47a91e2ce78f779b9b8535450321dda77370711dde2ec980a6dc0cf2388f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
4f57465cea2d575ccec1c9bf965a11b5

SHA1
d290700678d93425096f23ce89dd5cc5022ace6f

SHA256
e3de91b103514279202d25da23205bfaae44e222ee10f0dfa7105de9932afff7

SHA512
f4acbe7b6f7f95b2bcf4b0684939bccbfc04287f638d897fdb7a65ca7f45fad0bfca55571f0b45eefa2d86aa4100a531049c55a598f71c2a4372cd07ef5fcff3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
e5324f92470bf5cb66ba8050e9df7911

SHA1
6ba10317c4a0183558f750dc9128a0818338de9e

SHA256
4906e68ce2bffae997bc86a7eafc217ad9722885649db5c29f0345f8247cd052

SHA512
513c468d8f2fc30b22d737d2190cb4c12c23f125ad31f2270b5886d5e0a25fe548567e5822bfce18e056bae3c4c95931c0d23363597306b2b333fd9b5363eea7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
4692e4a154d355beee77d99be87feabb

SHA1
1ef8dd1b06e2651f9c1efd7e48b00f2819694e22

SHA256
27188da4d5401073d1f462a3fd167d5b39461df6020f9e560c8c148c7616c61a

SHA512
dc0be8a7ef98008252ca66a14ba1c1d88ee5cf65faf255a41f648075de0c33ba08b183fef89638e9bce329b8a6d757e09a49f5f5e3d66777793c4e1aefdd0e19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
8b0fd8b7fd6997d9cb4260c95ac5840d

SHA1
2e8ece7edd491f9236b2bd4a485be6d1af12baaf

SHA256
e1fde52d877f6b5513a0452bd4ccb2c4ae92edd2ab5284df4083233370564541

SHA512
ec811b4fd795affacab8406177660aac3fb678ad35a7308e4286dbb63849674d09d7d0095fda58f8a58cb3f3ad63b26ffd569c1a0f7cc10bfaac49aee187d416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
02513eaf1baff2b9adfc9befe6d54e49

SHA1
24e6027f224f07cd538e14eca0bc609e6ccbd47b

SHA256
246c94270e89ad9d5b0a5bc6052496bd33f8a3d9982070a9df2e4f7e2b3152dd

SHA512
52bd277da86069c70b463b90f9b4681d825532ab5c098d64c71e6f53e2f48560f8d0fb2ff85886f334d4d2ad03df3627dd96c6803b96782c8200ce4724956192

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
c82f8d9014fd0ab1cc781a489bd36aa7

SHA1
2fbfc2d7092b8a85b0c7eac398d109071d6ee50e

SHA256
820606fe9b0120ed5e0637aba22f842d2e05367350f7da7f78ef391858ce8605

SHA512
c432b8ef3f57d5cb5b50b19c3af89441a006d87797c85be98ea23b2af1dc798644023307164242909423fc8d2804d5b702c8c216b2f2a55ff40b22b444d35890

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
2bea9ea1b0ae4fd04a17b77468b6db64

SHA1
b206e473a0abfec7cdc6f3147771e4e62aaa9600

SHA256
bb743fbd6d347e2378e2d6d947c605d235eebde851df697831808a0c17238805

SHA512
82c5fa12740ff3bd7c8d908ebd9640722b6919e1d2d246a1fcfb916559d773d0d01d5a4156f3904eb398313e002797f530b053aebb765d9e89f3a8f54d98cfac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
534fcf46b008571a37738b308922e157

SHA1
aa0e2ec0ba5273b49c868082a5ee0c08bcf1bf0c

SHA256
6b9263d9540356016944c9676fe96a4d54352225b87b6f689937546cd8e42a9d

SHA512
5c65afd4ffbff5eb498b1438afbcdea4e42a6ab6f9fcd14672fdd0b21a6f87e1f8f9ba697287f0a774ccfc294c9c17d9f90530b02c452c3da6f5488f43396cce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
a851cad20c98eb5f84c9cb54be90eb8f

SHA1
054bc9ec7e7ef6ef2e7d42723af6bf9fc3c4aae2

SHA256
b9d8b75e39669a24b1a7f60af9f54f608c3db5225cf355cfcb41bffa84452dd0

SHA512
87ec3cbb6c0f498c791b966cbd33dd7e09508d4c4a69b76e49f467907d4b100a78ddfbb398e23f7b8602eb17b040ad1c32b8648d2842869be30be47b08452b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
55becc7716a774828bc87518e73eeaf2

SHA1
52db3822e07a0a1fa264c7ea9e96c6bf45f9ac67

SHA256
397a3e2d471ce1581545c260219cefeeb4dc5a1d27a48f049b105b7490ebe648

SHA512
b38ba9f0401348abb8d4ecfe81f4a17a423299e10d847b13821155b16d35991de0b2933bc72de28e5c0daa015fdab1851c8bb91ff5bb6bf102ca0df79ae6bf6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
edac1bf75db9a43f0ef78bb25ca5a8a5

