df70f699036a080b6e48795b3e940377b4abf8e3869c30c5c102c1dffcef4045

Resubmissions

17-11-2024 21:02

241117-zvfegaxpdv 10

17-11-2024 20:51

241117-znh7saspgr 10

17-11-2024 20:36

241117-zdt7assngr 10

Analysis

max time kernel
496s
max time network
489s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aiosetup-main.zip
Size

46.3MB
MD5

18ee73828f04ecdcc8d686ef26cbf99a
SHA1

3c11e0ba5ee79860ece1743b452bd804d3692379
SHA256

df70f699036a080b6e48795b3e940377b4abf8e3869c30c5c102c1dffcef4045
SHA512

b804e65d85ef00ff0b39dd07f453eec88907c45f1ed0bcf62698548b3f79cde3cb113d7e66ec0d33476880ba68568cbf975a10e74509d9fd3ed238211ca0a70a
SSDEEP

786432:OmnYTFjhvhzajCtC7j3ZSUWIcqkUJpRvxu3kPR7XWudllYPMMvrf29jTrCy10X0M:LyFjhvhzaOtC7jwbGTJpRvxu0PBX5qyK

Score

10^/10

microsoft defense_evasion discovery evasion execution phishing trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
194	5868	powershell.exe
196	4340	powershell.exe
199	5352	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
5896	ILSpy.exe
4284	EXM.exe
1516	EXM.exe
5180	EXM.exe

Loads dropped DLL 64 IoCs

pid	Process
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe
5896	ILSpy.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	DeviceCensus.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5736	powershell.exe
3064	powershell.exe
5488	powershell.exe
5248	powershell.exe
5844	powershell.exe
5556	powershell.exe
1640	powershell.exe
5756	powershell.exe
5176	powershell.exe
5528	powershell.exe
3576	powershell.exe
3304	powershell.exe
2840	powershell.exe
1168	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
150	camo.githubusercontent.com
151	camo.githubusercontent.com
152	camo.githubusercontent.com
140	camo.githubusercontent.com
149	camo.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	DeviceCensus.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3292	sc.exe
4068	sc.exe
5472	sc.exe
4168	sc.exe
3716	sc.exe
2716	sc.exe
5800	sc.exe
2004	sc.exe
5288	sc.exe
1776	sc.exe
2148	sc.exe
4396	sc.exe
5440	sc.exe
5084	sc.exe
2224	sc.exe
5200	sc.exe
5860	sc.exe
3632	sc.exe
416	sc.exe
6024	sc.exe
2140	sc.exe
6068	sc.exe
4804	sc.exe
5604	sc.exe
3616	sc.exe
4152	sc.exe
5608	sc.exe
4688	sc.exe
2812	sc.exe
3744	sc.exe
3748	sc.exe
4012	sc.exe
3120	sc.exe
5020	sc.exe
3332	sc.exe
6020	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateBroker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5372	cmd.exe
2156	PING.EXE
5844	cmd.exe
5548	PING.EXE

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DeviceCensus.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
5984	timeout.exe
2064	timeout.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	DeviceCensus.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5808	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763503750689529"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 62 IoCs

Modify Registry

T1112

pid	Process
4284	reg.exe
4516	reg.exe
5224	reg.exe
2036	reg.exe
5820	reg.exe
5648	reg.exe
5564	reg.exe
2936	reg.exe
4420	reg.exe
2352	reg.exe
5964	reg.exe
956	reg.exe
2780	reg.exe
2960	reg.exe
2932	reg.exe
5104	reg.exe
3008	reg.exe
4072	reg.exe
5804	reg.exe
5796	reg.exe
4868	reg.exe
4456	reg.exe
4800	reg.exe
1092	reg.exe
1496	reg.exe
5628	reg.exe
1372	reg.exe
2456	reg.exe
6076	reg.exe
5356	reg.exe
5464	reg.exe
5568	reg.exe
4020	reg.exe
3180	reg.exe
5596	reg.exe
5528	reg.exe
3748	reg.exe
5612	reg.exe
5372	reg.exe
4876	reg.exe
6116	reg.exe
5676	reg.exe
3896	reg.exe
5344	reg.exe
3536	reg.exe
5604	reg.exe
2716	reg.exe
4684	reg.exe
4688	reg.exe
4612	reg.exe
5672	reg.exe
5176	reg.exe
6100	reg.exe
3052	reg.exe
2940	reg.exe
2136	reg.exe
5888	reg.exe
5736	reg.exe
892	reg.exe
4700	reg.exe
5520	reg.exe
5868	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6048	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2156	PING.EXE
5548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
5680	chrome.exe
5680	chrome.exe
5680	chrome.exe
5680	chrome.exe
5608	powershell_ise.exe
5608	powershell_ise.exe
5608	powershell_ise.exe
5608	powershell_ise.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
4932	WMIC.exe
4932	WMIC.exe
4932	WMIC.exe
4932	WMIC.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
5900	WMIC.exe
5900	WMIC.exe
5900	WMIC.exe
5900	WMIC.exe
5736	powershell.exe
5736	powershell.exe
5736	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
5800	powershell.exe
5800	powershell.exe
5800	powershell.exe
5756	powershell.exe
5756	powershell.exe
5756	powershell.exe
892	WMIC.exe
892	WMIC.exe
892	WMIC.exe
892	WMIC.exe
5488	powershell.exe
5488	powershell.exe
5488	powershell.exe
1776	WMIC.exe
1776	WMIC.exe
1776	WMIC.exe
1776	WMIC.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
1540	WMIC.exe
1540	WMIC.exe
1540	WMIC.exe
1540	WMIC.exe
6128	WMIC.exe
6128	WMIC.exe
6128	WMIC.exe
6128	WMIC.exe
6008	powershell.exe
6008	powershell.exe
6008	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2716	7zFM.exe
Token: 35	2716	7zFM.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2716	7zFM.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5896	ILSpy.exe
4284	EXM.exe
1516	EXM.exe
5180	EXM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1960	3684	chrome.exe	87
PID 3684 wrote to memory of 1960	3684	chrome.exe	87
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 4276	3684	chrome.exe	88
PID 3684 wrote to memory of 1832	3684	chrome.exe	89
PID 3684 wrote to memory of 1832	3684	chrome.exe	89
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90
PID 3684 wrote to memory of 1572	3684	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\aiosetup-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd0919cc40,0x7ffd0919cc4c,0x7ffd0919cc58
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3192,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4740,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4476,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3496,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3860,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4552
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff77a374698,0x7ff77a3746a4,0x7ff77a3746b0
    3⤵
    - Drops file in Windows directory
    PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4772,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5280,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5300,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5520,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5964,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6084,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3468,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=1296,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6472,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5372,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6752,i,5859287467247194620,16794670292905259892,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2136

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4c8
1⤵
PID:4008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5400

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\" -spe -an -ai#7zMap20085:148:7zEvent26166
1⤵
PID:1932

C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.exe
"C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\aiosetup-main\aio.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\aiosetup-main\Aio.bat
1⤵
PID:6056

