Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/01/2025, 23:01
250118-2zxknaxpaz 818/01/2025, 23:01
250118-2zjnssylcl 118/01/2025, 23:00
250118-2y9htsylbk 118/01/2025, 22:59
250118-2yn7wsxngx 118/01/2025, 22:46
250118-2p7ymsxlh1 8Analysis
-
max time kernel
639s -
max time network
641s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
18/01/2025, 22:46
General
-
Target
1dolar....png
-
Size
434KB
-
MD5
c987f89cfb71ab62b207d9db7f9e2215
-
SHA1
7f3d80d21105e4b1121f450c631433f8b89bc999
-
SHA256
00a9607440ef0b169a4c3908a204af9dc3a202c8788dab74621e41e2881697b9
-
SHA512
1148524e018582c7c3cdc716b3ce25a913312cc32ac60451aafe4ecc5598dcf88cc495b364f68c24df44875df936a55c28c1493c37c51dc2f951fbefd04956b1
-
SSDEEP
12288:0OlDZpFgBN4ybmhP4gtCOwCtScLDkdAI7uyLt:VlF/4NvY7tggYmI7VR
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Manipulates Digital Signatures 1 TTPs 26 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs
Using powershell.exe command.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Detected potential entity reuse from brand STEAM.
-
Drops file in System32 directory 7 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
NTFS ADS 2 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 60 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\1dolar....png1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6362cc40,0x7fff6362cc4c,0x7fff6362cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
- Drops file in Windows directory
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6e5824698,0x7ff6e58246a4,0x7ff6e58246b03⤵
- Drops file in Windows directory
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2936,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3748 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4324,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5200,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4828,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4872,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5356,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=872 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5384,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3500,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5460,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5648,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4424,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5988,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5960 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6124,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6116 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6240,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6264 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5676,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6448 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6596,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6584,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6728 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6860,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7056,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7028 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7172,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7060 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6868,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7324 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7468,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7476 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7656,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7160 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=4976,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7092 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=3328,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7716 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7828,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7836 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8000,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8016 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7988,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8140 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8128,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7688 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=8404,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8416 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8580,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8424 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8720,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8732 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8588,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8868 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8904,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9016 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=9244,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9296 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=9336,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9352 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9260,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9220 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9620,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9644 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=8764,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9044 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9480,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8740 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9936,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10060 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=10192,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9376 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=10216,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9924 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=10536,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10500 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=9504,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10636 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=10760,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10768 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10948,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=10788,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11048 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=10112,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=10604,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6048 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=10136,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10852 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=10076,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9388 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=10048,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11112 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=4448,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9788 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4452,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11068 