SHA1
7c496101fbca6ea04651bda1616869cd9be356a4

SHA256
0370c216c964f1674b6414eecdcb08dbccc3964699e42a3e86f0caa11e6c9e88

SHA512
bbefdf4df0146e61d5ce112c7084f1ce5f9949d7ae1a0de5358b864c4a1f216c54047ce19dd009d1f0f351128f029ec43dc9f97a1e998d3be38e0f7ad30a1c52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
c82754c0690918bfa4f387660833a9d6

SHA1
0e326de46e41e361a8d724b3c341771d8c89e18e

SHA256
e3bbb57aecfad8a3a246a1c9f3012431a75a9992b6c6de5b63d34d0553c452d5

SHA512
8249f2d6333a527416400dac0280601924c53acf16d5cb9377139783453bb3824a68e416ceaf588200e6d315afb9c01b9ade2f25db141a0dc64cbf2ba9024f50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
aabaef6e4612122b6a57ec6f4fe0b922

SHA1
100c9c496ce5214577e929ea1664b630f32dba6e

SHA256
5f5e2a13bd036a0438ab16e89ef53f971ba8583667494ec5b6c13c40314d985a

SHA512
1e515c66fc0a9b67ebac162b540f1c25d83b33136248f5942129e47724b29584947a13be81dc3f87db049423e7102906ab0285ba010934e4323932656c71cd2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
4dd9f535dbbbf6515f2c62f0281de3a2

SHA1
9bdae907a18611fcc780ddeeae4cdcec1b43bdd8

SHA256
bcc8453844b988168366e22dfa2dacfcfff58d2f96f2cede7a4f141ad5172ce0

SHA512
016a77ac3a8415c41a62dab7995b7fb0eafa03c54237f6610f6b6b20803eaf0ae95b673e906187b65b402309466ea341b2217c774d567ff154dc5bbb841cd76c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
b50bc30e4d06912f9aef5bc4bcc4b922

SHA1
db41f61420cd3d72cb12ae2919d4eb2a8290ba4a

SHA256
74b33411c31cf45e04e92550df69fde483ae77555b38f13e0af27d3022d64d25

SHA512
aafa8f300d39f3eaa72a5516fa13bca335d1c90ce916d70783769d30f5b0fb03362f864b635a31e201fd8a4653b85505826ee2343f6c67e6d51ad3684d45917b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\storage\default\https+++www.googletagmanager.com^partitionKey=%28https%2Canydesk.com%29\cache\morgue\166\{2a8b4ff8-9507-4cbc-9c40-ec90091580a6}.final

Filesize
4KB

MD5
7fd116230491d5754c0b8b21d8aac3a4

SHA1
505c970507e1ee607f55221d72dd3c8d5c34a006

SHA256
c7e87cc66882a9f33a088046f6bccf88d71b3c746c737cd922845e4f964ddc3a

SHA512
2d782cac56b3691bb4189b85a4f2882ab30a5d23eb71e5db4aa04f27d19956cedc246213fcf66c333ce86cdd57a808a1cbebba54f885bc2e85b601d02a9c943c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2232182701SeesravbiacteaWDosrgk.sqlite

Filesize
48KB

MD5
5864c1f297db6500707716543102cd10

SHA1
3c3b6069999fe4f39c922d4a425f258e106d40ad

SHA256
e920fa4f2eb52d46a6e9ea2a8f0d08780c8584e1c77f5bca2b0d40f49bf7bd12

SHA512
f930ac7800c174c7f343f0f4ff4067f7fc28ea0ac2db1f827cc8e7694c56733591d15964e8334ddd848598e85c19488bcb0aef4911853b55e68f871d86d6cccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
977b3c2b1cbfe5c37494abfb081e4546

SHA1
ff9c5d96a948a134b2be2cf9947c4c8e8f5c1861

SHA256
b8a3774605b55f13e07b3a1b56d28e6426c5f32a88169ddac4d061a1ad634a42

SHA512
9a7d93e11af0b548fcd2209a65ada3097f5900ade87bdf8d0a6a07687d47a3820832e4c375bf4b827c33f2f3263e524854a135f4ef088da1b16f7dbd7c0d928f

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_000001

Filesize
163KB

MD5
60fac52d8b47e46483d488272739b6e2

SHA1
f13fce5c73fddf91ae7cd56dc57bda8e0bc27ffc

SHA256
daf884a9d607a3b3c814e5099556629193f0601b1f3aecd80ef2f5caf5c6f0cd

SHA512
b8af059addaec74123dd07901091c8e1778d200be33c00148e1529a359ab4d2f5b5cac4ed49c76c2971c6c9396d701b0bad954b261727e758ffa59ea6bfa42e2