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd
1⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd" "
1⤵
PID:5080
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:5020
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5244
- C:\Windows\System32\findstr.exe
  findstr /v "$" "HWID_Activation.cmd"
  2⤵
  PID:1508
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:3716
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:2872
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4424
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
  2⤵
  PID:2232
- C:\Windows\System32\find.exe
  find /i "ARM64"
  2⤵
  PID:4596
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:3220
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:5476
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:3180
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd" "
  2⤵
  PID:5536
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5504
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:5468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5556
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:5492
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:5236
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5372
- - C:\Windows\System32\PING.EXE
    ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2156
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
  2⤵
  PID:2840
- C:\Windows\System32\find.exe
  find "127.69"
  2⤵
  PID:4516
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
  2⤵
  PID:2148
- C:\Windows\System32\find.exe
  find "127.69.2.8"
  2⤵
  PID:1108
- C:\Windows\System32\mode.com
  mode 110, 34
  2⤵
  PID:4104
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
  2⤵
  PID:1468
- C:\Windows\System32\find.exe
  find /i "AutoPico"
  2⤵
  PID:4208
- C:\Windows\System32\find.exe
  find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:4456
- C:\Windows\System32\find.exe
  find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:1540
- C:\Windows\System32\find.exe
  find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:5048
- C:\Windows\System32\find.exe
  find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:848
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:5860
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
  2⤵
  PID:5596
- C:\Windows\System32\findstr.exe
  findstr "577 225"
  2⤵
  PID:4752
- C:\Windows\System32\cmd.exe
  cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
  2⤵
  PID:5132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4932
- C:\Windows\System32\find.exe
  find /i "computersystem"
  2⤵
  PID:4800
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
  2⤵
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
  2⤵
  PID:6128
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
    3⤵
    PID:1496
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
  2⤵
  PID:6096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5736
- C:\Windows\System32\find.exe
  find /i "Subscription_is_activated"
  2⤵
  PID:5912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
  2⤵
  PID:6072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
  2⤵
  PID:4952
- C:\Windows\System32\find.exe
  find /i "Windows"
  2⤵
  PID:4848
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5756
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:892
- C:\Windows\System32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:5476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
  2⤵
  PID:3664
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:4688
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:5848
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5844
- - C:\Windows\System32\PING.EXE
    ping -n 1 l.root-servers.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5548
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
  2⤵
  PID:872
- C:\Windows\System32\find.exe
  find /i "AutoPico"
  2⤵
  PID:2632
- C:\Windows\System32\find.exe
  find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:5160
- C:\Windows\System32\find.exe
  find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:5836
- C:\Windows\System32\find.exe
  find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:3544
- C:\Windows\System32\find.exe
  find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
  2⤵
  PID:5512
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:4168
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
  2⤵
  PID:5320
- C:\Windows\System32\findstr.exe
  findstr "577 225"
  2⤵
  PID:5324
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\System32\sc.exe
  sc start ClipSVC
  2⤵
  - Launches sc.exe
  PID:5288
- C:\Windows\System32\sc.exe
  sc query ClipSVC
  2⤵
  - Launches sc.exe
  PID:1776
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
  2⤵
  - Modifies registry key
  PID:4284
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
  2⤵
  - Modifies registry key
  PID:5820
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
  2⤵
  - Modifies registry key
  PID:3536
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
  2⤵
  - Modifies registry key
  PID:4700
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
  2⤵
  - Modifies registry key
  PID:5372
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
  2⤵
  - Modifies registry key
  PID:2780
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
  2⤵
  - Modifies registry key
  PID:4516
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
  2⤵
  - Modifies registry key
  PID:5464
- C:\Windows\System32\sc.exe
  sc start wlidsvc
  2⤵
  - Launches sc.exe
  PID:2148
- C:\Windows\System32\sc.exe
  sc query wlidsvc
  2⤵
  - Launches sc.exe
  PID:3632
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
  2⤵
  - Modifies registry key
  PID:2352
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
  2⤵
  - Modifies registry key
  PID:3008
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
  2⤵
  - Modifies registry key
  PID:4868
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
  2⤵
  - Modifies registry key
  PID:5520
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
  2⤵
  - Modifies registry key
  PID:5568
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
  2⤵
  - Modifies registry key
  PID:5596
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
  2⤵
  - Modifies registry key
  PID:4456
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
  2⤵
  - Modifies registry key
  PID:5648
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:3332
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:4152
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
  2⤵
  - Modifies registry key
  PID:4800
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
  2⤵
  - Modifies registry key
  PID:5868
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
  2⤵
  - Modifies registry key
  PID:4072
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
  2⤵
  - Modifies registry key
  PID:5796
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
  2⤵
  - Modifies registry key
  PID:5964
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
  2⤵
  - Modifies registry key
  PID:5804
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
  2⤵
  - Modifies registry key
  PID:6100
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
  2⤵
  - Modifies registry key
  PID:5676
- C:\Windows\System32\sc.exe
  sc start KeyIso
  2⤵
  - Launches sc.exe
  PID:4396
- C:\Windows\System32\sc.exe
  sc query KeyIso
  2⤵
  - Launches sc.exe
  PID:6020
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
  2⤵
  - Modifies registry key
  PID:1496
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
  2⤵
  - Modifies registry key
  PID:3896
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
  2⤵
  - Modifies registry key
  PID:5564
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
  2⤵
  - Modifies registry key
  PID:2136
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
  2⤵
  - Modifies registry key
  PID:5628
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
  2⤵
  - Modifies registry key
  PID:2960
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
  2⤵
  - Modifies registry key
  PID:1372
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
  2⤵
  - Modifies registry key
  PID:5888
- C:\Windows\System32\sc.exe
  sc start LicenseManager
  2⤵
  - Launches sc.exe
  PID:5608
- C:\Windows\System32\sc.exe
  sc query LicenseManager
  2⤵
  - Launches sc.exe
  PID:6024
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
  2⤵
  - Modifies registry key
  PID:2456
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
  2⤵
  - Modifies registry key
  PID:4612
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
  2⤵
  - Modifies registry key
  PID:5672
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
  2⤵
  - Modifies registry key
  PID:5176
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
  2⤵
  - Modifies registry key
  PID:5104
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
  2⤵
  - Modifies registry key
  PID:956
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
  2⤵
  - Modifies registry key
  PID:2932
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
  2⤵
  - Modifies registry key
  PID:4876
- C:\Windows\System32\sc.exe
  sc start Winmgmt
  2⤵
  - Launches sc.exe
  PID:4012
- C:\Windows\System32\sc.exe
  sc query Winmgmt
  2⤵
  - Launches sc.exe
  PID:2140
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
  2⤵
  - Modifies registry key
  PID:6076
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
  2⤵
  - Modifies registry key
  PID:5528
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
  2⤵
  - Modifies registry key
  PID:2936
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
  2⤵
  - Modifies registry key
  PID:4020
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
  2⤵
  - Modifies registry key
  PID:3052
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
  2⤵
  - Modifies registry key
  PID:5356
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
  2⤵
  - Modifies registry key
  PID:2036
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
  2⤵
  - Modifies registry key
  PID:5736
- C:\Windows\System32\sc.exe
  sc start ClipSVC
  2⤵
  - Launches sc.exe
  PID:6068
- C:\Windows\System32\sc.exe
  sc start wlidsvc
  2⤵
  - Launches sc.exe
  PID:416
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:4804
- C:\Windows\System32\sc.exe
  sc start KeyIso
  2⤵
  - Launches sc.exe
  PID:3716
- C:\Windows\System32\sc.exe
  sc start LicenseManager
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\System32\sc.exe
  sc start Winmgmt
  2⤵
  - Launches sc.exe
  PID:3744
- C:\Windows\System32\sc.exe
  sc query ClipSVC
  2⤵
  - Launches sc.exe
  PID:5084
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5448
- C:\Windows\System32\sc.exe
  sc start ClipSVC
  2⤵
  - Launches sc.exe
  PID:2224
- C:\Windows\System32\sc.exe
  sc query wlidsvc
  2⤵
  - Launches sc.exe
  PID:3292
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5456
- C:\Windows\System32\sc.exe
  sc start wlidsvc
  2⤵
  - Launches sc.exe
  PID:5440
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:3120
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4164
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:4068
- C:\Windows\System32\sc.exe
  sc query KeyIso
  2⤵
  - Launches sc.exe
  PID:5200
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4788
- C:\Windows\System32\sc.exe
  sc start KeyIso
  2⤵
  - Launches sc.exe
  PID:3748
- C:\Windows\System32\sc.exe
  sc query LicenseManager
  2⤵
  - Launches sc.exe
  PID:5800
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4928
- C:\Windows\System32\sc.exe
  sc start LicenseManager
  2⤵
  - Launches sc.exe
  PID:5604
- C:\Windows\System32\sc.exe
  sc query Winmgmt
  2⤵
  - Launches sc.exe
  PID:5472
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5476
- C:\Windows\System32\sc.exe
  sc start Winmgmt
  2⤵
  - Launches sc.exe
  PID:4688
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
  2⤵
  PID:2732
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
    3⤵
    PID:5848
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
  2⤵
  PID:3528
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
  2⤵
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\aiosetup-main\HWID_Activation.cmd') -split ':wpatest\:.*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5488
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "14" "
  2⤵
  PID:2556
- C:\Windows\System32\find.exe
  find /i "Error Found"
  2⤵
  PID:2812
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
  2⤵
  PID:5308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 0
  2⤵
  PID:1668
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Windows\System32\find.exe
  find /i "computersystem"
  2⤵
  PID:4024
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
  2⤵
  PID:1704
- C:\Windows\System32\findstr.exe
  findstr /i "0x800410 0x800440 0x80131501"
  2⤵
  PID:5600
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
  2⤵
  PID:5740
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
  2⤵
  PID:6132
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
  2⤵
  PID:5768
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
  2⤵
  PID:6044
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:2300
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
  2⤵
  PID:2560
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
  2⤵
  PID:5908
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
    3⤵
    PID:6108
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
  2⤵
  PID:5808
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
  2⤵
  PID:4508
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
    3⤵
    PID:4792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
  2⤵
  PID:6112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6128
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
  2⤵
  PID:5616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6008
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "
  2⤵
  PID:4612
- C:\Windows\System32\find.exe
  find /i "Ready"
  2⤵
  PID:5912
- C:\Windows\System32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
  2⤵
  PID:5176
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
  2⤵
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
  2⤵
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
  2⤵
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5248
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
  2⤵
  PID:4332
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
  2⤵
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
  2⤵
  PID:4684
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
  2⤵
  PID:892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
    3⤵
    PID:5504
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
  2⤵
  PID:2204
- C:\Windows\System32\find.exe
  find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
  2⤵
  PID:4720
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
  2⤵
  PID:1292
- C:\Windows\System32\find.exe
  find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
  2⤵
  PID:3528
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
  2⤵
  PID:5316
- C:\Windows\System32\find.exe
  find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
  2⤵
  PID:2276
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
  2⤵
  PID:5552
- C:\Windows\System32\find.exe
  find /i "ed655016-a9e8-4434-95d9-4345352c2552"
  2⤵
  PID:872
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
  2⤵
  PID:5228
- C:\Windows\System32\find.exe
  find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
  2⤵
  PID:5068
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"
  2⤵
  PID:1304
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 0
  2⤵
  PID:2556
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
  2⤵
  PID:5548
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
  2⤵
  PID:5384
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Control Panel\International\Geo" /v Name
    3⤵
    PID:2840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
  2⤵
  PID:2156
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Control Panel\International\Geo" /v Nation
    3⤵
    PID:188
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
  2⤵
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
    3⤵
    PID:4868
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "
  2⤵
  PID:4480
- C:\Windows\System32\find.exe
  find "AAAA"
  2⤵
  PID:5708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
  2⤵
  PID:6128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5176
- C:\Windows\System32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:5984
- C:\Windows\System32\ClipUp.exe
  clipup -v -o
  2⤵
  PID:4320
- - C:\Windows\System32\clipup.exe
    clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem3550.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:5316
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
  2⤵
  PID:5068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5844
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
  2⤵
  PID:5264
- C:\Windows\System32\find.exe
  find /i "Windows"
  2⤵
  PID:2148
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
  2⤵
  PID:6132
- C:\Windows\System32\cmd.exe
  cmd /c exit /b -1073740956
  2⤵
  PID:5596
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
  2⤵
  PID:4752
- C:\Windows\System32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:5832
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
  2⤵
  PID:5860
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
  2⤵
  PID:6092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"
  2⤵
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"
  2⤵
  PID:5456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"
  2⤵
  PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3304
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
  2⤵
  PID:5852
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
  2⤵
  PID:5324
- C:\Windows\System32\cmd.exe
  cmd /c exit /b -1073740956
  2⤵
  PID:4284
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
  2⤵
  PID:5296
- C:\Windows\System32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:5780
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:5808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
  2⤵
  - Blocklisted process makes network request
  PID:5868
- C:\Windows\System32\findstr.exe
  findstr /i "PurchaseFD DeviceAddResponse"
  2⤵
  PID:6016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
  2⤵
  - Blocklisted process makes network request
  PID:4340
- C:\Windows\System32\findstr.exe
  findstr /i "PurchaseFD DeviceAddResponse"
  2⤵
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"
  2⤵
  - Blocklisted process makes network request
  PID:5352
- C:\Windows\System32\find.exe
  find /i "traceId"
  2⤵
  PID:464
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess
  2⤵
  PID:5252
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:5484
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations
  2⤵
  PID:2124
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:2456
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
  2⤵
  PID:648
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:3292
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
  2⤵
  - Modifies registry key
  PID:1092
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
  2⤵
  - Modifies registry key
  PID:892
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
  2⤵
  - Modifies registry key
  PID:6116
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
  2⤵
  - Modifies registry key
  PID:3748
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
  2⤵
  - Modifies registry key
  PID:5604
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
  2⤵
  - Modifies registry key
  PID:4420
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
  2⤵
  - Modifies registry key
  PID:2716
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
  2⤵
  - Modifies registry key
  PID:5224
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType
  2⤵
  - Modifies registry key
  PID:3180
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges
  2⤵
  - Modifies registry key
  PID:5344
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions
  2⤵
  - Modifies registry key
  PID:5612
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
  2⤵
  - Modifies registry key
  PID:2940
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
  2⤵
  - Modifies registry key
  PID:4684
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo
  2⤵
  - Modifies registry key
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"
  2⤵
  PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2840
- C:\Windows\System32\sc.exe
  sc query wuauserv
  2⤵
  - Launches sc.exe
  PID:2004
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:1168
- C:\Windows\System32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2064