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=10576,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9444 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=9328,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=11060,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7888 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6388,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6052 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=9700,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8604 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=9264,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9736 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=10164,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9516 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=8448,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6404 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6036,i,1016852502595343564,15001263430113099471,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\SteamSetup.exe"C:\Users\Admin\Downloads\SteamSetup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Steam\bin\steamservice.exe"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Steam\steam.exe"C:\Program Files (x86)\Steam\steam.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
-
C:\Program Files (x86)\Steam\steam.exe"C:\Program Files (x86)\Steam\steam.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=4920" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0x7fff46a4af00,0x7fff46a4af0c,0x7fff46a4af184⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1564,i,9694445446734441178,18287357544486546455,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1568 --mojo-platform-channel-handle=1556 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2252,i,9694445446734441178,18287357544486546455,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2256 --mojo-platform-channel-handle=2248 /prefetch:114⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2348,i,9694445446734441178,18287357544486546455,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2680 --mojo-platform-channel-handle=2120 /prefetch:134⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,9694445446734441178,18287357544486546455,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3084 --mojo-platform-channel-handle=3076 /prefetch:14⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\Steam\bin\gldriverquery64.exe.\bin\gldriverquery64.exe3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Steam\bin\gldriverquery.exe.\bin\gldriverquery.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe.\bin\vulkandriverquery64.exe3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe.\bin\vulkandriverquery.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Enumerates connected drives
-
C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 2808 2812 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 2844 2832 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe"C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.22000.1_none_c9ae46ac3b5c78ef\powershell.exe"1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd" "2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /c ""C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd" re1"3⤵
-
C:\Windows\system32\sc.exesc query Null4⤵
- Launches sc.exe
-
-
C:\Windows\system32\find.exefind /i "RUNNING"4⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd"4⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver4⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV24⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"4⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "4⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"4⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd4⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "5⤵
-
-
C:\Windows\System32\cmd.execmd5⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd" "4⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"4⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':PStest:\s*';iex ($f[1])""4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':PStest:\s*';iex ($f[1])"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"4⤵
-
-
C:\Windows\System32\fltMC.exefltmc4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\find.exefind /i "True"4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd""" -el -qedit'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd" -el -qedit"5⤵
-
C:\Windows\System32\sc.exesc query Null6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "6⤵
-
-
C:\Windows\System32\find.exefind /i "/"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV26⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "6⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd6⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "7⤵
-
-
C:\Windows\System32\cmd.execmd7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd" "6⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"6⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':PStest:\s*';iex ($f[1])""6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':PStest:\s*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"6⤵
-
-
C:\Windows\System32\fltMC.exefltmc6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "True"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev6⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.9" "6⤵
-
-
C:\Windows\System32\find.exefind "127.69"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.9" "6⤵
-
-
C:\Windows\System32\find.exefind "127.69.2.9"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "6⤵
-
-
C:\Windows\System32\find.exefind /i "/S"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "6⤵
-
-
C:\Windows\System32\find.exefind /i "/"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop6⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop7⤵
-
-
-
C:\Windows\System32\mode.commode 76, 336⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N6⤵
-
-
C:\Windows\System32\mode.commode 110, 346⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value7⤵
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':winsubstatus\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net6⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\sc.exesc query Null6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
-
-
C:\Windows\System32\sc.exesc query wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
-
-
C:\Windows\System32\sc.exesc query wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
-
-
C:\Windows\System32\sc.exesc query LicenseManager6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "11" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "6⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "6⤵
-
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "6⤵
-
-
C:\Windows\System32\find.exefind "AAAA"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\ClipUp.execlipup -v -o6⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem3FBB.tmp7⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\mode.commode 76, 336⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N6⤵
-
-