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_00001e

Filesize
38KB

MD5
ff5eccde83f118cea0224ebbb9dc3179

SHA1
0ad305614c46bdb6b7bb3445c2430e12aecee879

SHA256
13da02ce62b1a388a7c8d6f3bd286fe774ee2b91ac63d281523e80b2a8a063bc

SHA512
03dc88f429dd72d9433605c7c0f5659ad8d72f222da0bb6bf03b46f4a509b17ec2181af5db180c2f6d11c02f39a871c651be82e28fb5859037e1bbf6a7a20f6b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_000027

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_000028

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cca24a2cf68420ab66ff7bf120353604

SHA1
ac669b4d27d7fc6ded15bbad19b64129a89624ed

SHA256
70db9ee1de318050ad1bc6557d2526fe7ea5ed7b4a7b99b9629936c06cd4bdbc

SHA512
2a2499bcced413d7e86bb57de780b3bda708e5dd5fcea609df1dd0dc309eeaa87dd37d82d1a16515b4a4571637ee2c421b7edf1738d3793c8e17acb15893653e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b3ebda83c4e423729665a9c80773e327

SHA1
68df60e4b85d3c4c7a75a0f928ce0003ca6ca90f

SHA256
f014986f7d84c537c2e5fd4dbf5233c6a2c87f8971261cd658b1f1aca9b602db

SHA512
0fe1249f7e5ad33cb24ebb557f60582018f10a8302e5f9d4f9e9dde2686aa2c79746c6bb32e23264f61adf0216f912d0adb30d9b3f30975858788c0f2c461a48

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7da1133f71987a7768daa2d093bf4f8d

SHA1
e9a30ace0dc3169f2326d1a2513ef0bc87519a89

SHA256
23051a6c900253e63a583b30297865d5bbe5c39d2d1c1bc82f779f9f1c8379f0

SHA512
2ff979a7c7ab2cd438e1a3e003922429db7419992d94a9c346374ec9a2397e66491af24f81d77ad9618f90c9ca49eb0eecaf57f517c9ff421cf27a3a3d3dc0cd

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\metadata

Filesize
114B

MD5
3f15bd5c4e129c7058ad59aa921b37a4

SHA1
90b04d64e125b7b4e34e215f847985c397f115b9

SHA256
b5db4a02ddbebe50c9214507fcf38868c872f6c48699ee2fa56f1e8eec48b47b

SHA512
16dcae24a1f4bc2566ccdc89e600a912cb885eb6542f72aebeb02253402da443ea462f1238ef160ba774f3b1a8dc963df67675e875ba588d554d047ff643acff

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\reports\c715e653-3e6b-41a8-8919-2919e6be13ef.dmp

Filesize
579KB

MD5
20c78cff559ee1b3da7c61087a2cdf43

SHA1
1e3d6121eb753b97a60564d8b40b44932db14dbe

SHA256
28c77e8fe2cddfb92bdcd40bbb79e90e5fc5d51440866bb40bcaaf4d956c24e0

SHA512
eeced99e35a14ebdcc7070fcfc9ce8e965b6443e8c3c7786ace6f04dd97757bc69240de774cf4215e9725aa0adcd2896b5a43e642497bb927f4ab2ef079eb42b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
1023B

MD5
2f1e5042d636a9fcb3894b46f59df66a

SHA1
536d9b09a7a170a8803db2753f820d11fb19b916

SHA256
ab707ac10b7d1ccacfba40c7a1faa8fcdc9b6a527fd088631c91759cc788908b

SHA512
2b1c59f6fc7f918d40c23315cc7a92dfee1ae768b7386d54ec47747ac43cb22e21c7f76e6b1b481a80efd180593aa1a72617f1f212aae2e13a8cad273b7a23f0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
1023B

MD5
55c491441f6f0fa076f57609dbba959a

SHA1
aad2f2902c15cdcacbe126eb2b174d3db0b59d29

SHA256
150f157acab6fee7c27d8f25452a15544d7191c5d49997828acbfd72bf87aa1c

SHA512
32f5409c2e389aa6ba5d6a25306685888679dbaa06a3eba06fea37d0ef21020c07a305bd94416fe65e40fe3136c6484dcb7e40c4913e6649a0077397eddaee9a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
78a17afa6d81ac322c3de2dbc51398b8

SHA1
58c7df2533cad4bde9b2676d5d73be72977e92e3

SHA256
6267eef96e4c4ea345ca381b9e8506cf72a28e5d6e5a7fdf619abffe277b85b7

SHA512
10edfac28dafda3e7bc77a5d9f7cb6f67efd0c553f9f856da7df6b6c594faddf70d1c1abd0681ff9c430cc322e208c2221d7d77e7929542de715cae99db59e0a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
404B