C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:1776

C:\Windows\system32\usoclient.exe
"C:\Windows\system32\usoclient.exe" StartScan
1⤵
PID:1112

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:1168
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem2C09.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:4164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3984

C:\Users\Admin\Downloads\aiosetup-main\EXM.exe
"C:\Users\Admin\Downloads\aiosetup-main\EXM.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\aiosetup-main\Aio.bat
1⤵
PID:5900

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AioSetup.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:6048

C:\Users\Admin\Downloads\aiosetup-main\EXM.exe
"C:\Users\Admin\Downloads\aiosetup-main\EXM.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ADB.tmp\ADC.tmp\ADD.bat C:\Users\Admin\Downloads\aiosetup-main\EXM.exe"
  2⤵
  PID:3904
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:5468
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1168
- - C:\Windows\system32\reg.exe
    Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:6104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
    3⤵
    PID:5920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_UserAccount where name="Admin" get sid
      4⤵
      PID:5748
  - - C:\Windows\system32\findstr.exe
      findstr "S-"
      4⤵
      PID:5596
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2232
- - C:\Windows\system32\mode.com
    mode con: cols=160 lines=60
    3⤵
    PID:6020

C:\Users\Admin\Downloads\aiosetup-main\EXM.exe
"C:\Users\Admin\Downloads\aiosetup-main\EXM.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
997c02c58d08084dc3add213a1423bea

SHA1
bdebad616f5973c24bee81f28ff3d7977f6df586

SHA256
fac11bfc9d31501b72fb52424cb32d99aa57087f6ff8bf077edcf308e3948215

SHA512
291101ad29d84d4f51eed691454ba65d7b2df1b2a07e28bea7a48ccd3433675fa0c10cfab06aae9ec2bccfdbcaf3749deb30e6a1a9f4dce902e6a0c450cf5f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
782ddcde4ffe8a5c0d57b316ec294663

SHA1
65caaf467de4b53a3e83c147adc4a45ee3c77677

SHA256
8c10ae37a65a8e0b7226a12a57b92aa01f19f4e23f1cc18b66713c0ab33c0696

SHA512
561ce1018bd32a40202314a81ed7025655d3b966fb5c74e75f75db3056de67854e2142f4bbaaccaf3ea65c529124a81983c896e70d71a08fe68dc1bab41d63c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6f7cca5ce4d725bd1dd27bfb31d8c911

SHA1
f868f921f017195539d5c1a11afdd2da19072449

SHA256
7d5d9bcfb877c652076079bf0560c6e466d31c87e21e43498fc4e8c4a0e410b7

SHA512
e1a8e713c31b63c4765e71e70f0419b8a01ab5476cd0b417d0dc9d644daf64e39d93dae091bc6e5842d3400ea76d2b7ed404fc43bd9a789c2343138ece7c7b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3274f095c0c6e91b8959a094ee1854eb

SHA1
d988ac0efa5d8a4eaadc5e7da7b71b479b19acc9

SHA256
fca0730ae17b335084bc1b09538020e89e25e68a2fd624cd5c3e5474e0de0f10

SHA512
cc92330bbc313599abbb47cc24ae9a252c7925bac67be0a84b7a35a5a1be33c89401d87869340d78b060fce37c3d285ccfc75617c879559af5c9d9b2c9e4109e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
3e56ea7bd885fed76a11b28922e11493

SHA1
64a5ee6ecaf3c4b3280bb270f24e1d5ba3608689

SHA256
6de784db98a1d64a3c6a8db895662f568f5ed6ec4737a3dbaed79acae81a78bf

SHA512
166ba232c497a8c97cc35e9b943b7c7cd69cbe54f26d34fb204526df0b2c4275aa64ca833e967bbee38c76820306bb795ada5616c0672139c045b964f5608474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
a8b5020620cc18399035d425e9afff73