C:\Windows\System32\mode.commode 100, 366⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=35;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':sppmgr\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\mode.commode 76, 336⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV26⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "6⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd6⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "7⤵
-
-
C:\Windows\System32\cmd.execmd7⤵
-
-
-
C:\Windows\System32\mode.commode 76, 256⤵
-
-
C:\Windows\System32\choice.exechoice /C:120 /N6⤵
-
-
C:\Windows\System32\mode.commode 110, 346⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value7⤵
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':winsubstatus\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"6⤵
-
-
C:\Windows\System32\choice.exechoice /C:10 /N /M "> [1] Activate Anyway [0] Go back : "6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\sc.exesc query Null6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "12" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "6⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "6⤵
-
-
C:\Windows\System32\find.exefind /i "2de67392-b7a7-462a-b1ca-108dd189f588"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"6⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"6⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServicePort /t REG_SZ /d "1688"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "STOPPED"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\ClipUp.execlipup -v -o6⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem2C8C.tmp7⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(6837379)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$([DateTime]::Now.addMinutes(6837379)).ToString('yyyy-MM-dd HH:mm:ss')"7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\mode.commode 76, 336⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N6⤵
-
-
C:\Windows\System32\mode.commode 110, 346⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value7⤵
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':winsubstatus\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net6⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\sc.exesc query Null6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type6⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
-
-
C:\Windows\System32\sc.exesc query LicenseManager6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\sc.exesc query ClipSVC6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC6⤵
-
-
C:\Windows\System32\sc.exesc query wlidsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start wlidsvc6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "14" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "6⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "6⤵
-
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "6⤵
-
-
C:\Windows\System32\find.exefind "AAAA"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\ClipUp.execlipup -v -o6⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temBF75.tmp7⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\mode.commode 76, 336⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N6⤵
-
-
C:\Windows\System32\mode.commode 76, 256⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c tasklist | findstr /I ".exe" 2>nul6⤵
-
C:\Windows\System32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\System32\findstr.exefindstr /I ".exe"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-msaccess.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-excel.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-groove.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-lync.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-onenote.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-outlook.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-powerpnt.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-winproj.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-mspub.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-visio.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-winword.exe-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -svchost.exe- -unsecapp.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -svchost.exe- -dllhost.exe- -dllhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -setup.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -svchost.exe- -SearchIndexer.exe- -powershell.exe- -conhost.exe- -ApplicationFrameHost.exe- -SystemSettings.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -cmd.exe- -conhost.exe- -steamwebhelper.exe- -audiodg.exe- -WmiPrvSE.exe- -powershell.exe- -cmd.exe- -svchost.exe- -sppsvc.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "6⤵
-
-
C:\Windows\System32\find.exefind /i "-lime.exe-"6⤵
-
-
C:\Windows\System32\choice.exechoice /C:1230 /N6⤵
-
-
C:\Windows\System32\mode.commode 130, 326⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value7⤵
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s6⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"6⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"6⤵
-
-
C:\Windows\System32\sc.exesc query Null6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type6⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\sc.exesc query sppsvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc6⤵
-
-
C:\Windows\System32\sc.exesc query Winmgmt6⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"6⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':wpatest\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "15" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"7⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "6⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path7⤵
-
-
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k6⤵
-
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""6⤵
-
-
C:\Windows\System32\find.exefind /i "Office"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path7⤵
-
-
-
C:\Windows\System32\sc.exesc query ClickToRunSvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query OfficeSvc6⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType6⤵
-
-
C:\Windows\System32\find.exefind /i "WinNT"6⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID6⤵
-
-
C:\Windows\System32\find.exefind /i "Server"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-WmiObject -Query 'SELECT LicenseFamily, Name FROM SoftwareLicensingProduct WHERE ApplicationID=''0ff1ce15-a989-479d-af46-f275c6370663'' AND LicenseStatus=1 AND GracePeriodRemaining=0 AND PartialProductKey IS NOT NULL' | Where-Object { $_.Name -notlike '*Office 15*' }).LicenseFamily" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-WmiObject -Query 'SELECT LicenseFamily, Name FROM SoftwareLicensingProduct WHERE ApplicationID=''0ff1ce15-a989-479d-af46-f275c6370663'' AND LicenseStatus=1 AND GracePeriodRemaining=0 AND PartialProductKey IS NOT NULL' | Where-Object { $_.Name -notlike '*Office 15*' }).LicenseFamily"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Wow6432Node"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k7⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Retail Volume"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "" "6⤵
-
-
C:\Windows\System32\find.exefind /i " ProPlusRetail.16 "6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds7⤵