MD5
bca21047bf5f10451c3d8a585c631ace

SHA1
42bfba25796d1fee9f5f19a1d95935287408871c

SHA256
c4a06b5f6400daa98851dbbc10972c21937840247004baa855b985a1fc1efc13

SHA512
418d449b9250e15bdfdeccf7b584f4b132f99eb6fc38c63110f33e2cd7dd48506b84ca56596c400d98c252c19bd702c8eb6e73509d0da07cbebae107c406beac

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
750B

MD5
f42eb7e4f7f77ec64a8ac990118429c5

SHA1
fe585779a84ff3e0dde3897aaa26174c2576902d

SHA256
2f995990de0818ea6ad0d515a6113659bd963f1496508c57431fd41f978ddca6

SHA512
0c61ef7ddf24576fc53b2ffe178b58d9935510ba2ca2f9b6fda5ca05878388fd8ed1181c61eb5bd9b728142f04f36fc46a8786b1867e5e8830c9483f848b6ba5

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
a57f4cc3ed9ae60390cf870bca37639e

SHA1
e96bc337ea660563648e3d58bb464e20bbbba5a0

SHA256
6fa4c320cddc7399abf4c33ce7a0fac9d08c328c0ed74e7571cb78e3b81b7ab2

SHA512
e88aa004b4484b8296c9bf58bc2b2ee914c80935c60c45e3fadf7548c5c570daccf9a12512d94cdd8e0226fc1924ab634c04735e7a5232e6dcf431c2e36383b3

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
520B

MD5
aeac6c14918162477145eba0b42a2b52

SHA1
e615c90cc0e3ce37d0d9b00f470b3c157ba295ae

SHA256
f4c4c59a84c9b931672119cd11da2cc494a1bcf04d5d80a5ef4db442840a4307

SHA512
bfcf96e32aada34f84f0d73b2d7c527a8a5b5fd9d3b38aa6d0514380d9d2d829de46c51e953534a433ff6f2dc845198f7df48c6ed5dbfcd3eb66b6cdb872b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
520B

MD5
f1cba7f4aaf6cfd1aaccb9803f2e14cd

SHA1
0c72ce2d655365d60f1f8ffa069d35b32578764f

SHA256
bb9b1227acb4bd7d7820ddcf778946d5900881b600f672681fb6727a02e68c9f

SHA512
2c60a75324317d19aae22d14de9b1c4e600375615d20f4b1bdb8a965fbf8f8579fe3b2ea8e1eacf15b30a08156f3db8e42db5b5c10f52a585b12cdf9005fdd29

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
520B

MD5
2e1a71ca02b844a4bb3f957238a3c860

SHA1
171e23f7b8bb0616045b10d9675effb271da6e15

SHA256
f66b714cfd1e4646f25087b9ff46c37330044c103c6f61d1cbb352bdf66cd8ff

SHA512
ad019a32c4c9a08eb4aca43058503d954a58c816c6680e25ff0c1a05fbdbefb1327c3b9865f68dd587524c4a198fa9431eba7df1507e1da591fa857c1c4e525f

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
518B

MD5
f37f716fbb443ce0afb59bda18c154be

SHA1
e0937b2479b88a9ca15621da6ef8e7c4c23b8695

SHA256
55dd7effe6bdf140dc27a2f22a801971a8b4ca6e1029d6316d1df647daa1d3c6

SHA512
f956962eaa7e6e3c778de9661253fbfa992180e25b7d08adc7e7275c1184c7aa267924a30e43858c459b90598ea79c182e2d6d4e72407cd3acb296da18465159

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
353B

MD5
3e8132390649b98b36f50b78c831e752

SHA1
65e15da6872e529b0cacaf8cef5cdc91f8e0d83a

SHA256
74ddbc3d58a82ae62a77a9f2bc0581baf4c1649e61a14bc9c6db82fe2291837a

SHA512
94b1ab1e1e98f4ede5ea930b85fee136df77b153e0133bc7dcd43b581b78726dc16499244e77a75081597092b645edf4a8d325f0c9459306d1896652a868f1c4

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
353B

MD5
326b584f40bd94c3c0c6488ae0bc2ba0

SHA1
7106aa57f35f7f1744731e69204a88ee4ae76f1e

SHA256
28980d593ffcfa20c444e3852a4540e1e614b41263838e2dad757fd47b373460

SHA512
29b86ac2fe58ec47a393abc6ac3817d7492e1baa36e1399b5839db6eb3beb787c2ee089b18a9bd6aea002833d517eb7a2d591a58868777d494ef923c5ee42345

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
201B

MD5
be4c54bc00e606b3e980eeeca759f760

SHA1
89fbdc97a43218c4e70d5335e4855d2aed267b86

SHA256
f014fe79f792953e243f942ad63ce8b9f29932863ecb771c1eea46b2f3c67a91

SHA512
e0a03471606923cb4a647c497be831af4b5dcd0a7191a655ccfadaee70f11d2ab2afe6839ea1182b078be6b07caa591652a329a5bb56dd8fe767f2309df9c4cd