SHA1
d2791496aabf2cf67ee712f0d8406f9485f0211f

SHA256
5346eb73d86352d341b5b523a58304eebc23220b72169138647e6e67cab9043f

SHA512
109a4b25024bcb2d2205ccefa5b9fdaafb5ca70d77947fcc8983e34d1cf6a6f4e72882a14f5393637ade5d6eedd2b5aa94eeb4a3ec4647f1149c8c9dad544bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
a9bb40426ec31759140dc019c9212ee5

SHA1
c4ba95de7bcd30940ef9adf56cc2468e398767ee

SHA256
eb1785686867b6871fb3510c76454fafc38b7f4d145db45498c8dbc8e22e1325

SHA512
5154ff2ffcfd6b71488db0ccc0f73d615d8b22610c19c8e53c61870e6d3355b34ac273f6c7ac6cc8aa2e1a805ac13077115d44e6ea5748f26e9ac3f97a36802b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1014B

MD5
6edc69064174313b3f0dbc5ca76cc77c

SHA1
bb9d318a1c291e46c73d134ff5e22bb528ddbc39

SHA256
d1d1a4c237a4149bfcf40999d074d956ff090eff4818c855ef89a52af2dd3b76

SHA512
4b33caf55b1a58170a5621ab35dfcf73a7e99ef42f4dceba4d22d2ed418dc64ca5957ea1e5d9fb5bd5273a60532a0df4998433a504079d84c3373296c9a6d2cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
350B

MD5
ae8b84bc120cafec0c2dec376e247981

SHA1
67740c0f712ac86829ffcf853613060d56df85d3

SHA256
df9d0c4aa75417b89ba4890f7593b0f7ae401c74923026877e5dade138760c14

SHA512
30d297eaf592fbec365f29a703e38859c476c622f51b4466ee1a4896300dc5c7ef88f1594756f3a6450d16ef9a92133e5e5a38ebd3979a6685c6cc4f1ab77b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c9fafa1513b87e6c916249b3084733c2

SHA1
be7841612c5eb940ac7c277f1f19878d49f708a5

SHA256
392d6528b9f95ffb672fa8f244def68aa7f23963c83202ffdb64d9e08517f3eb

SHA512
639de7cafd607580c4aec49db39a57b91cf924dfabb4f0e6fbb99b66adb2f1d14325e89344d878160ee27549e7e2ffe5357738af59c9a31a2e4e0fa7287d0951

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c86b5b6d51c91c1b80d8e51bbe79aaa3

SHA1
00cbe62d682ece6f46342088b48ebeb02debdacc

SHA256
71eb97ea8740ea3f713739484883b7f2858f018707691e82e31a798355e3fe20

SHA512
b9ab64034f5e75a933fa2d3d77dab37fa1433067e84c30852df4c0cef462cd3eebd2ba8d19deaf5c3f1def6a0a5926daf010815173b61120ce51c8e387246d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96cbafc9914b6932de9545e46a0dd3a2

SHA1
93c76d857b6a9f976efc2efabc3c44dd5b950b3c

SHA256
919c748666800023732d23b6eb48a0fda79fb47ee9ecab46ce9d59e9c44c366d

SHA512
adefb3190a0562783855f08ccd925635f0e80f39ee5607b1c9f42bec35893f3ab72b60a9f25b55079fe70b75daf6a01b94b52d5387015b52b6062c82aac49891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b9a1c685-ab72-4b15-8437-1e0cafec61d4.tmp

Filesize
2KB

MD5
b887fecbba4acade8ae668db11d16f82

SHA1
4378bbcc3730b5ab18600153f16fbdcc6337cf30

SHA256
792b5d5fedfff583b54311a4c69d333bca1058ab39044b84da2227f15599cc12

SHA512
09efe0b8d5641b4f50e3f2e2fd34a370158229e0b3622f21d0b0a46a964afa51831bb6c068f51e451e05f104c5354400fafe2991461cfbdf6993ce2eb5250ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ce8c69f1b023c3f44fb181630b3f5f7e

SHA1
f3a004826bcd0e753ecc4d5ba0ba75d392f5f7cf

SHA256
457ad046e863ff441ff67072729040c278208de21e02226755344a62349dd908

SHA512
c16c53084333ebf195d1f5bd9f0022cb9b00c2160ca237901206346cbed0109b4f712543b8a0b4f280946fa5e39a5ab350fdec9b0a3779d02b5c460d1f673cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b088b1d4c5f75998fc54883560ee7d7

SHA1
a7d4053ca36ae27d6f33a2e1eddcf86fd92679a8

SHA256
a562a0834358f8a9b15584e75a59497b412cd7340ef90546b5c0c62b191c4b48

SHA512
bf9be48bf1d2808488724d5fdcbb497fdca88061e500d76aef548a4c72c67c45416b0f3e2a6e4005558f885ae6d75ab15a209c02323d570e8db30609babbb5a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
70909b6512d76bd92ccc46ca96dac904

SHA1
636ddb5cd478caf994664db0649a7b71fb5dfe09

SHA256
b816f6ce5d37fd45f9a799bb5c093af7c4efbea9de16628fb76e22b32fa879a7

SHA512
7d85981c273a50c61cb88ba86a5245fdeb43aae28aa17a6b660dd29adfe0987a887ed8ab1cbe6644e66a3d3ba974fe1c0052c2288af98974dd0231b6af0dc8da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a9239a01e2cd8f521e9a4cc2b8db2a3

SHA1
f2bad68dcc8486ba30101f6c86eef97194c01ec0

SHA256
a8739c72ec1d80a76c33ed04e7618b958d7dc588033ac21516e3031687a9fd5c

SHA512
c1f5042553814f6f96f00827f70f4fc0735a19a5427b1126a7f580d2bf4ad7573ba8afd9863c3c53e04c4abbbf9d6f9ac1be2a3e3c51e1bcac899e9f479cb1b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
390a0b0401854a745739e7fa02b72616

SHA1
0eeb47c5d95fec0401b1c8cb1cc6f63eecef1df1

SHA256
8c809a75d6b1e71c542649963bcde6178d050dee46a8716e98362f0080066211

SHA512
28dce1a13cbdb7d5cf54762f25114912d7fbced8634082c09073c55dcf3393de063a98033a1367a2d126076fd64d4cf01db47153ab3a4b87f219194f2e0a3454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
93715753af1b5b5ab650eeca58f76a69

SHA1
6cbcaff93a8b82f09ef00fd4a159532c8d0bb1ae

SHA256
899c582c2a66de2c8d3069f20d0463df86402bce279ec89d3288ac16b9a714b1

SHA512
e2faa6b611e4ee1c311359aa0383188aa17eb4f35ae34c87b11de269f0de92a06fa1ee62f562bf14dc57a2d004f73ebb8e7afd7a2dac55818697dacd3315ab43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2be0554c45bec965e2e5b75c6af9ad9d

SHA1
86b2dd5895ad27191754b95fa2f9bd84f065b8c0

SHA256
8789795e1c6c5df3bf0c17025a40dc2a4b10721ad4db859e1c54e93889a76999

SHA512
afdafeb78a7df251600d2e440318f30a4a7eb9e4379c12a56fd209beb978ecac8b4d4ea505b73b1fd504f790c9c9b1b49ea803174dc2aba0f1eaa8a1a5915dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b4d3210e13172d4a6f134331b535a31a

SHA1
20bcb9040469d847ccd9d672d0a0986d71b740fc

SHA256
88612a79e2072e3fb937803f873798b134947b020a97e8defc845bed11438bf1

SHA512
1678e84e945e031b8ce6c424cc893f55da4bf897e49f8d99925113f87aaeffa58776d1d8dbadbce2f067d03fc9a7c75d431a4fa6dd3b09164adf5ba30c73ad09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a45675f84abebc487b0ee6ed9c5ff89

SHA1
fc38aeb3961e335e870a47db092df4675aa9d622

SHA256
c6b62fa0a6885b7359d520ec297a71d9c481bd64569062af4bf54a1ff4aabea3

SHA512
02c111b0e6baf810c1157b1153e972dfc580b001835dccb3c3cc10367e311306b0b5afcbe2f982c58481be10e189c50aff83caa4c1e5a698341d304689df794d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c2c73d110122b1301e3d3d47b21cbe9a

SHA1
1f1b3e2554f74227095ae56b767be08a8d3f539c

SHA256
d3cdb8eda8acc0c0bd6f48c1742f82b2211ebe7cb19fda5ca2fc8fff9948ae56

SHA512
667da0aff1fd5afc99c591f2c0cfad6f026c48ad070a4de18702a89f0e30dea72bdf9d9fd36467936bc97584f128c9c29fd016a133277ec45bbe04d30af33210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
069b014654f7ce5b8105abf8597a3a1b