- Modifies registry key
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /I " ProPlusRetail "6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "6⤵
-
-
C:\Windows\System32\findstr.exefindstr /I "ProPlusRetail"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo: "6⤵
-
-
C:\Windows\System32\find.exefind /i "-ProPlusRetail-"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "6⤵
-
-
C:\Windows\System32\find.exefind /i "2024"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Retail" "6⤵
-
-
C:\Windows\System32\find.exefind /i "Subscription"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "6⤵
-
-
C:\Windows\System32\find.exefind /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"6⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 06⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Windows\Temp\MAS_fe1befeb-8a7b-4de3-a015-46290f438f57.cmd') -split ':hexedit\:.*';iex ($m[1]);"6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "Error found"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo " ProPlusRetail " "6⤵
-
-
C:\Windows\System32\find.exefind /i "Volume"6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }"7⤵
-
-
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-21-3870231897-2573482396-1083937135-1000\Software6⤵
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\15.0\Common\Licensing /f6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3870231897-2573482396-1083937135-1000" /v ProfileImagePath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3870231897-2573482396-1083937135-1000" /v ProfileImagePath7⤵
-
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Common\Licensing /f6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3870231897-2573482396-1083937135-1000" /v ProfileImagePath" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3870231897-2573482396-1083937135-1000" /v ProfileImagePath7⤵
-
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f6⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f6⤵
-
-
C:\Windows\System32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:326⤵
- Modifies registry key
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing 2>nul | findstr REG_6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing7⤵
-
-
C:\Windows\System32\findstr.exefindstr REG_7⤵
-
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:326⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f6⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f6⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663" /f6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default" 2>nul6⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default7⤵
-
-
-
C:\Windows\System32\reg.exereg load HKU\DEFTEMP-6311 "C:\Users\Default\NTUSER.DAT"6⤵
-
-
C:\Windows\System32\reg.exereg query HKU\DEFTEMP-6311\Software6⤵
-
-
C:\Windows\System32\reg.exereg add HKU\DEFTEMP-6311\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f6⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\reg.exereg unload HKU\DEFTEMP-63116⤵
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f6⤵
-
-
C:\Windows\System32\reg.exereg add HKU\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-WmiObject -Query 'SELECT ID FROM SoftwareLicensingProduct WHERE ApplicationID=''0ff1ce15-a989-479d-af46-f275c6370663'' AND LicenseStatus=1 AND GracePeriodRemaining=0 AND PartialProductKey IS NOT NULL').ID" 2>nul6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-WmiObject -Query 'SELECT ID FROM SoftwareLicensingProduct WHERE ApplicationID=''0ff1ce15-a989-479d-af46-f275c6370663'' AND LicenseStatus=1 AND GracePeriodRemaining=0 AND PartialProductKey IS NOT NULL').ID"7⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "6⤵
-
-
C:\Windows\System32\find.exefind /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call UninstallProductKey6⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "6⤵
-
-
C:\Windows\System32\find.exefind /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"6⤵
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C01⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem3EB1.tmp2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem2B82.tmp2⤵
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temBE7B.tmp2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
3Install Root Certificate
1SIP and Trust Provider Hijacking
2Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5c9727664f3e57950952d4cb76800b7f1
SHA10b58abc114cae80ed8f602a9a936f47bdf642f58
SHA256fbc9b166ab694de517c09df6577dea960c2e89f323dbfce0e4c97d10d3619629
SHA512866f293030557bbca462f96df8ac2dfe6951cedd3170b1ab175961f16341e6659679ee2df12518642bd875eeca5bbdc6a681c1e7c4f8724e2883ce43c843194f
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
3.0MB
MD525d04794548edf1cd76c76a4c2cf2871
SHA128f6e4baa2ff6f8b175387b514e9d8f64875f2df
SHA2563bb2acee9c23d5bc423c150fa6d2c7ab396f1ddb4f11e730e8c242d780187443
SHA5127b196cacaede87974508f10fa4c71d4b1bbdd81292f23d9526ee1c7fddf722e49ac0a0f1358a1421a81eeea59bd4a46cdf1c2568f701b2f07dd7b8776ca59526
-
Filesize
446KB
MD5745897fc2816625a0e5f1ac0f9af16a2
SHA1cfa9d4dbd1a5bc728ed712cef8b3fadc903d111b
SHA2565512cabd57b6e1fbd2b96c298d804a3795cd317f61e154aedb335f6c119eaf62
SHA5127053e9c95b943a30006065a66830bfeb0f37dfb185fcc27019c205e3cea358a0f71ff8007cb6aa39bf61e3406e989ac8366226d83dea5e37c429a5242d1786d2
-
Filesize
850B
MD5485f3cd5a94355f8e6b0aa101abd9f04
SHA1a91650f4f103fdf08c8c261cdb1746aca658229e
SHA256ecb94457c6327a56138dee83fcd82e61352c45e7097309a2effc694e5e78d1e8
SHA51231b1746d7491d4be907bfe966cecc43f9fac099f897f423cf0b85bef4846a325d209ab64408edfbbd110ca3d3d61644d0cd547e431ae6e6ccd5a74cd9dcaa794
-
Filesize
11KB
MD57e23e2abf1e03fd0d3c0ed71d3e67201
SHA177e9ff622eb2b07d4eb908146251d2061895fd47
SHA256588aa09f39b70d191b92c2414217429a2fd21c4fb7c3f21fa1d57ece2f552209
SHA51214496dcaaccd6b00b156d26691465f6fb85da94b04d0a804ad22a8f42d992ef201c4c92b87e2c9d6e5b80ffe53049ed8b44d67ec304bd604d18f6204590c7bb3
-
Filesize
850B
MD557626036538c8abbf5bc761c8ecbb274
SHA1f3dc829a302cd7e268b566eff47b9c5b3badc33c
SHA256aeb0afc185056f716552564e277ef8a6740a4e7f1600032153eebffae18b3ed2
SHA5122d508dc1d441187d18502f3d470a27cc8a34af5b16a97db713a2c34801ad65eaf4e15e7b13fb216c11ef4ce505e438e4dd49c326e8217341735ecfbedbdcd330
-
Filesize
11KB
MD5642d05fef3999b47e67a3b979395d87d
SHA10806dda798421528f8e61e81ac4aadd20cc101e7
SHA25653bb64373a30ee2b7b2d2fca25f1d0047fee7d932f351d902041b3d5fad6016b
SHA5127f362c47552e0e31c1361f5cd81c94a7e3b1755b4c336b36275a4f42b77ddc775ad5c46e5aed5659f10beef92f228d52882b1fc421bba093373df82f110e2b2e
-
Filesize
850B
MD5fd580865ff5b65ffeead3da78f9d244b
SHA1f26c08181b87d1a6979f97293413d25f6f2862e3
SHA2565256b74f3447a7fdbaab2ebe6442160dd617fb10800fd0045895b280f603604a
SHA5125c7dd9a96db711627e4e2f0bc57bc56a1ebd22d8063cc6b8d5d10ad86104b0aaef52fc17e84ebd07d902d345931aeb33e8ba1dfc334e8da251b538e5e8fb10bd
-
Filesize
11KB
MD51c213c5e8828353641cef6d74ee6838d
SHA16e16eb31f642327afbed7b8d4ca56e791b799cca
SHA256a1cbfc3eca8b075ce204c629bf0cf36b0add593c8a28040018319e5e2533ffdd
SHA5127b7a222c49a95cea34d8ea005302295572a9955a396bfb51e929a83fd351a67c55c4b8c1647eeb0d4d7bf5e9b0c9502d7f4f4e75970e5b004bb72b4c5c2abf43
-
Filesize
62KB
MD5b4c6016286bdce7c51c3634999f2ea5e
SHA1c446378afc6b12c372bf4dbf33efa61e9f7fbbda