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\a82280fd-4d50-4469-b0df-a5ba8fffb7c1.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\neifaoindggfcjicffkgpmnlppeffabd_1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

Filesize
1.1MB

MD5
f265d47475ffd3884329d92deefae504

SHA1
98c74386481f171b09cb9490281688392eefbfdd

SHA256
c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

SHA512
4fd27594c459fb1cd94a857be10f7d1d6216dbf202cd43e8a3fa395a268c72fc5f5c456c9cb314f2220d766af741db469c8bb106acbed419149a44a3b87619f1

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Roaming\discord\logs\renderer_js.log

Filesize
3KB

MD5
cb3ea4ab1d7cc5d65b5a9e3fe264c653

SHA1
9cf6aebc1312706e927e28194b96d64d29479405

SHA256
4a673b55773bedc8a52f102c039ddb2125df992bd7322f9579b1360ea57cd8e3

SHA512
9e3c9b2c99b527825421210984c2779e275828558746649ac6e0fc3ef89338f4d1b419d2a497820cfd2bcec3a3eaa21e2a090c21875b748edfa4589bb4246294

Download Submit
C:\Users\Admin\AppData\Roaming\discord\logs\renderer_js.log

Filesize
5KB

MD5
10439660dfdcb9428f2a2314b527efd6

SHA1
1641aae6bbbe9d03e237bc04cae6df25ac7aabac

SHA256
d93f1e414d2c1ea8eb42a02a5333d8a466240b6fa4496311b998e6d194e88f11

SHA512
d2c77c8c24902eda989c80430834296fee6930ea8ac46b74357bd98aca218d53ee4e7b8d6135c43dad13e6aa6b8676c92bbb9fce56dc4cb16c5827f6e172e7e6

Download Submit
C:\Users\Admin\Desktop\EnableRead.sql

Filesize
421KB

MD5
b87149a7dcb9e24e4f8973505495a05c

SHA1
ffdd526599d4a156d1666e5c923c8c68c8416fe3

SHA256
3ca43fcc6977f6f4b44e73d94cf6d925e0da0d1199c7098492e82148b9de0259

SHA512
0c09e3a8b52c6db33f327c6dde0841ef15331472a4603290cf1bd44e8eb07f97e146e67e67663f75b3b64da0a77b40906a5a00ee12eac481b4fe5d088be3ae8f

Download Submit
C:\Users\Admin\Desktop\EnterWrite.TS

Filesize
191KB

MD5
56e341a0ca6b98a9c4ed812474d35fb3

SHA1
caee778c7afc82b41d525e7c2be94569fb74582a

SHA256
f322b6fb0817c7513eb9e16a9d3d13b6771a099b0245dbb5bc5ca270c6569c59

SHA512
fa2ff5256bb506e1a181cd5ac8c30f25b4fda85966c38f8548a3f0adeb2d23c5054b197f032fe8a25fff85c85c9f74df0ecaf2d69c6e2bb96f95c6840191c9f5

Download Submit
C:\Users\Admin\Desktop\FormatSelect.raw

Filesize
268KB

MD5
e96e2b4fafb6ecc7ea29a20c9ab38e71

SHA1
fed9d450d149698640e0e1fff8a43e0350a74cc5

SHA256
872763990f91b9839c32ffc7bfba57cc904177eb70bf93f0870f9037f0f857a2

SHA512
3456fa12c732daa18c323596fdcf2eeffd99103dd32a31c0ecdb4b6e91ae1a1b72bb8885b8963a8debb83a4759b821842d5d0d872a7d9ff458e2fd6542c76680

Download Submit
C:\Users\Admin\Desktop\GetCopy.temp

Filesize
158KB

MD5
a154b9d9b3739d807bd98c396878652e

SHA1
fc987e7fb41f406bae05e552e56cf0207c69dddb

SHA256
755a3594f7e5a864e6782b18c72f2ad5e6e4edb2f9516eca4eb3701aa1aaafa6

SHA512
af4b2f52892d3bf21b3264af4f3eac4c052ab367fe6aca5fdc7ce4790c39c377b64718bf3541a654e32c295a4a308a4174fa0f9b391d3e8df6707d19895e075f

Download Submit
C:\Users\Admin\Desktop\GrantUnblock.iso

Filesize
454KB

MD5
212f693fde79ade883c0a8cbef3e1cca

SHA1
f7264a245df6f3c0ebf4b7abbbec64e5af8af877

SHA256
dd85f8b28fb8c90acb478ec05f73b572aea8dda17928cb2294fc9740e72335b3

SHA512
359a9944b8de51d4ee857234db140efe0b1799eb24670f365a410c2bddf48f6bb5e7488059a21c4fe82500c1e8b5117863eeeec2b7bc85e1ccec2af8bc3a24a5