SHA1
c41f3b789daae3391d936f3aff257a2143572769

SHA256
ff20d676dc3caf410aa69f4af6352d2f7f2578753827310ee869b77d7bc271e9

SHA512
2e49bd7358392e9702b7eca00cfa5b9b4343883bb9953106c2d7790aa8bbbe43300c1ae69acf03df44b025a5c323d24eb319c1bad09fe24065211b0f1d4629d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3b363b510a29a3175cb6c3692f1e1523

SHA1
44e951561a50f206e01ba27df0ca3f3c16a05f82

SHA256
d9ab0d70eff10b7f36f16428d02a6c0906892bf277449aab57f9311364e21d07

SHA512
36e94de07954faa6e63223a92da76355e47025a599dba0d97013fa828013f34627570c65b67b589f7fd70a6bf983675b2f9d4d9d5f57c323cabf231f562b6871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
536cf58260ca03c5aece5fd7e2433071

SHA1
c565305d365470e8a466700beb66938be5ecd702

SHA256
3903593625dfa31fdedf960e3a62cfe7848540514fcdf3bb1da4afa1f746e9c8

SHA512
dcb0a72437e9026310b09924b1ce68bdf44049bbcd5d77d945110e220c59e5833e466550b6a373e1a0178b6bf23b56437cd1d5d94f879e5bd952c54296d35d92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a1085ac4a7bb3dd0c6d723b68aedc991

SHA1
d377eeb126d6831f53517c8b601d9c6d5d8790c9

SHA256
44236205b2ee5dc130ac85e56af842ff424cb9b85df5477bfaadfc5a185252bc

SHA512
244bc3d56f84fa5464a74e084c3fe2e3c166afe9c2255783b3aa44d80d2b6a22ea697f0af9d4a40088895d98b1b89d755ead053fe0c7ba0d8f435a9b69808412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6bd08684d352c5fd4a3d9f34eb92648c

SHA1
72ca52a0331f408a2b4f56400cac7c24647838f0

SHA256
c2a9fec28815f773f5c4b01e851ae84f3451615d345b594011f63c063c8ab862

SHA512
029b4dd78f146d3603a3adbe48b895f77c22c66dcb3ccd8f11bcd5bf368269223eb0a303e58d76265fcff6ca529049218752c7ccf27e3d23ea428c64fc2bff60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e95e5f2b6ba7006f05e754de42bd2944

SHA1
facc0390e19a072892dc8695790d8440cc8bb3f9

SHA256
ed2a02ae60ab80b1e571a40168400ae50f856c18cf61730e88a474d20b5b3b6f

SHA512
41a328082ba29c04b736f40c84aed5b8b0ef51046e3136e788a094f4bcb13b59c3d106b9e9c7f2d6d09b7f39a1ddc497ce8193d9355a5f30acdfa0b1351ddd7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
768f07c8ee43c7dd2be5caedc15a64ac

SHA1
f76b228ad9f8f3ad14618dc58da7792d512613f4

SHA256
4068aaecc9b1b0bac0b20d11e0957011f9550191f71a57344c274c5b502a7381

SHA512
434423f7d926d22540edefd7f03b0829aadcdaaf7c1f6a7223e836bb10177f1d318aacb79d0bcd824701e9e178effeba63a792f3f954b49d5e441d748e8d2885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d8a79db6d8c3d2db9805c647f19f8ca

SHA1
c5438932fc2c31f732aa48b047da4e3d8fc17875

SHA256
242d416cb0c0734a21959827af1e44d6d99da5f62cbd9467bc563726cdebdf83

SHA512
dd47dd4dca051d53e16ac076c19651843a5980cb14d3a6eb1511535c6e7f5581c1b789ccfe724b1daf4cc6a01a436a5cf02d59c278a347042c729ec406175cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b7e78888bd4f12da8806ba1b439ac719

SHA1
d8e251250574538b585b80d17926d67774fb794c

SHA256
a00d7594cd04566f6d7ac501867da17ccc924882c143bf791b3ce0265f9081f0

SHA512
466d5d74786dcd764df226e31609f45ccf6cd9478001aa1a5cdedd40cbc2ba79fd1190c9e49d954b82ae8ee75e3ae1075ce5ce60d89f218db170a9e9392ef04b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9d7af76139b0e93ee0c69e2a843df8a1

SHA1
709c358221f96ac6dabb189b4c42dde70e127322

SHA256
64f4b3c1a17509599e2097873d0f021fba2ca8c40b9517c4e4bd5d356fcb301d

SHA512
996a390520c501fc7a63cd5a08fea8b7d3e3fbfeca9a7451cea4ab388ff35e92b07d08290ff7e9173a14d3fa42dd572530d73db083af5e0171402473e30258f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
64ea315eb41dbe26c8b7a2635fa24f7c

SHA1
9593e04f7d90113f605802f358cf0d58a911ffa0

SHA256
012e59c3406d7b854d9f0d81bc9bdcafab59a5672c5925884a181b7f1f00f715

SHA512
f7171eebee118d18c35ba8f9d2a46976750267396ddcd7c674e8dfba74c78d154cd2e636a312396d742584831f61102dce891227555cad748d4a0d4e6ea39bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
622c9f0daed47a25bdf68c3baf68c17d

SHA1
685ac66f7041a3ec098dd3fb2b29f76ae65524d8

SHA256
f31d7b8d690652935cdc849277084afc76f084b449c7d488ca8d68d3aaacd8f3

SHA512
7ee95a7a3634dbbd91beaf37341c9d2058962e2b8af86702e361938aff6c586c474e2de8646b08f86d99ce31711f4326cffa5fb7af9ebd6e66a105340a34149c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d6717aa3e85e0f7b5bc6791f23473007

SHA1
3f06702f6b19cf6b717ac9ade7d430a0b839ac9d

SHA256
cd616f496fe914c504b975a3d9cb7a3bbb495492643c57e49e04df20d263fef2

SHA512
fc874668b30b17d74bd210f1276104f69c90f345d23bc30cbf8b0af3f6a6da1f9f7b8d1463ea22eb0911c8d4736c46993d4a7e58788de110ed16e84b215b31a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9238a174ec7db58213ae644fcb9025ed

SHA1
29b68c9146c5e2450bb0b9899343da1e3c5fda00

SHA256
2a6a9517a90d95412aa0a102e3914947858ef0cdb778b355ce4ea63c9db24b49

SHA512
e75ddce170c97bc0b9cb2a71d731b3dcbca32b550ea14eaf6ef2e7823d1e3974feedf1eeaedf548e4b1519a195302c6064d93281e41a646f4b40d6a8ae0cff3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8167cabed78bc40fffe3c22b7e9ac056

SHA1
32641c8a9cfa596d3cf7c019f5689550e5e77b84

SHA256
ad3b39d9eb9fd0258c395046ea09aaf039ea1dd1d57e136be751e285191589a7

SHA512
bb88e8d930db8c440914cb9ba96bfc341b3f8c43602163842e5559c2083025c3609010155aea1cddba6a4984957d37bc5e6eefa7ceaa9755ee82d64ed978ea57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3448aed3345ffb9dd3f39af38e576af5

SHA1
9b8c286fd9db6a8f5252eb3277dd92a69dd08229

SHA256
1d15f02c32e01a6f86ccf2ae418414fb7561b05c83110c0a519a2daad3450b6e

SHA512
c1dd8de5a267a17ded384ca3486594799df444a985f1f88a1df76ef48858c9fc44ce7ca5194dae776151fb755205a412432934056355e57987ca10b3f3c1a0cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c2edde8c55ba3ff4b6736c36aa388c4f

SHA1
be4549b6867047a075408568e62ce05b9baba329

SHA256
4faefb5b703a41bacf8b2059f72e12ac70de9b3c8616124b763fef3606c59cbc

SHA512
d25c8b7777a9be0e03b75cfb80c8a59d86e65e23549362e7f06c7b1e583879d74a5614348fa30ff3e7d49f53fa088b123d0263490c6e94553b1d0149522cd57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
60d74863863ec2a2c7eac14bef27e0d7

SHA1
3f8eb3daacdda547f2c90528dd617b128886c835

SHA256
6e3c671c2bb2f0f4f2b76e214b739aecb138d7caeb7f3798496599c7649efcc5

SHA512
b0c4e05832d6e84f2d7a8daac11bbe3908e8d64178f8a87bf753977732775b43df099d9d1e64e427f21dfa2f95429c75e548c283a7f380a6e33a5e18ccd636b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
268dda7d2395db5ead6658907d8e37ee