SHA256a8f8ab6c63c8d4471d158010f18cb24d4d2ccea495a160cdcef95a96183ffc6a
SHA512a121b4df2348ef53413b82c69a66ad3654aaec7d40011dfa4968f9a6b9a5e1252089f39f4961f2305a678c227abc14bac88a3674ab960fc52f71f7c3776c928d
-
Filesize
880B
MD5dcc6434e76ccc91fa6c35df0d0d6f5ce
SHA1ed1d50016a7db340208145d988a82ce7c126cc94
SHA25645526926c328fd96d9be162238b22694fc496d7a946c0e5a085b83257e7e25e8
SHA51290e08c83dfc95cac80150ebda86085ed2dc86fbc1b2f1112de15638f548e2eb4fc954e3ecc17d828a1a6ed549acde8a1f8ded666865d46ef30eb026127c8b102
-
Filesize
11KB
MD52317370717a6bf28b9af805dc45ae5c4
SHA1ae6876ee8672be7ef18ea64af2293e0d4bf8703a
SHA25601cd704e1fb542c10b368985c57204b1f78f1d61b07ae6cb193b47aab12cf663
SHA5125257384b0e7d49852786f81b03d5cbf4026705c1ddf0c533faac970d92cc9e7b9f3a954bde5eefda6c883bbaeb7feda50292245fed9fd1e5914a404d66357ec4
-
Filesize
880B
MD5f35d405459f10fd3d1f52f6dd64252ca
SHA15f3bf4ab1c25ec54e79afe7f92390a624ae5cf14
SHA256384f7c7d81020a72029972324ec6d8b84dbb3f342418c15e0833db02174416c7
SHA5122bf358ed9e7c09f49280bffb7e200d93ecd3de99d0a842bdbb468b808383aa16f444ad8888f030d1bad5e00fd49c7c3d01a72a256c96aadcab04dba59fbe0a7e
-
Filesize
11KB
MD53e3b6511ef707e9d2344b320407ca1da
SHA1af55e484ad47daeeaedc5efc0d301ed8d6a7be16
SHA2568b8be00e22af7c415c0086e48c6ce86ec5d146c75a43829ead4a82d25b5ff636
SHA512a14250cf607d8d3bde7b9f118bdebcda8deb1b4866042be3aa4d266fcc4734f47f2398c6635d4884d16935c58df6e3a64c68a6196e9892c0c6e2195904cedb30
-
Filesize
880B
MD55fe646e5f52a6183027c87160b922e2b
SHA153123095d2ff679db51a55961e7efa6f3c2cd09f
SHA256ff729c37c44b93705b3d7f3e07a35e1debb5deb6be7a00c0a82546d0fb88c0e0
SHA512a8e7b4f06fd7a2f46d75ba2a43e924aec6d6e270a0ab7b6a3f6cb259d33f7ac78b00ecc6d6b39e8f0433dd35894972790c43d81c7177bfd72decff8a4a768ea7
-
Filesize
11KB
MD59473054628d25757f804cc2584a931ac
SHA11ec0e971be84d5e980988c16e1dba3b5323e7ca9
SHA2566c699e95e7a018673fe586f5b96ead5bff5861f22699049d72d92ecb53497a47
SHA512668ac3365f98ea2c6ba58d13017dd4a2f8ae28dc4bd8e8d72ee6fcfc3a7b51bf0b3f658e8a95c6f5bd2015000f3a347ca417915d99ca4fb7f4a98271a27ad1ae
-
Filesize
13KB
MD5d80746b2f94a3a28e380735d4b8a9ea3
SHA1adf85a8d951e2ef30100f88bd072d333839462ad
SHA25645bdf89c40a35f2bb5e8a49a8fe3b67a9984adb4f65bc40ebf4e320c50194218
SHA512cfc016d2f98385f407d660e276e31891939792d7de667dc8fe0faff37e38fa7f02b55526084682c75d474757c2dd790b714ac2fe1300f39f54fea61b4b3780d1
-
Filesize
7.6MB
MD55440ee9cd44616d60cde57ebdb286e95
SHA1bb7635d6911311b2f3a637a2e9d8446fd0698678
SHA256e3ba35c5572761c20eb59e25b2332a0cdfb726c48963d40291d7f977531e47a3
SHA5124600215bd9788b30aa5a5038d6749aa294ca0d6d0063335979d2f4acc29af09967a9160bfd8a2ae093f7fcb95c80fd51ce832cb639354360965d0202a044e1a0
-
Filesize
4KB
MD5aaa2e20588e154a10747bf1b31b55125
SHA103cf9f79b9cacda13aeb644a88180222240b6f0c
SHA256fd12cbad7d1155b311d97dd5da05869200c50e7698ce997cb96004f18018ad2e
SHA51229df908a09bfd551c50a3c64074c88814065b5b4cdc0d8a1fda5b1d01cb1f1597f2b71b343b59b9fe99ec7123fe48f9a83f93c0880275c19969523a8bd56dcaa
-
Filesize
108KB
MD57ecb661f50f34a941a44dac7241f7d08
SHA1772b0df3ad4a89a078cd4ff8e5f45115778d04a2
SHA256e2386b60a73fa7c95a8968161fb1c84dd9143462b2880133778a3027f75730f2
SHA512aa007a71da51b145a7fc702a0cd8930d43e03a884c331afb48de01e82e06c20d2a5325aaa893d03a25e5b670e9e0a03f002b55d9620202b6b48045e4a79b577b
-
Filesize
16KB
MD5e1eeb7e26ab04075eecc7275239b20b3
SHA1ba62b37d4233b88948fdc2ffed08f3c82e8627f1
SHA256d6cdf961c6d2712fe1958815e51a30960d79fff1e97788b7741627dba972e8f7
SHA512dd64909c983794c8ac6c33b74711a89b3b33e4429bb5a3a2a2b4e38f5d74902b1589a97014a35fbaf97b469fa57a11314c02d68e1db0934de5244308699fc262
-
Filesize
4KB
MD5f8d11c60b70acd2ec9154ee676f615ba
SHA1a869fc75f44438d9207511dc73bae976f558ba6e
SHA256b342088c8a4403092703bf40062041265e12edd204aff4f6532226478a65cbb2
SHA512c4c324e22ff7570c6d9a6fcd5ea3bfc4917a404110b3e202be847355c57c189096feb5c37c0a36c541f4a9d9e80bb1f1bc5db3f4146e515ba34468c5547ba907
-
Filesize
78KB
MD55f0934c524364c1e1a77db8ccb832c5e
SHA1848eec26bf024a7c350bdb02d0e92116a4882b76
SHA25682589b2d5ecae5ddcda39076a33180b6cddb7f54a0cffd4329087eb1f507bed6
SHA5121ac672272b16a6bfd3977886fb773a21d8606a873478ff036a462728d18b59e9c68a08606e1f869b7e6606416b74c90c72ff9be33036371282564b0d3723a222
-
Filesize
908B
MD50ed609c8782c37c67a5ca7233f08d103
SHA1c286345aae83608005c0e20aa000acdbfabbdac8
SHA25610913008d1befd194fc4c96cf0ea20112e9e075974ff5420557141b7ffd5198f
SHA51292d4547b36cf76823bd9658cc8476afa33f1b20425fae2bd05ea353b6d4de6929c5b72f10100aa1b11493c177df0526aefd1e7d3fabc10d848b88d9f0a382d9c
-
Filesize
11KB
MD5524014d39a54d3908de59807c09cae3b
SHA1cc166f76626f94cdbabd8095286a82a474af9f8e
SHA256f259988c45f54338d57175fcf4fb9f895d484a4eb0c4b861a3abe885c263be66
SHA51202bdff78beab753a58f46579e61ad4d2953475edb53b57f75ed4828ff04d9641f114357f11059ae28d82c1d28f7433a4eea7b7cc01c1fcf85bb5dc6d58261182
-
Filesize
908B
MD5d2bc82e2f203cc4778ff312475a1d37a
SHA12da7e8f3e8e4189acf5624bead6b7b983af17e5e
SHA256e34e79770b6a3a4ad1583c9a90ac12aa4348ad134366c0b0436f00162fa41734
SHA512976b018f717e45136be48ee8b4ba2593f88e5ca3c6d14602621d2a394d13bbbd6e707ee3a611442caadc3f5f1ac1a8de87b0407da8178a74d25404cee3d9657b
-
Filesize
11KB
MD5c1e58c73d935540d0673dffb303aca5b
SHA12a95a12c512a2aaf29587db1ec4271cb92846bed
SHA2563d004ae76cdc99ece59a0dfb980182a727635459eefb4590d8e2c80ac3115b44
SHA512471b7f432369940d1854dfe50a71e06df25550704efc4f83c60815bc017dc19f875e2ee3733a9750de4e79c6413db59e762df42777b945d0bc045893604b23c3
-
Filesize
224KB
MD5fda48714f6a291e25a1a219e89d59d9b
SHA1c1e8ddfc64995c0acc48623f30aadb1448bca62f
SHA256be2885e897470da3778a661158dc21f32a4aada769996abda082cc4bb6030086
SHA5128508ee381bfc5d2491fdd9b14603003264441222984762d14f06440afbc2cc88d80b95bdbbec4089127ec76402408a60b850e1f46ebb5bcda5aa3ef1b6ce70ab
-
Filesize
1.6MB
MD5574d91266ee9fa03432cf50da30dd232
SHA1b5c48a695fc376c174a79954a6d49280178eb4ae
SHA2566f262bba82eed8a8d69fac44e491b99cca2d4cd448166291ce2186833e730a85
SHA512f052ec088a703e50c893decd7f88c0af2b36251dfc70b08e513d55964d1be299f0d772d52e71bf0aeb9abb752eda156767b8be321320e1c60f78af285b33aeaa
-
Filesize
898B
MD5846e77a9f3c6bb2ecf5518d470b2b908
SHA1f16c73c5b7a4b0a596ab41472a246faffd9a9b01
SHA25617a9b9222850ce3e6786cedd7c698aa145453b37cf8f03d676fbd89f70afa072
SHA512d94115b82c4abb4570a821919458fb2f322d939928fba6f00fedf139f489f358004de4db3b58b4fce05afcaabf7fcfe9e51c3cb7d0f6f43bebc56c2094086941
-
Filesize
11KB
MD5224d8b3ed1cc4f5b32e295612f1c263d
SHA1d84f00249e43dcf21d4e68c1b2b21efed5f3c267
SHA25620e49d3119901517f055950021e922971cc65578c4ea2898593e29becafd2676
SHA51287f9a1d17331e85a3df58fcd92e65a60f7b1a74eeac6c6707aea56fe7dde578f1b09798dc3f7a7c0a4b65696524793d7121b19d27902ecfc215a3233128dccd2
-
Filesize
898B
MD5ec5a78ba8d91e89c0d9b3683d0cfd5d8
SHA10db33de0721fda2e302c39b98f3987ddb9267850
SHA256b3d09766f50b21e4b825d1ec7908cadc7fd74625b4757dc7952344797c72ac07
SHA512c8ed1321211aa260ad8fa7314cc4036a743c0bc1ac06defc9d061edd4c3032f1e42c6cb06f2fa8836e66a0a4816a921961a5379b0e20ced8fd4f398085b125d9
-
Filesize
11KB
MD57273fe5d0ce6473e646ba240e3fffc8e
SHA1af11a7b48bde2b1046779147c84d3287a469639f
SHA256d4e738f4e3d39e7001830f71b52836a20707d14269cba22f34f3fdf0436981dd
SHA5129efc625c42ce99028297b23c78226264c851d74d84158c2221c2ff9faffd37248a3977461e9fc021e25b903bbc11ec475178157bf9fae9512bfe39eb98404a6b
-
Filesize
898B
MD52408534b8cefaf5362700e8afedf070d