Download Submit
C:\Users\Admin\Desktop\ImportSend.mpeg

Filesize
378KB

MD5
ef2a7702108e8dcf73b906ffbdf5a3e7

SHA1
19d6a19e71dc7138af6456f6174f8a33d887f628

SHA256
c1ebd9938174004b9f3cdaf91ea15058558f170619bc10d4585332a6f53aca43

SHA512
1cd7e7bdf2e677b9be43a4561240413ab4bf7cc6e4739cf281def720c4fd164b89cf6e65423efb0a440f238fbfd2179f09d9ef7b3d951ad37b523793f1dcb239

Download Submit
C:\Users\Admin\Desktop\RELEASES

Filesize
81B

MD5
aad898e5520f5b318bd33e0c1fc24212

SHA1
c6ae8dc09788eed217525e69a1a63bb6cb215aec

SHA256
2ccce5a1c53bb3937a09c619d48a5eeeafd02c804c4618ea4019a686edbbbc87

SHA512
dfcf06199c760a335676648751235e054f069a96760935938b1452e82169f77d86201ffcb08393ab40c2b330d885bb0ff8577af26204db6b898d005f0989b1d4

Download Submit
C:\Users\Admin\Desktop\RegisterDismount.dwg

Filesize
279KB

MD5
9a4c79bfe17b39eac7ac15b7573579d1

SHA1
ade495889434c6187914bf461874f1647d44ee39

SHA256
f4e678aa0dc5cc64159d1a48f3444d2316272871527071a73c41a3a16f0639b2

SHA512
bfc9bbe0e335f57e7abce4f8e4b5ea9c6371ae3c5577c518b35cb10ee04d2405f46c97cccaea19fded2f4379ad9b3bfda48be8824880b639c25e02532e84176b

Download Submit
C:\Users\Admin\Desktop\RemoveImport.pot

Filesize
224KB

MD5
a8d96b94cb4083bc855a55bf5272a213

SHA1
d3d10baaa0e934cde5c2c3d39832d96695bb7e0f

SHA256
5f30e844d45e4e48cb682982d4acb9bce52b4cf340966bee18efae2d4fdbc8db

SHA512
5fe71e8fbaa7f7913d14c56f02ce28fdcfa351ed35a0a2328fa0d6141483efc12216c1f083f1fcf7caad98059a66307d1419ec3ee199fbdd98642d9dabed2a7c

Download Submit
C:\Users\Admin\Desktop\RemoveSync.jpeg

Filesize
624KB

MD5
249baf75fd61eab7911ea62a8f638b22

SHA1
16d156bc0133e5960d386796721b8bd26b140140

SHA256
9b3c67a1b87555e5b2bcf16123f662a66a9b0c646a33c9ef2a3926773ae631db

SHA512
fff6f85d6a7433f6d8c2e168760406fcb8d6ecee7fa928819294cd521e08d82a65708af23afe0584a64220c02338edd1bd6ed2c531b05382279cc6073082b236

Download Submit
C:\Users\Admin\Desktop\RenameBlock.MOD

Filesize
399KB

MD5
aeb46d98ff333397d372a7b8d4d836fa

SHA1
85572d852e30628fef611a87920339bd3b4a7df9

SHA256
5da8ac24ea4a1f8eddd028a6096b1d679f65ce90dab0d954be313db801c1b02d

SHA512
0ee3f97003743259765f7c0b539afa2ae3e51da1287a3c976a47a7e6522316d649ed00b75889a17f6e4c2f9177d29f7777cd4b58ff547a13a2222ded22eaa553

Download Submit
C:\Users\Admin\Desktop\RepairCopy.html

Filesize
169KB

MD5
a852d11c2137ec2b7063771e45d9893e

SHA1
4eb57ed8e2f33f9659456fd59dff26bc3c24e0b0

SHA256
b90b28da57315d693d1f798a2363f740302b8fd782a6fd7cb74d01315daa8680

SHA512
020ccc7f36a627ccfc456c977f361be3fc09eb6653503cf95db125f993951ffc83d37592791b7c03e7b0cf89c4523589ab9ba8a8f4c8e584b83572c82646cbb7

Download Submit
C:\Users\Admin\Desktop\RestartTest.xlsx

Filesize
12KB

MD5
151997b49e45e53f4064ad8e29f3ab22

SHA1
cdd5a76945e09a595769dbe7f92952b54852d2d8

SHA256
7e8879965b2224c3a315f2723ad161e9e7af4228494f1d67692bd45cff1d81cc

SHA512
0d239b9820e0dad41eae1d3b249cd5e5b3beecbf91df3f9f10c68df7fbf1d288013c202d3c6780e921a2003979451b37cab788d27c4238ba8daf29d481b437a7