SHA1
05950aef358f908b2d6d3d7c31bec837e7b34332

SHA256
6704c5fc3ee57740640cf27b9f72710e52c8c532974f4ccc6e816d6e58b32115

SHA512
a583f0b57af08ccde98b9d4d829da98db50be92bced0c79a55895fc0407c213afc451ccc58e88951437b78deb47961b0da40cb48e1dcb03e8757238c9600132a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d7c8e3db7ea1279fca79bc775bfdbde7

SHA1
f7abe1c9993a7cef0f211c817f5e454a9b4a274b

SHA256
d325ba9f8df9f9359d333cf1315a796578950583c006c0ff381ed1ad58ce866a

SHA512
eb69ce3ed0c5762174b703990462cc5ed9be093a77c79f4751e64b9ad96070b99521381516115beaae928320f277cdf3eedcc8189aa715c2f9aece1a6c91f30b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
24bdd2defea3ab7d24850e900d8f0769

SHA1
d2917f347c21120497697ed6b35172fcf515694c

SHA256
b4ce5a2943827f62dd106f327d34ed6535f62d7f0260fa4b2dee9fc0be4eab6c

SHA512
d545bee706e78fed0be31765c67cbedfb737c69f4bbee5589738b1cda23d5129786c971a041e36a7ef6572e38af124f7e1583f1a83167797d6dcf23ac336e4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
71e2cb0e367e24eb4e845f76fbcebe65

SHA1
60cfff9c20db2aaf63643c955c4e3d757914988d

SHA256
c1379cb7c90866987b02f09f16fe0685347865e8946d549252eccf9dfae89c94

SHA512
d7b0448c9ba9a96f15227d708fd74355f7e47a1d587d320fbac2029e05dbe58eb7a613d6e419353318e2243866b70ed4d5a1dc9c49df7cb258339d5be7119d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
97648f5ef4583bcedeb3c6eadb909bba

SHA1
0bc73567dfa82bb76313e34133592691683f5e1f

SHA256
c267e65976127e9cd439e9a5d70bc92b99676c26bd190f02b31d494a6831b7aa

SHA512
98bf39e54d05bea77d2239097033cec836bd89883f432dac36d5265d33efab1eae5df2010bcd50cbf5a61126cfc3eba791fea37611f0016372459e00643b8fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2cee6c01b5b6c585f7c4f5070c95aa9d

SHA1
32fd0ca93d2a45f7f7516f16f7639ea7e6ed2da4

SHA256
a8031e3012c8b271ae602a8b9ec694383e52d68d489fe7887018bdb4df20f56b

SHA512
c3a81d774327cb10d8f3ce5fc8ad6954d7a23bf69f3850ffca474a3d9b3879a60daaab0482399ccbdc77b030f4718199ffea261d4fe707278f61d9c2b751740a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
c05df13dd109c2acb0bc26e29e00f7e6

SHA1
60281440f9b888c448e6196e989a974882d06f67

SHA256
313c35fc7bbf4619ffcd637ab7ff791b73b49af97004205cb4818461cf993b4d

SHA512
4cbda6a1ff785785a260a5a44c28a39b2e3633de426693feaa674cbf50c48f5fa4d60251c5f4e566b9c694d3d006593fb144fd6b83782520300707bf28083e64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
929c23e6fe7b1a9a40ddd7da77d85736

SHA1
59d6e3a023dd645dc2b40b9e0875f7ee6284b3a0

SHA256
c5a13abe24b529fd894a3792b0afe5ddc8ec42c2b5cc1f23938e797051402a94

SHA512
fc7f45218aba43f4e261614a50df3ca8ba737ea75108e6640afd8a99add0060b96fb40c6cf603d4a7d6ac7ba3b96f6beae665b2b7224dcb795f18ea0eedbe60d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
1206e734b97fd226729ace71487cef60

SHA1
92decb4c24502916c757c5d9f566cb3ac755d74b

SHA256
99121a3f2ee696cf70fba1ae53d239fbde9096c1c880e21f14743c957c92f819

SHA512
58265ef1864f7fcc07c966f0d27926012a003bf636e254e021634862fd87aec206ba8534b834df1e5d06f00184a78a24057efc0b8b93f1ef088648a1d3fa02ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
186c0b6ab70f53988b02863a27633257

SHA1
ec865daa7b4371893142dddca2b0309668c49f43

SHA256
b999cdee8e441705c9ad7cd0ecfc609c728a9435534bc84fc9c6166d37142589

SHA512
e8b972769ae8334ed127d6c1a5ec18c3706ee014aadf6e7779c7b3022583202a1b4c2281057eee6487cd111265e77f9be8c7d579522b195aed0c104ead877ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
01007c2cfc013724d1e004653939df99

SHA1
d9f9ec93378fce46436c74357e7d5b6b71bd4ff1

SHA256
1b7c3cd5554ddc825cc8a7533fbf54d5bde6b9d06457c8c2d4d6b87ccbb9a1d5

SHA512
2841c64f083bc4a225bb3c774a20c6a34acb8e813b4d5633512b79d72b14714e44a61fc991238b25d417b115adf6ddc3bf7797dfd63fc9edc41cbd77a3dcce6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcrun3fu.kpk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ICSharpCode\ILSpy.xml

Filesize
5KB

MD5
3ea25b6b5c8b11f4bb2c7d6640d8705b

SHA1
3e12f8e9c4786fb9366c978cb2bbc962f22ad3b0

SHA256
925b54109e57dd3e9de83a68880c8886ed1c94bf5280090ea621d1cdc0f4a131

SHA512
945948bf55600041d504589b91a27b414eaea4d18cb32124636271704c12410cb6328c8409dcb6fdba67e36fdecedac0c68a6693d6a9af2c8f9e7df512d659ec

Download Submit
C:\Users\Admin\AppData\Roaming\ICSharpCode\ILSpy.xml

Filesize
5KB

MD5
f49cd4733a8c8f7ec4e90c2f74050ea8

SHA1
5f7ec75d63d71d447fb431be04f21c234364e439

SHA256
41716c1e4d40d4d7991ee0a98ed60fe80bb42404d473cd0a5f532561fc818425

SHA512
7995d67ccaf848f896c7a84e79f4dcaec0f1778407499383c82f931d38f019049e590aa93670362c4b589f39877645ebeedbdddb4370aa58a41aa926ccbf792f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\AioSetup.bat

Filesize
17KB

MD5
35c60956a0f5ce70a3f4130d9a7b1501

SHA1
fe9a73579364848d6267c958ac0c8627e36e695f

SHA256
93d525abb546b36376b8271db637f0b7b0d41b5a1f7a056c0169c78090ef70da

SHA512
9afab9a6526acae98894d934d9ab28092c3473585fc2ebb57648998d2fce1c8f3dd566404948ad084cb1262bb73a1172b63728bfd412d14f425b7aec473ccef0

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ICSharpCode.ILSpyX.dll

Filesize
239KB

MD5
b4abd8d001fac03eca845b28b18d866b

SHA1
b408a8041611b2c936b559cb7b0fbf3f306405ed

SHA256
69d56b632865b2cbe7d9decc796f0e4360f67ab1823aaed3225e4fc652765e82

SHA512
5dfa5950d73a718ded2669e2df8a62192a6f4ab10ec44d04415eea0ee0001bd517d2f26b99e177c00f834b44689d5a1bac1bf7df0725c5aa0db3e3c397dc2675

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.deps.json

Filesize
54KB

MD5
13492ecefca7adc8cb26a3410cf269ff

SHA1
fc75f5ace59f1d3afd5c5df0d940a14cc172bed7

SHA256
cc5dadc1f1ce8e695884d4606571989830f73b7ac5b0a3670ce929e064fb19ef

SHA512
d28a2fc9c8d68703a927c1d8fa510b39044486e8a223a9b155411fcaca85d5f8dfa9c447d6b563032db3ae0eb810528d44828191f860eb52a2f85ebb96dc096b

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.dll

Filesize
1.1MB

MD5
8fe47e3a88aaa6e63c14e173df92c8c3

SHA1
0aee9e92e2db7c454751a08b1a85646111b205f1

SHA256
b42481cf0d9fef13e102268a4f884dcdd505b3605a57d8dc2aba6d771315c82f

SHA512
d2a82b19218bdbdc48323b84b7478978d75e5acf978101b7399b02ed28cb4f326a2b18984c0ed858811f6a4736a00cd3d31db88c171dc5528e983b7c216ebee2