SHA1f197be5f143eae025a5c40837b8432e89b8752a3
SHA256e89e45dabc6a2422cd5f523d554d6314cf9ecec2238e26c6d8f63f040ed9b6c2
SHA51294b78d6d0b597fe9b69d438f4ac3d0855ccc9c684a28070bb9e2cc44d171b5047b8c3da03406a05405c74ab56081dffbfe84478064b0b0884bfb6e415c3159fb
-
Filesize
11KB
MD56d525c5be39dd69154fb0cf297fa9c1b
SHA148b89a8803b7020d7a0bc5dd760c261b2dbb87bf
SHA25682a7761c6042176cf97947da1e910ce8a320fa7a17dadee2a115ac5f34cdc744
SHA5120a0416c8a7f967ea869ffe2fe77535cdfc9211d78fbff89e58cac0a4cbc38ba182fb3e88f4de3d38c010f6222ba52f8f10e3f58b4d13e5c7438f9a81a8f871ef
-
Filesize
366KB
MD5d78266c35a0ed4bb6fb2f6683c8a6e68
SHA17ebda40cdb602b20323e6e7d24f28f25a931b11f
SHA256c68b82408df6d0e6f7c7ca0a5e7d1c80af6cbec57788570bea58efff8053f306
SHA512e60ae6b2cd22614be134d06ce823bc5d31d0aaf1f01dcc4fd0f6021bd307609e8d2f47ebf8490d3bc33f0b225303b63e44f09384bc3804494f595e876e673854
-
Filesize
146KB
MD5e8013aaa8fea097b88d7021039154ed9
SHA14866c788df4739c011e62f3634989e8959832730
SHA256a3334e83a418db4f304a621c2a498db48c0f8fe21f21282cc61e5ee9b80c1370
SHA5128614a03a87b2c06d1d2e577def16deea927e010d0f269f37613b9b737edf72350a5457b22a82d96ffd6d02747bf70116be301f891a0b103214ea3a8263cce32d
-
Filesize
898B
MD54da7266720463186401b1ee9ae625e09
SHA1040cf60bc1f52402d10e0b898e38b907dd9d9ba0
SHA2562ec5d00d46355af4cd7d06a00745e726b87c329d090e0acc02f767e75c60601b
SHA512da22f8e24f5d59232adf9e77914d65a82ec2bb1331a83f72c2d45f8e6e27de3bf113173ba56bcfa40e95851f105bfd941cf63392bd6d4fd4a9b1eba36087c091
-
Filesize
11KB
MD591d3ae6b71705330e73ca4159817ff4e
SHA1a941037aa373a426e73dfb853526f150ce4457b0
SHA2564d16c2bc77cc45c596dabbccf24e51b8d6b47c6582d540993856337d9c7dd6ea
SHA5128866140622e9241bbc2a5f7f26f659b7d2dcae7890c6ad357f76afeb5b96e6b30914b2b223906cd1f2b29eea27e885e33774782cd2c3b688aa1da72ee61a56f5
-
Filesize
898B
MD5de2943783e864e16eb161a507dedcd3c
SHA1577774c71730c72d22a80e5d049073fc23f8023a
SHA2566aa7490ae4134caf546322c9aafdf062082536e1b4c8ed063c8bb5f93cab8afe
SHA51200abc7a380a864e808e2b0de3dfa5555b0bc691b0d8153bcf24935495b21722be21f9143edc67c7a0fe69f9e3d1e6ebb3fedd633efe439e6b58c1b5594c051ec
-
Filesize
11KB
MD5da8a2cab1ddbd3fa6cfa43c0bff54348
SHA145268d28d4e628781f65f08612394ff7e0d38720
SHA256a19e7736666470a6eda6d00473cba753deb0e8fb40d3311daf3c50676040e200
SHA51218be388c509985137e34d4ccac72e60dd726f9c64b76e25988b7c91b3a306f1d15b21546face19ca087db02b0949306a554a889e3832a39c83f5f3686dbb5b10
-
Filesize
898B
MD55062f0598bc909a99bd21ff77d3421eb
SHA14917cf83d7e3ebac3fbf3e405c4dd633430cb98f
SHA256e2e634f5552e5214c79cdc2a33672f2cefda7c73fb6d9c7b87916130a969c4b8
SHA512ed1d812cdf867b963d0a9bebdb6d63698bb107409920ccdb770e197815f5d72b35cc8c1e3602d4b5c63adf06c0d9e125c5a5ad6eff2da22df373b06c7c88be2a
-
Filesize
11KB
MD54667b1d3fe384b97a94deb1553af2174
SHA1e14902922748fffc1f65cb299b52c114887b761c
SHA256705b42f6a55a4cecd347ba954089148572ba9fa033e5a08dba176b652488457d
SHA5123f2db08d7fbf8f6042f7ff1001f20df3879402a25e7d3b8bb7270ad3be7216ac07a8ded7cd62568d6292bcf3828286105e1d9b87f21dc3e1764d0bc20985a8bb
-
Filesize
54KB
MD54f94bf5157da351f7d0089a0b72b1ad9
SHA1c61d8fb8801a3362fcb8eb539003c996cd94e9fd
SHA256257b042bbab38406cb720fb9b2275828b003c6be15933227ceac68e08b846412
SHA512f75d0365f67ff6632c8d1a3745e8e8eab55b25a562841910320dfda967a5428a5afc469a211e90d7ac78930fd55e0597b11aaf15cec5e57c0f22c02da53881d5
-
Filesize
16KB
MD5df0c6bb7965a3dfce5f0f158e9d5251f
SHA15250b2c7d557a71dc9fb0823fdc0cc94f0a81e35
SHA256883e42e3319fa4c059623e4d5a937215ad2f2cb123e88aaec27955f258627c4f
SHA5128b5f7cfb9d3d857b2396706cbcda445b9131abf79e84296ecbbffff0dc1588b19399b506e4e3110ac4782f60ddee081cd5243e598e0871738803512358efee04
-
Filesize
902B
MD50da2f7810a668012c630db3fa8230499
SHA19ca963ea4e3544609741308d71863bc86a0c0ceb
SHA2564d997a3892a9fcee4bedb3f47b91f068d6ac823c5ee5f00d1887634e438f41c0
SHA51257e214fa9ea204094bed5086d6542a32774b3f234edd93d6f9eb364cb7a0825b2056bf2a299c65f8395545fe7f5e21869525575dbfa3c0b35c796f8de6c543ee
-
Filesize
11KB
MD515caac1ec79f05d8aa62aaeec6903e8d
SHA11990604b5491cc83a73f592d1e70b41be5a2d998
SHA256e485f4d3468410e989c147c9abeef742c57650a794e0ff18c2902eb976d25cc2
SHA512d418191828c8fca0a4d092d2101191fa5afdeff417cc4c9f1ba02795e3e4981a3ea3b0478c6abc00e284f95c5529a686411b90870569bfcbca15fba61372d402
-
Filesize
390KB
MD52cf01239384af6de8b712278d7598e90
SHA1613cb264d8628008809878154f6eb17f35031c04
SHA25651a234186dd5e1087a7ecb79bb8538767bd4bf46c645e1a6e83f972de726e95e
SHA5120e2dc0cf2d2925895af2e5fb918f0c171bcabc6dfb8c094dd63ff7df535f776ff2c3ab89038ca5bbff0f4c02d8474055adfe3609c70d97870c46504f7bb871e6
-
Filesize
908B
MD5a9762e02d260a34b79fdea198f3e82d6
SHA15023fc4a74ce1eb15893cf0f724e658c9c5236eb
SHA25615cb74f02499b76c42faf72e6364392bfa997d0b2668016bec69dbd7d0571578
SHA51261aba378b6a2533b9f67b4f46a2873fb08be4fe55c0de18785cd1720f4041aaf003ab0310a1d7415d8153508789ceaa82fd1b0731827f75aab41c5962c905502
-
Filesize
11KB
MD5af6ae18e360ffca6c0ceaeeebbf6d8d4
SHA10b4ee1121e9070e95147f6c1664f23a9c772ac7a
SHA2569ae57781418fef37b51dcbeabd4e26dd82a35c3aa2c15917cb98656889d3c7f3
SHA512eee57abce64bd9b1514a5a3a074948547725e78aba19e085b53d9e8156613a1ee30e60fef77429844ec4abd22ef02c45fe9f31aebff0eb7925e0a62e2b4efad0
-
Filesize
908B
MD597cf058f86fa06f7e5893211dca28a42
SHA117bc3e8fdc48c24ca60d7b1ca10acdbfbd8b5e9f
SHA256742530e55d505236eae91ac26a923b2efa8b454fc0b449ba43f1d6a28ac5b52e
SHA51284df980720e846a8a3651d62f2639108818d18db139c6e0b41acb0ef4642312e11689bb6971ef778c1638d8d53430571eb8d560061e6e8c0cc13c1f40b35fcbb
-
Filesize
11KB
MD56a5ee23e3d7b67dfc39ce1c085d8c654
SHA16f9c0d88df3df2cf86cc543822b2e6196e849b15
SHA256b40f265fe31c5dec0943b2d910e997ca1840ee290912b814eeab333af71fbd48
SHA5122d0cb3ada34426ec079933c96af4e3e67795cba52a6a78b520b7c7aa02a7e0eff53a33da206c7843df42a257474380b3014338c2063dc8848edbacbc6cadbbc9
-
Filesize
908B
MD59184814c35561939e4b0ad91788441f1
SHA1a5281447d62fb3acb7915e757c68b6c29ae69adb
SHA256788f42981bf0bf25f0899d9e3c19a0d6edea44f9c1f9eb616160de99b82e8d27
SHA512cdd744fa29b63922cb112d645badfe59176bed7a5c2ec12e3e8d095ca2401588565f356aea4a1f40157434fd8d20edbcfc92febc4fc33e4a13a20abcd38ed199
-
Filesize
11KB
MD5acfd9dff068c374658366e397a5695d4
SHA1bbd33c62b022d3592e0c2a67144070ff4e2709a8
SHA256a4d8b8a525271bfa836744b7705f0993ab454d9a153f81b3502cc62d9284dbfc
SHA512b2ca941ee0d18bec576ba84e09403cd8dce41b9017134581f1a2e2babe25dff99e9f172a6e9764ca6c58d5ac679405883640e2b7bd108cc0308336098d9099ae
-
Filesize
19KB
MD5f8354171db5fc4506cd0a0b9a3c9eaf6
SHA1f155f11010d91896161a2818815a1dc32f183731
SHA2566131d4341986952f7343eeb984544a17bb5f121e1b24ad572ae93d928f9179fe
SHA51210aa970372b956ee7d018b4d5d8bd7faedaef20b83ada551e7a260730d5a642c9ea13548743ebd470f5ecbc7a08ddead828c41e229c96538d93d3f0ea7cea52b
-
Filesize
904B
MD5967be7e7a5e3cfc4902a4dcd26eda18a
SHA1f0b364113ccd380a256a3f6217b8795300d0fe30
SHA256071549c2a67ba11cb90362c3a60b904e339c66d33add4e0fdaf348f17365695a
SHA512db437ef46aae9b0f45bd21958397c163f2c55c85bda25215af041023c63531ae3e0b62fec62ba76b70c6a297b928fb7c8a79ce82463ade93d22a6501b756ccda
-
Filesize
11KB
MD5e9e2502356902589e8b0b86314294f30
SHA144a972c0ccbd52ac6e21f2c0cc1dc81907b5e7dd
SHA256c1fb9faa66ac74fd4094538d83afa96c8c3a5bf7f30ec302b7ed1ad1f4d99b25
SHA5127e51bd97735028dd90e855d8e661e2aa8c9e859e2b4c02475d65ba67eab8cd99ce207795e9a6eb4b146483852bd90255feaabc7b50534a7efc43bbfdfdcc2849
-
Filesize
904B
MD58a138a7c5f6826e2adec47162589bdc7