Download Submit
C:\Users\Admin\Desktop\SelectWatch.search-ms

Filesize
257KB

MD5
166cdbbc18a6c820fa061fbccaf26e1b

SHA1
8357cbb8cb4f53bb552e26ed90308af534139017

SHA256
8ca98b47f6bae764f71454bd1df344f28516f1e316e2aeb0cb3d12ee9d21ae58

SHA512
4a8b4e9b823728174651cff0730b0e5e0f3d3c4c35de76107628184577302398d6cbd0bffbed0fb31279d5443c702ddbf85cd0df50a0959a398ea321619c57e6

Download Submit
C:\Users\Admin\Desktop\SetClose.vssm

Filesize
345KB

MD5
7db5fef926ac0fcf0fde3625e88e3c2e

SHA1
8359a5f1fff7f93e6a53d40d6ed8ec79c5975333

SHA256
1b2d6ec38e909f3c9aad917cf613c5b2a6d78f91571b3b77878550adb3d86201

SHA512
3738ac723d5504e37922f8d12e41b6555ca2f2fdf39f8c5f62820d8cd7deb5ab731b3ae36399aa0b8e95af4c2cdba72392d5f182a9044f240c6c39829140272a

Download Submit
C:\Users\Admin\Desktop\SetPublish.wax

Filesize
213KB

MD5
5dd061e42c784cce5698c80a06978cee

SHA1
6ab4a530082727ff82fbdcde957368827421d7db

SHA256
21cf63b35be07bea73e0541f83d7374b20baa02f923c314e757ba5db44559806

SHA512
075a98bfe3649b6baca55265cdf22ca5575d517fc513e188194ccd98645325023cb9dbe76538bdd82c793c47c030d20c24d351f2618056450c25c22f33d60527

Download Submit
C:\Users\Admin\Desktop\SkipMerge.htm

Filesize
443KB

MD5
15a1da1cb9341e4974e82eb99ebee680

SHA1
05d9bb66eaf6fc548d4a55fe32cbb586468609f4

SHA256
04971633137c9b6216ab2c43ac33cbd05e9912076cf6b03d19e3b4db856fe362

SHA512
055b3dc60c3c75decc6ae9c1c1c74a61bf4a0d2fe72af35592d394be7eccc8bb9ef69fb1fe5823f6aaebfd09b6c9bbfa721837708827d92b9c1f7ddc21554245

Download Submit
C:\Users\Admin\Desktop\StartGroup.tif

Filesize
432KB

MD5
ef28dbacab65f40b2096119e559ceac3

SHA1
986d501b8544f30c52a5474e1faae472cbd73037

SHA256
c8f4e302b9ba6d9452d123fb56c1ac96b888fd50fbceb20bbb1fc6945484b5f7

SHA512
8d178339ecf5edb6025cec00ccc67c28369a1bb8971a9a7d69390f5516bf77e523a08bda99113591ae33b4f8ad1f8c244cf5ef48a84f4cefbbbe36d4f4ebe1b8

Download Submit
C:\Users\Admin\Desktop\SyncUnlock.docx

Filesize
14KB

MD5
fe627513dfcfc85aa544a63ee39fb25d

SHA1
0f715789be82e3e0622b3f37a7d82e67ee88f5df

SHA256
b24f5e152a095cf0d4dbc6edff60183b99defefa473e8ca475ec0ddd192e21da

SHA512
b4de8c30420d950fd87d63001f97b8bbdec71707cde3ddd388c628d4ec960df488d3133771e7c844270ffd96538ac22a24cfebacea05ffab11d351d4af5255f5

Download Submit
C:\Users\Admin\Desktop\TraceWait.wmv

Filesize
334KB

MD5
20c09ae43ac7e2ba819e6a8f2532e50d

SHA1
c8d1c430261b2ebf950178a1e0dbca102154c5ea

SHA256
9dec87ef55e2fc92608f209d273ac4ccc14f1135defdc5a0a93499baf7c47f73

SHA512
3ad86b5409eefadc7382231e6ba6b98e26119ce0cffa0a12cf7419548e7f88cc3b05f9a227164233db60202f36856a25f63ed59313eb05182d90429e930a63b6

Download Submit
C:\Users\Admin\Desktop\UndoExit.xlsx

Filesize
11KB

MD5
5d4d368fdd65697ba610c9958f9aee0b

SHA1
a24edd9bfcc651244f390ea85bac63b04422c423

SHA256
36f6374c9214795b9caa737d064d31973059742cb3c31e1f9e3355c0d7a546e9

SHA512
594f40d16659722bb58e9e3a096daed2fbb4c767612a9b52961f419884bb5c527ab00b41ccd691398897a47d009addf33660d17071e41eeb10b6a1ff62ba6797