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.exe

Filesize
206KB

MD5
04044e6aadd1b0320c25bc2f7a807cdb

SHA1
bc1a82d25f74c700770a3006e109f53f3a60b25f

SHA256
59dfeb9172ddd9ff4ac6bb11ad01ab092aa362029f4966b50afc33d73edcb7ea

SHA512
62a8fa80c1b3ac495a49e634da5c545f06eea8bd4149088b39bcab10a0e477682d0c2768d406043e794b33a241b690d983e8a70b71c0379e1e0b99f43c6a08cb

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\ILSpy.runtimeconfig.json

Filesize
622B

MD5
fb8bc637f1f1ae6fc04a0c7a5172e95c

SHA1
9b33ed303e3214b4d5a49f91657259d5729ebe31

SHA256
f2e4da0c5b92397b97beef929f91b09a8218209f79544ebd96d18789bb2d155e

SHA512
b659aea9c6a6430ebe35728d41db4980b9e03d394e50ec2522e97798d36d49ef0886867da1a8e0fec2acb992bf6766dd83ad2ddc52d70629fd70ec4f59fc9b18

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\McMaster.Extensions.CommandLineUtils.dll

Filesize
148KB

MD5
586ad03be048363e27446166abbdb2ed

SHA1
cdf6d8c1534715691e4e026a685dba5eb162abef

SHA256
2128196ebd4fa7fcf6159d2a5548c2b9efb733eeecc7bfa0023ab0a838859b80

SHA512
b3466194d4de4dc01c571b66068f5769bc84a834f8c65f75d20c83f976015eb5caa9f347be3690171dcee479c3f45b11e57b686f9b481c6ee27345f9a3159944

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\PresentationFramework.dll

Filesize
15.4MB

MD5
bd8994e54bcec20eb104488d9c64e4df

SHA1
99fb4c0af9a84909099ad597b306698965f3a102

SHA256
5e3bc191b1815b5e4e0eba7da068eb7726093b77c33d62bcf267c52f1777f6ff

SHA512
ec22bec8c34cb5df7bcdab2496d9600e0497deb3b76ab39a9a16184dad5cefeb34e6782ca1513913ea54fb56cfbb06968cebd57b32a297be0d2694f35177db28

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.ComponentModel.Primitives.dll

Filesize
78KB

MD5
8c50946b498caf0cf9a78420a1c62084

SHA1
916234905e6635173e9e17385bdfb0e22c630e69

SHA256
fa581d2aa20bac7d159a56911cc469784aa9a7ff816115499eeacce85fbc989c

SHA512
28ba730341f46ace0de82f46bec7fb3eec622f00522e39d2d662a5dcf32b2aeb6e9a8c626f7a83f9ebb1b670b0591924f722d816cf87718066f965ede2af7796

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.ComponentModel.TypeConverter.dll

Filesize
730KB

MD5
68ebeac02eaca672a7615c616643f0a9

SHA1
2e243584314ed827068d955669da7be7f2b66ea3

SHA256
f5286ef2c4d5a9ac1418122b9ffc26612b09468c87120f51ee4e9736f84a9eca

SHA512
68e9e37a708c0fe968c15ec35017c71cdd9ab2fa49028ec810ee534084c835fd82aa73817a7176d82a81d0bc1964c0e74666ce3b4fee02d0a9e867ccbda2d5bd

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.ComponentModel.dll

Filesize
30KB

MD5
af5df602d830cd5d828113e6ed63167b

SHA1
ba7282f5b075160509d1a8e7e3c87cc85d92236c

SHA256
145bef6f199664ad1f534120056906dad4a1a6766a9cb0501b8125cc3fddf9df

SHA512
e6f6095b812d11a2463ffe140becd5b6e5c42b033f8372941913a5fa3580f0efe3f1010dd953a1651af614da0e7f06a8ade4ae00f7086bb32405a00d2567c6ff

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.IO.Packaging.dll

Filesize
286KB

MD5
51a7489e0dd729bc6fb88a936858babc

SHA1
98b4b9961fce377025d05b3dd9bc3d3fd202bf03

SHA256
60b2e3825434c79ab3ac158a839e7d50caa735acd2c3310a4d33f618f5b4a0e9

SHA512
23a43bca8ded44952e3255a33c8018f89d9b2b4f2db1a5ac9c01c940b9470d2ec651e92a8c9191e41c3d6f354b577aed4b4ad6d57ac2eef2c67e3c89c1f715b8

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Linq.dll

Filesize
530KB

MD5
fb0fb17b3a25ff482c63087e2ce4f73a

SHA1
b34cd452f7ace750f3810a95983a067db6aa379f

SHA256
64acd73260b864145c835de0a0d535b0aec1ab10cf4708c1b56797ddefd0a678

SHA512
1416defd37a17342e4a135c5b60e3104b40a516c5eb0958d846929f15d3fb8bca93f552cb58506d3269babbdbae825ff55a8e8e261bb1565ddc70e82d563c0e1

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.ObjectModel.dll

Filesize
78KB

MD5
df2793c6fe44c1e75b5d901c306fe24e

SHA1
d4c390d18da902b5e33a487dbf278209de9a2f09

SHA256
381fc44114bd420c0855469395876a962f8cd752a6621cafc3bcad5c8e131970

SHA512
207bef86d7e0a9d17035fc9ba9baee17ccd8cce0a0d7cd39736cdff00956ad412a50f5b2e2aeacae2c79bac7a03edf7a9cf454326aed0e8c0202cac43de04324

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Private.CoreLib.dll

Filesize
12.6MB

MD5
59f8c0b86e0dcf6a6a3395947407a783

SHA1
d9a95ff773c8098fceb10aa0edd5fb2cce66c8a5

SHA256
6b18dc1feaf9ceb49cf5b173a1543b41a304dc5ceef32a612ad77fd13e02eee7

SHA512
f696f7dbf6300c32ce4c275570b0e3aafd2bf6d21853dc729600399bb8699b306553d18df609191c51a09ac3414a4de985bc19ae2a0452e8c05c8927183d3bec

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Private.Uri.dll

Filesize
254KB

MD5
e620d27381add0d057a62d1c63df896e

SHA1
a08dc1cec40c913a239d7beb68ba7dbafd158806

SHA256
2492c5f7e779359d09740cb776cd41a726cd4f0ccdd65dd64d5e6f5a81e6df54

SHA512
dbc105159c7d389761e76f77ecd76d9341938235c227e3367c294e8594d5f6a19adcedae0891a6ecdefd6485895845df1a3ddfe2cb082a2f6b308e8cacd0b269

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Runtime.dll

Filesize
42KB

MD5
adb7dcabdb8cbde702a302cb166ad7a4

SHA1
05905e34cd64708777663bc13a028785de01ce1b

SHA256
2849a7089c9a96c027caff7350af131e630e4e7b6edb268b7ab880569358100d

SHA512
0a286a8b2a58993b5e626eac9e0be49857690ae5f78d1185bbff95e6f31e9dfc1109c6b66695a8d43b8238fe504d88c47d82847c8b78b9fdf715b6ba74570781

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Threading.Thread.dll

Filesize
15KB

MD5
52e673fb8d3e1f4f642d907f49e5e28b

SHA1
4c31332b702191c8ff0b52f2e5417fa20f1e4975

SHA256
eefbc4bd778148c479774c57d24d13261d4f2b32fbeeb95f211d3a129a52b27e

SHA512
dddc9e880b0d1c5018781c8bb8e688e9d9ef9cc18240dc749321eb9ef1db74763020fc6b076b9fe24b04fdfeb97b1dc3f191e0ca162568506bb065e03ef408d9

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\System.Xaml.dll

Filesize
1.4MB

MD5
0e992ff6398d5130c83fc5e05cff997a

SHA1
56ba72f95a1b7f2fac274b05915590f9cf082a00

SHA256
53b27fa67210b4c2edba7fb727e5b79014970a8831a170312970626ade700454

SHA512
72e11185b6a0f08347a910e6cdbb07875cfc609ddcb0d9aadc94053d75cb53088c0056ec94b7af81f89ae4a0f09f4a53431005ae99c3252544eedad6de31ec67

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\TomsToolbox.Composition.dll

Filesize
27KB

MD5
24a29907de7bcfa7dab4bf59649d3793

SHA1
5c88c68f81c72533a604437f5bbe34ee2e731cf3

SHA256
08b922376ae4439c6d439bc02e5d919600af357a71eb39de8f72931ab4b4b8d4

SHA512
122ae399eaeed3cd5ec5b0e2059eda4a437a1128553d33075ee33dc481bee07bd67a766891d97ac52836ca67a2eb60c34b8a7c7bbbd48d6118f18039224da053

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\TomsToolbox.Wpf.Composition.dll