SHA18ba9043cc728827655406126e46950e6a6bf35a1
SHA2569d4041b781a2fe7e677cbbb210497abce1c6e566047fe4592d6b2bd182768c43
SHA512beb99a0c999a2e2b3bee93c32246826608d74c95b4aa1e5993228dc5af9e1a775035f52bacbd488d7589f9821fe17df2652f94bc5b66297963fc3f6062b8e0fe
-
Filesize
11KB
MD5aef35350473c3e263b6d8d4a76616b7d
SHA1265bf8cadf460109a3a2d0d8e23b7b1eb18d7660
SHA256fe61442089ed613075613d0db818e9f1c87907dd5c76dbfa67e93abf7f24e135
SHA512b4f966b9c921364283a6dc42d8b44ec10e8d032089dc157c23ecfda55fbb16f86b9c02cbb22fa0eee51dc784ed83876c9b29ee9cb1cbe823e3b99bf08e46cd76
-
Filesize
904B
MD5a5c7d3197e0ac097600d2901ed4f6e77
SHA1a459c50978c7e377f1130d7779f4a2fa41d0033c
SHA2568d0b449684a977a3d81b8fad0663a20555504e8609c987e84364a6e232b51356
SHA512f9d662be82e96ff035c7aa938a9de7f47162bd4564575eed4aaa42ed4ef49ced0fa4a9b6b2b789b5655c3ac6787f7b3c8439d82962d9668c1d31e62a54a804bc
-
Filesize
11KB
MD58b1132f4e0387a233497141cf30b1edf
SHA12afb866bc5093b1281b2ad0fc4a29bc2cab035d5
SHA25651063c0b520a9ab73aa3a0674c593c3c3de26fa9709175be085d2d8c456ab54f
SHA512f528da8cd45823fadecf870a348f605e8fa199c6bb139c7930392cf638289c794ea15746cb0f4b9d918a1fcfae7c6578261e7c20fced854e9afa20974e252490
-
Filesize
918KB
MD5be6f4fd7365dfa124d60114095380602
SHA166a41958ead9151d7e61d690f12006ca8a40df89
SHA25666d6f247e3cae875c3c86dd16ea1aa3512663b8aa8626984007bf5343326bbaa
SHA512e9f7d819714c905577a2603aa30cc72b87b7a66561c7cc6029dedf48de78fc3db580069602dedbc6b18496217da6b94bbe0c2734ba2dfa5f8b57b7fc6cbdb781
-
Filesize
896B
MD5070f18d93af687edf010efa343dcc983
SHA116858f9fd0d8ed788ec49460ca2b596c193d2af1
SHA25689547b37ec7e20f96e1f1b9aeabbe86cac8a0372bf1520fbc2272eed16f8b4a0
SHA512e7b9ca446b5ebf397e7c220e8a0f639ce20fb35a11010b641f6727ec1c9119093790d4f5521ebb28e8f6de4ed5c4c4f58a27355fb5d012ec949f0de3df5586de
-
Filesize
11KB
MD5a06591a7b689e5fe00f6755a180af130
SHA1a581485fe2c6d9acf795e80c7d6b0f3a0e721584
SHA2566555b4dd2c4e4164c8e00c06f6108a9c1dcdf141a5ca54bbe5675e08750f63b4
SHA512bc0195276fa8c7937c7c39d567a7f41cc4ef92521836515c11ef5b422d68aa791b96fed829900e998435eb5b719c3a21e58c94534ec1fe4d637e39d43407e4ff
-
Filesize
896B
MD59f8ecff52bd15cff2deeb91bd325e101
SHA1c82a0eddc66f95f0bfe1fc984671837cf0b07a65
SHA256aca44b663633d4785d4fca1ed45d2c1d58c994fd927374569b8b5bfcd7079170
SHA512cf52103d480a589e88c909239dacf5add2467adf6f4ad52d89af16ffb9a5cb32d7e771fe005694d37189ab2ecac08cad9ca7cbcc7d971f17d384a959705f168c
-
Filesize
11KB
MD590891a2ac9ef19d26ddfae3dcb69fadc
SHA114af0ba5b5b4ed5dd82685c7e50a544a5c5e7a98
SHA256dde3ccb81cfcc3eb4cc65752fe14bf0c7ffc6814d55f7c9bca4d9ae638b30f6d
SHA5124f97ab143a719bd614a63a3b34bb6ab6931eedf310e2e077c361fd63d2d579e126a3a419256834b021d86250114ecf4c0ef120c9fb267be9aea004b252c17a49
-
Filesize
896B
MD5f1e8d3b056eb17b33d6d23b5dd20eb56
SHA17556e1bf214dca70ffec24768f3c549ab4ab1886
SHA256e709b2b5901d6987b46febd4f3d5ba50b94e4ae4e0a6bde09ec981509b72000c
SHA512914b340a8c175dfed4cdb99bf071e14ab787481517009ad92680725368dd7b7667dfe2ffcfbaa871b2a9edad6b8566828133dccbd0a0c7fb90cbabe4f812da87
-
Filesize
11KB
MD53fd311d5a5cab694d93c6de5ab39adc6
SHA12950e2cecaa45f46dcc443037c7a4db550533578
SHA2564e5cd2074b70b073ff9010a22f6e469fc08c93f63e14c85de93377c2d0e97fe3
SHA512fd884db714d134994c1ef742ee85d5002b07e29b8bf1db2120a4139198f162ad67b093be3f232eeff3e05976ad243ef691af69db86ebcc8e2d6f0400245c6a35
-
Filesize
44KB
MD5bc959a160882b0de0583047b1b5b93a6
SHA178bda837a0fcc25623b54e95f3eff76c3bd79332
SHA256b9ffa79403a9c57e5a36d6632bf8ebf8da0f6256c0b71fe4dba50390df17702e
SHA5127cd370afe9903daf36543a2d57ffc869f2ab324fc4ef363119d4923eb3b6079485d6f1a0304b94b928aace18900d034d74ffa0d1cf8382301f6e22f4daf4f0cd
-
Filesize
41KB
MD591ceea551937cb5da627f33ef7995ee8
SHA14e7483605c4027381e4796345f0a0e6aa9342a5b
SHA2564256104f1e0eb69836f00b38813ae62f79abed1724e0b07f8aca908e7bb74806
SHA5122d720c8a331278707913fc064d7a0c2727ef13b3f8cd46aa4e4a2936aab2b1228d78c1662856739964a87a33c312be2d3f65170f38d65545f3a3184c0ad635f9
-
Filesize
76KB
MD57173d17aa9ff4cda07fbfff21a584a67
SHA137b04626e282aa6ae2a2dc96117dfc5b0b1f25cc
SHA256972595aefda400197282647fa6d6e40b58ac15591443213682a87d1ac80cb867
SHA512b583058ce0a7bac48042d63142342a430701f96bb8c8c0f00e2bdb168cf431e2f98a58bcb889623f6e6775195a9d4bae8f37686a48a2cd0034e426d6089a4167
-
Filesize
35KB
MD5da7787ae5278031ef79441d29599dcff
SHA14e2a4c70035808dd8bffaeb6ded8fe2980566e0f
SHA25606afbd06123031d3198a25ed0cbb7cfb08c1184cb58ecd7d12f42c235ebb5b39
SHA5122c1ac894e778aea4515be33b9e894f89a527a5106734a8ea6d6693557aff8417a7f7b340834dd1d207e85e250e718c1d0365332e77ffece2f9e1e81b0082bd7e
-
Filesize
35KB
MD586a1d818b679edbe94ab51b963ba79a1
SHA12b9ee6b54aa2f709442e7e514335e2548c933318
SHA256b36b011818770bafe044bd83826f38eb81093f529872a0b83e341f6863b3cfaa
SHA512ee1ee27bc740b4e4e29a11f4a428b5ccf7ef545444db972b64a8f4b7884462b8c589b5911d7d33e3f2a7b0d97dcea0b5d610a99a00b04d8b3099e695f9acf5b9
-
Filesize
21KB
MD56083b2909a6c1ab52ce84da1b435e7cf
SHA1e851ccddf1fcb0c2fd9cfb4a357f72633452f240
SHA2560ef563502d57298ab0962de24692931a32327fc1338cbd80b6b0b2cab067c956
SHA51253b8aad68d574e57f88fb3663b41455859b2c84ddbd152aa1f0973df15ad1ea1e72b57b54a0984ff8e4abbd1e4606833fb2e132d1d49d428f2e0ea4e7c4568f1
-
Filesize
24KB
MD5d87310699e3baac5ecc0f64673fe3485
SHA134460b0eb74977b98d9d3e683d5ffa2aec11059c
SHA2564f9a3c48edbef17a0984c473d0d100e5541a26a92ed4ca3b336974c5eaabb4eb
SHA512096196d3ff876b7cc5173e0d30125174e6fd1bb60432aa9cf64c3b22fd5ed2fa5a8bf35824e5840ab248b1015907eea0eddd964b4191f52454b03edf583e0b38
-
Filesize
280KB
MD5a3ae8e892e025e479978fb07fb449784
SHA171a1641ffb0da859af5e355c5bf4a9bcf1746e74
SHA256a991c7d6fd80ce581f8bbeb7268032f06c9434cfa67298b0669c84d38be6535b
SHA512e39d58dc26f8710006fefb51cfe1adb34c8886b6b281a8ea3d87a89c116e255d39c028cc42fce05a8ed61dc0a7c602e344e6c0957bc4156f9a76677687591a54
-
Filesize
108KB
MD51c8e5ef9f86430fbda800e45c0a89aa5
SHA14e18ee249a208dbf7d7b52d412fa0d402fd3ff2a
SHA2566e18c01cb3fd1b795c062a00d2921e8e0eee8efd89fa77d50c5e16f2b7ce74b6
SHA512721f29dfd9beed272cbe213eadaba62aa1e1979828b23a226cb05eec536ac495eb33a01da05de82a23113a6d0ad4012032f453339499db3816abfecdecf19b66
-
Filesize
152KB
MD56742f826c21773c933fc2a68ceecb99b
SHA1dc689d3fb31e7cab6a33cd2192d6114542173514
SHA256a203989e4399f9443a8848486292dcf04d7c7180dc7d1b4af07030cb0532e036
SHA5124138836bf9561104facb88c175d9a1d29863110b7e0108149cc0ff32edddbd30ee1b0ba4b7ee8137ffe36c973aa2901f7c23a3dafc79a26b09a64a8b95b6db9a
-
Filesize
140KB
MD5cad14a2ced4a556139097c1f716eae70
SHA19552115b645c17165bacc2231725b3f8073105a3
SHA25635cd20b4567788e3229be61becd6ea1eb115a2b81bfacf3d65d81d0003ecb96a
SHA512df629a07c217880f174d52772090d49a5e88b73c0df45fccb714cd6ac4c01612e0aa755a1a0b9ba6c2a7a6701e6e94653e71a54c97a1076b7a5bde99d7f0c331
-
Filesize
189KB
MD51f50737bb92b1f71b15824a0f113d3f9
SHA14d78793ea921986d011a024b91ac59d6c02de6e0
SHA256f48f267a6e081809bd5ae607aa649529849a6541ca303a5653f6515d865a6b57
SHA51289e6be6df11dd02896382a7cc9ee41ce74d5bbf845722531ff9a26fd2cb1a016925ea7d4948a4a652c079dafd084538b9b74c4a5dc0bfdd3cb2f0293796481f4
-
Filesize
76KB
MD5d68368708be2b6dac797743e23dbf655
SHA1e843b858d72359ecf6fcdfca328ed19a7f23210b
SHA256dff2dd57e4892ce613b160c935e2d0215d3357edb7791ceaaf880b5995c98361
SHA5122542ce485c0c630b09be44a4faa841a3ebf2e1b7bd794e0b3fda4e866d97361b014eb3895c70c6b7acee4e29dcfd46b76697a1602666d1febf9cfa62988ea86e
-
Filesize
428KB