Download Submit
C:\Users\Admin\Desktop\UninstallCopy.docx

Filesize
15KB

MD5
b52dd999c695deca485d429357648459

SHA1
e2d99b5331aa54374e8273cb20aab9dc806e4ee0

SHA256
7b303022255893d281fa2aa3364bec77e390cb016458ddccb527c9f65cd2f291

SHA512
c11011f2e457ce44a789c2abd655edf2117893aa8c6c0a62ed382413032d9dcf8402256ad2202d7ad382548f100a4493282a3141cc57ebacbebd67d6fbf614d1

Download Submit
C:\Users\Admin\Desktop\UnregisterConvertTo.bmp

Filesize
367KB

MD5
075609c2011180de4b6777a6a8a8c387

SHA1
ade5a8d11574ef700e8dfde173e4ba275355c77f

SHA256
f178ad13cda4400e6050613becfeb09da3e8db1676e66240dfe4be235c3d773c

SHA512
e1a4aec41082c66e1cf53d2abca97e702248a9bf3bb98666eabc65216403b0fec382d0add771be5d590d8c310d5a087adee33778d1df6d61247b0d92ebdbce91

Download Submit
C:\Users\Admin\Desktop\UpdateSet.kix

Filesize
389KB

MD5
5ff401aa87e0d17a41f5d58f89c52eff

SHA1
d5210557aa4e0993914f0937fc462f3a1d3839eb

SHA256
5b2461d943d1ffab1d8b99a6d3a0098fecdf0a49fdddd30e68912988251cb5ed

SHA512
93e6434ad0219990303e831a568be4a96ce58f50d2a2ad39c021fda463c2b35981c3cd51fe8fe770f1e525dc62d2ec82efb069f94b4b23e076dd7385b640eaa3

Download Submit
C:\Users\Admin\Downloads\AnyDesk.G4rTDO3G.exe.part

Filesize
4.8MB

MD5
ecae8b9c820ce255108f6050c26c37a1

SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f

SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4

Download Submit
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.0uLOpmM-.zip.part

Filesize
310KB

MD5
3973cb0da65fc881008031ac388046b2

SHA1
24dd6e62125508a6db5d53e087bddd37451ed4b8

SHA256
26ab9df0d662009aaa45693d94057f0b5ebcd83859772a4c082914d1d5b7ae68

SHA512
bc7d0254f23e1328d46b11834856cd72ed4ef54b90adb40540cb1dee359e2e7e977811da4cddff7c7e711b35c234a867fb15c811ad928db78781b67cffcef38d

Download Submit
memory/576-3706-0x0000000000010000-0x0000000000186000-memory.dmp

Filesize
1.5MB

Download
memory/4044-308-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4044-263-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4044-241-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4044-276-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4044-252-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4044-259-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4432-278-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4432-239-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4432-12-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4432-261-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-260-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-253-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-37-0x0000000005AE0000-0x0000000005AFB000-memory.dmp

Filesize
108KB

Download
memory/4524-10-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-273-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-879-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-40-0x0000000005AE0000-0x0000000005AFB000-memory.dmp

Filesize
108KB

Download
memory/4524-264-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-41-0x0000000005AE0000-0x0000000005AFB000-memory.dmp

Filesize
108KB

Download
memory/4524-349-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-238-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-245-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-304-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4524-277-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4528-2213-0x0000022D6E9F0000-0x0000022D6EA12000-memory.dmp

Filesize
136KB

Download
memory/4532-346-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4532-236-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4532-307-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4532-237-0x0000000000CE4000-0x0000000001CD1000-memory.dmp

Filesize
15.9MB

Download
memory/4532-347-0x0000000000CE4000-0x0000000001CD1000-memory.dmp

Filesize
15.9MB

Download
memory/4532-0-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4532-7-0x0000000000CE0000-0x000000000218F000-memory.dmp

Filesize
20.7MB

Download
memory/4532-1-0x0000000000CE4000-0x0000000001CD1000-memory.dmp

Filesize
15.9MB

Download
memory/4644-2320-0x000001BAEE7B0000-0x000001BAEE9BA000-memory.dmp

Filesize
2.0MB

Download
memory/4644-2319-0x000001BAEE420000-0x000001BAEE596000-memory.dmp

Filesize
1.5MB

Download
memory/6924-5186-0x0000000006CB0000-0x0000000006D42000-memory.dmp

Filesize
584KB

Download
memory/6932-3274-0x0000000000450000-0x00000000005C6000-memory.dmp

Filesize
1.5MB

Download
memory/6932-3313-0x0000000006750000-0x0000000006758000-memory.dmp

Filesize
32KB

Download
memory/6932-3365-0x00000000067A0000-0x00000000067AE000-memory.dmp

Filesize
56KB

Download
memory/6932-3364-0x00000000067D0000-0x0000000006808000-memory.dmp

Filesize
224KB

Download
memory/7152-4851-0x0000000004EB0000-0x0000000004ED0000-memory.dmp

Filesize
128KB

Download