Filesize
61KB

MD5
2517fc3bd863e3fdff1d9a4ab72bfdd5

SHA1
7e7f9af74eb63f16df838de069dd1ee8c59b5dc5

SHA256
fd37ac2cae51f00c6083c3015a58543b621dddd40c544298bde37ad873eaec93

SHA512
980e020e7242d5d0160b17ec92391f0ce583716cac64ba6e29caff9e07f7142a0f136efdea28915470a8dd70b6da9b56a92719ae5b76ef8f90012f00484b48a3

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\TomsToolbox.Wpf.Styles.dll

Filesize
117KB

MD5
495576994707176a58c1bd39acb16c4d

SHA1
95c178d8c8b3749c303e9c4c6404954f66b06dfe

SHA256
a37b2c475f69e602e867e7bd8f5c14bd51a84f6cdce367a46419fe0684abc381

SHA512
5775751015bd1a4b7387c52531921f5aeb4d427859483f789dd32cab0a0f84707e19a3328c594daa8d05b3ba00a8343cb89df1b08943f66f4ab268a9b6faf468

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\TomsToolbox.Wpf.dll

Filesize
245KB

MD5
cb152d916d8974867955f637f5dbf6bb

SHA1
582855b877aba626fb8eede2a2f117acd5b23e07

SHA256
2fae4ecda8afb50df5c78b7ae7afe673dbb7208822e079772a91a16130db4eb4

SHA512
351dad8e1d59f04b47acc798fed63789833f21a961f7066f742d2d4c423c1eca2ac14a0c778264e525d960a491163eb42da2612db3dcd0eaa742827fc9fbe0bb

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\WindowsBase.dll

Filesize
2.2MB

MD5
98bf338f37cba778f123d520abf0b1ee

SHA1
7a3381a275ea419aac68bef386b23ef8d7ec0932

SHA256
04c4e2839104f9e066e31659bb1fcb7136a9593613128f0f47451c19ac589666

SHA512
bc1dd2f1df4ff025422f8f9c726222ab55b4357385c31f54cf4298a83707e778734f78a6f0a2da4ed9606d46ee112ff02dcd042e4f5f586755c75ae92b98fe42

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\clrjit.dll

Filesize
1.7MB

MD5
463e4a8ff3ca41f30303ac50bd0ab343

SHA1
e8b210406f03044452dcac9d95d427b5774b1a27

SHA256
bb68bf2c02422190fca77a823f9cd38ea2bb97ed9bcfd16cdc424c2e5f3de6bb

SHA512
5eeb1174beb5187c1c11f30cace50240a63f3474c544a2b231b011f42cda7edbe676446619efe56489721e99697c480a288ad2d2492123745a7ce3ebdc68f534

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\coreclr.dll

Filesize
4.8MB

MD5
2f0b0927962c29a35744de52c3820b06

SHA1
a0f7bcb68daab2ca37809dcf2b7a67ce33b3d5d4

SHA256
b8962adcfb27934ff93f7fffe306e1f01b9342305e883443896204e24c68290b

SHA512
b96d09bae12c98f89c1e91bfd1eff526ba91fd006d711cc7c2ad2070e8799fb8ab279efb513de1d13ee272ee2f87ef6ac77f42fa1c64eeea6d8a4325518a903b

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\hostfxr.dll

Filesize
342KB

MD5
92b9c5373c301e624c4159fa72c5e2e9

SHA1
69d9adff6556d60345c8d61f5aac5515e5f4c8ec

SHA256
eef3310770dd503494c4b1c917394db18f1eece1600638c881023c30902934f1

SHA512
409cbca9d63fd7c58f1f7c430892fbf01be31cac131981d0d88d7b847b7ef6f6fa51d9ecc878d81ac317aeefc0ab2300a124ee2a481ad697028763c674aa4b06

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\hostpolicy.dll

Filesize
384KB

MD5
061a29ca4f11abab79b7c49980294f06

SHA1
748913c97ca8dc00f7f0453bccaa5e7a7430c018

SHA256
d4d9db2cee70e6ad857188f12f92a0532be6f7fc7412851c8ed54afdc30ccbcd

SHA512
20646998b0b46de91e4f0ef0fabae17b605dffe7e9cdeb8135e129850222e161b120d80ef311e2d6cb6cdfff2743f6d25045f67c864cbf3deeac710c751ed1f8

Download Submit
C:\Users\Admin\Downloads\ILSpy_selfcontained_9.0.0.7833-preview3-x64\netstandard.dll

Filesize
98KB

MD5
ea0e593c338c61277f41823d982b374e

SHA1
8648bae24540173ca51e4fbb6475b269966fda79

SHA256
57f9beafe45cce172d363928f126936a274958b6d357455d368d9f9a2be16f1c

SHA512
ab324a0792ea02d98d00bababe3c26e07288270717c659f492a81e65ee2e7b8252aa242aecf82035c23f793de45f06400ea933a7789e5cfc1590c3a57c8a38d2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 917871.crdownload

Filesize
4.0MB

MD5
67a066e7526880c69f21cecbd56cfa9e

SHA1
58030474e98022e2ef048216fbc07ed3839f514a

SHA256
77e103f41118b7c285c94f7e6c108007feacae04624a5991ee0b0f4a8cd5d793

SHA512
c7b20cab7f1502945cb236b1aba8eaf802e16d09e04ead2f24d3db54bc6d8a94c511497eae6e4e092268bfa9305aa30630b0b10a939fb46235ab39a781d16854

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
memory/1168-2166-0x0000019FABB70000-0x0000019FABB80000-memory.dmp

Filesize
64KB

Download
memory/1168-2173-0x0000019FABB70000-0x0000019FABB80000-memory.dmp

Filesize
64KB

Download
memory/1168-2165-0x0000019FABB70000-0x0000019FABB80000-memory.dmp

Filesize
64KB

Download
memory/1776-2144-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2142-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2135-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2136-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2134-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2140-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2141-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2143-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2138-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/1776-2139-0x0000017BAE1B0000-0x0000017BAE1B1000-memory.dmp

Filesize
4KB

Download
memory/4164-2172-0x0000018917F90000-0x0000018917FA0000-memory.dmp

Filesize
64KB

Download
memory/4164-2167-0x0000018917F90000-0x0000018917FA0000-memory.dmp

Filesize
64KB

Download
memory/4164-2168-0x0000018917F90000-0x0000018917FA0000-memory.dmp

Filesize
64KB

Download
memory/4320-2184-0x0000022516BE0000-0x0000022516BF0000-memory.dmp

Filesize
64KB

Download
memory/4320-2178-0x0000022516BE0000-0x0000022516BF0000-memory.dmp

Filesize
64KB

Download
memory/4320-2177-0x0000022516BE0000-0x0000022516BF0000-memory.dmp

Filesize
64KB

Download
memory/5316-2179-0x0000022350E50000-0x0000022350E60000-memory.dmp

Filesize
64KB

Download
memory/5316-2183-0x0000022350E50000-0x0000022350E60000-memory.dmp

Filesize
64KB

Download
memory/5316-2180-0x0000022350E50000-0x0000022350E60000-memory.dmp

Filesize
64KB

Download
memory/5608-1905-0x000001CF31980000-0x000001CF31988000-memory.dmp

Filesize
32KB

Download
memory/5608-1877-0x000001CF16920000-0x000001CF16958000-memory.dmp

Filesize
224KB

Download
memory/5608-1878-0x000001CF332B0000-0x000001CF332FA000-memory.dmp

Filesize
296KB

Download
memory/5608-1888-0x000001CF33260000-0x000001CF3326E000-memory.dmp

Filesize
56KB

Download
memory/5608-1889-0x000001CF33300000-0x000001CF33338000-memory.dmp

Filesize
224KB

Download
memory/5608-1894-0x000001CF319F0000-0x000001CF319F8000-memory.dmp

Filesize
32KB

Download
memory/5608-1904-0x000001CF31AB0000-0x000001CF31AD2000-memory.dmp

Filesize
136KB

Download
memory/5608-1908-0x000001CF335E0000-0x000001CF33606000-memory.dmp

Filesize
152KB

Download
memory/5608-1906-0x000001CF31990000-0x000001CF31998000-memory.dmp

Filesize
32KB

Download
memory/5608-1907-0x000001CF334D0000-0x000001CF334D8000-memory.dmp

Filesize
32KB

Download
memory/5800-2012-0x0000021A2B320000-0x0000021A2B52A000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2011-0x0000021A2AF90000-0x0000021A2B106000-memory.dmp

Filesize
1.5MB

Download