MD59e877ffed2e2c9a013c59581f88786b5
SHA1d3bbb3e2c36520ec267463916d3356bf4fcd8037
SHA25613f36534cf603cd722ac9078e51930cba190395d23d6688b65a8c788262759e5
SHA5125b4ff6de141bf2dc321dfa05fe8c93f64ca91eae6b41041264736c3c6db9d0520c135103873c5f32a47c742fb51317b3303e7656cd259331113f9b876ad17613
-
Filesize
292KB
MD5bc9a83d77cae33f9eb9bd538ab65b2a1
SHA1363fe5bb344cf1843d5f7eb2b0a725ac491ad6d8
SHA256d0b2520c660959e388b3b24b1ebb7a6eca25dde878b0c0ce798657ae422a9c3c
SHA51237ac66723c5bb78e45df3ae7175b497353343aec2eb5412213e3c6a1f3558e9cd68479728644643faac97c34ec3f3c43b7d01bb36b1e406613cb46ae4cef1c57
-
Filesize
128KB
MD5c7fc5f01de9577403a1ea8aafad79e72
SHA16422fa355184394ace02c0ba88e5b8af3db7fa6c
SHA256c778577e39211753844d5fcd2267464c043cea271c1477e866d40c9cbdbe49ef
SHA512b7af7af4aa1dbe92000722bad422af6d54c842af065427e1cf82f61b1a0f82e71f2a2c9b4b12d1642205dc54ca23ecd4ac61c8015076389907914b0cecd04e87
-
Filesize
92KB
MD5535d9d8441e0e22aa3f407c7197f8a0f
SHA1ec6d047e975c107a7ecdf78bf352a5a68f53392f
SHA2566e6afa2d6e7c46b9c64406efaf23bfdd3f7fd7a25cb757580f70730f4096ddb5
SHA512f5e051ef6af191d86797a55dcd114ae920f8a285191f3f09c3493497d381f9ec70921d712c93280b3c8e82fefa77c040cf51e8af3a1e52b040a7fd442d9ee95e
-
Filesize
356KB
MD55e1a793d9615d4d9e153ee416abc83ad
SHA127d231f4d1e2b473f9695daa21b22804db779826
SHA2568186f5e641a5b0770b635814b5cec2a5dff43158918bc1174edb328194b27090
SHA512f54e786f2fab5324ce87be1d84ae69f63afa4ff5399e00248451375d2a56b5a0d30c74b27e5fd56b06976ec62688b09dfa39c4a1a02d47c3aa92da21b5e95876
-
Filesize
352KB
MD503898441f5d9a8809c04fe746fd498b3
SHA135cfba8e3600bd0a3389e96dd56ecd8efbf5ffc6
SHA2568da3b816828229f66334565432f12973529f0d594b685c919b753cf2f692b296
SHA512dc2c0f6c8d4985770535962ad31e55c13abe248363c12cf55a14bf1fe9dbbb78a2c91eefd9a4711beb53606202b1c2d5648971339c4edb9a61dd271b61416b12
-
Filesize
82KB
MD5f148286b321ed09c2d17e9e3637c807b
SHA1b0928429f52028b512dad9c7e0996ee7ade315d3
SHA25633fc291a41f38880549e72b23ec4598cb7404259a93775f59bf2be17f798a69a
SHA512d175430df339ae9b0f46d00aac752697f95ced9f7407b2d15505645bce313536c065ccfe2260787d4f387ad548f02a94457e662c32174f36ee97a76fa8e59f0b
-
Filesize
41KB
MD5e3c8239a97601bb203b9e9037eed89c2
SHA175f0e5f417477d4c491e8ad81f498faf761618a1
SHA25627864727360196540664a55e1808db79f07303949156f843f0520106ebe047db
SHA51271304187ca95a404d6d175d40be1dcf40d1744c644412e702a25fe7e9745977e3f826d7a9ba1f694c3da4382e8f97fcf41ec8dfdf40240dabee932619e26e7f2
-
Filesize
76KB
MD5219c69df0c23fdaf84e4c9ea2835a628
SHA1d3b091bfcaa8506d299cb1d7453fdce7fb27dafe
SHA256e9cb0016e439bab9d34038b15798cd9261640dec8c577a0035314de5d7892457
SHA512e209df73a2dccfbc349657925ba9760dc2ea9b52e696f5159bbf3c729e768ebf43a1e6e86a28bf6b023dfc78fd217f03648513479956bfffcd4da04d1cadf8e8
-
Filesize
80KB
MD575e8bc00ad7da1e7628f146dc33cc83a
SHA1b140b32eeb3cb2223efc7c92346e3c4ecf65eb7e
SHA2565a35e93da45d610cebbdc4980e7a33b3d094039a49823561c8a3fb87e88f747d
SHA512b80522f835414b493c97715823902443088bd33c7e54a5fda665d73de7899df5e59c44aafdde33ffc9d71dc7c48036cee050dfdd87a24c29a9fff8ac1253acd3
-
Filesize
48KB
MD5775dac5f81248b14182c82013672c42e
SHA1cef7bba712b25da04f60f597cb614c7e4b87f24e
SHA256e95e6d348912c8bec21b006ba6ef77e52fe74287debea2864180c0511e68766f
SHA5122d99dd61a4ede26a11e6f4c3569732c47911605543e7a72b0298ad25e0a573ba884bdd5719cb8b7cfae43b25f41ccb764c8a233d978346bd49bee1104e7cc97c
-
Filesize
24KB
MD52a9b706d83be29f32a28f29be397e533
SHA131135de80dd7b7c4a27516806fbbb13d871548d9
SHA256db47a4a99dc0cb5f558891ff552f75053122d04f4e4a2ff6165734cd456a0236
SHA512cee9cf2576729b34f1352f63d9684695bd491586d31d3b3e81b11f2136b3843d513dbf59280b5aaa63b1cf085f0840040abcdd9d3d72dc15103987b2ad812e64
-
Filesize
36KB
MD5bd3e2c28c647533a057b5cdf8bff2c5f
SHA1d36c80e460c5dde615ab1c268bd89309225ecb82
SHA256f2742a96cb0a290ab71e316c086db449e6262a4614c70956f69165df8f9a0d3b
SHA51214aba74084828f9710a1880d8ab55d7c76532d90ef6c9b8b5aa4cf7c67cbae1892b909b35e9239afba181a09f5bb59bf2607862d16330cae09fdcee0248a18cc
-
Filesize
52KB
MD563a1e9cde10490008ba7ef47a12179d1
SHA15299af182b7cf08f95fcb3815149d7c54e73187d
SHA2569b151503214ef428ece37af31d3d8345f1dc27fd26d17b59c52b718e8fd08bc4
SHA512dc4074fd0614212d54dad0370bb99d53dbf9078cd3d4981d96f5ecebe36c82df0406cb2c232d07a1928a1ddddef74d832db3e7f479d5d3c1292481143c382efe
-
Filesize
36KB
MD57a016cec8851a57b2f0376ae6d1fc837
SHA1f161f9d8d7b073c1f17f55719c37124969bd7d2a
SHA25619e5e00b55a8b1fc36c33d0d4bd0fba24a03a0959e91f3ab59acb353fed9677b
SHA512f646fcd298b7a5d7b451219544ede8dc7e09aa3ea6f9a4256d336373d63b475281020ac70e5e08024e2dd8b8c886ff8607ae3139ada650eb8a6293aa0a141456
-
Filesize
64KB
MD54d4774a30da56119888490cdf3157b09
SHA1360221725daa9b7a14460fe6939d54b2173fb8d1
SHA2560ee427eaedbcd82bd07674c9793435443c5b1c0780092909cf791198f0ad85e7
SHA512eca13baee14a633c3a193df85c28eb797c18063977cea410d6ca41d0aca87379d04e6d2850a032ae5264e536863186e96eb9dc8baf1440517d69e33d4de73130
-
Filesize
62KB
MD59002a577c07ab2b99979435cd8b67acd
SHA15b3c6231c113b726ddd55fd8a8e3ae84b1526820
SHA256c323b9ebba3aabb01111f281f604ec0555c6030134ca18422ac7f6c73721d9c1
SHA512f4e066679e9c34cb44cb459ba178fd43ef2e600f94f86ded21af1583f182050178a57271f2a15967c2caa87fb6eea1f5409edcb87b95775245db45af6506bb47
-
Filesize
61KB
MD5218e31b07c6e07633a84f0248730e220
SHA147ee36529b741f3d52c487e6dad151f516c2eb5a
SHA256241e01940f6f128aecc75d21f148468eccc2d368883f0f5a869fb7f58f57e5ec
SHA512e0481b2a424da192bd9ae9728a89f7c1496e887f198150016ed262b924b1634b414613bb80b969effadb3e34a108992768102f48da7a41ea87b9f2a459a2ddd0
-
Filesize
81KB
MD593030b5af327ece3ddc3518410e1af59
SHA14be27729a906169d2afcf025e10f308fce35056c
SHA256ea82d8bd8289e5892cad2443c1d586c0a311ddee52a8fda0f75072ef2317b650
SHA512247e2d5e63e6bb12dd826e452ce7a1e086152a170e7f15c0d7794a1588838c2b6dd4038f07dac42844356795b72b5aa357e01039e419c6c5d90b05ebfd74da4d
-
Filesize
200KB
MD5c30dfa5fbf9f2e6d18ceb7108923fdfc
SHA1523c4b9043cd6d722c01215f64173b9287623d76
SHA256ec383c0455491bdcab4a1e8692359543d96f82ad73602c171734ae8ce45449e8
SHA512075b726d3e37d9ba15db1aaca781502aff97b90dc6a80c4e1be20368dd1c9df13160b9d8bce09bfe467b406f7d0b698c6ace6aee5b0bf4149e4508d9ed74cab2
-
Filesize
197KB
MD5fca2f9f00de26d0b5af4881836d6337a
SHA1b11dcad7c00c2c85354b131c796ae34bbbefdb38
SHA25619e6ec40e9a239b3b208eb3f7874a76e12adbfc8b865f43452296df66a14e501
SHA5127fae923c2a9c604991b172ac91e7e9e4298c01391940f23a190eb4bd3920c97af2476f1a4730cac350ddbd8956806e98870b46137b1711b224a6174c441af738
-
Filesize
27KB
MD5aa8ef0154efa83de1c2786ab1cb76f37
SHA15e4fcdf55c34538dfdda172a985731019f74898f
SHA256db7364a16090f58ce23aeb0426b005b1d1a965307d7d4de117a553c190ba5d57
SHA51217d3c193a516bf56ee6a28ef708b01c618d5a159d7c389be6f54579638e3d9c0a9a3add7dc6e19c6f0b63b235c53bbc186d92e77c60ddc297e2df8c612332bbd
-
Filesize
15KB
MD562faa6fe395c5810fe4fceffcba62966
SHA1ed830d3d1156c3a5ea6502148f4347af0c4a8051
SHA2561db349e42e9c57afdefc29f18886a98290099b74210cb396ac5485247bcee099
SHA5124e876c4afdce30b29275eda6ecbb14aaf56bdaef4a1951e6ad09bbe2af5a37667d18f4358c895843010336f467e0bac3a7f8449a907011124d4e374c7b0c1e54
-
Filesize
90KB
MD5facce237d5cc5e89d8e92a36289f588b
SHA15b91fe97781b107df2754a5d38807a597f1d99a2
SHA256ed9b46fd9f3275639988cb71eccb7c3f31b48282ed78e4abc9ae303cab219bf9
SHA512f0363e0c7414157dabf929fa9c4b49b74d86a0997481b48d29ec3f0708221d9fc4954f4ba93f4299e9ef0c31d38dd8a691b908cc6557864c1a4baf3f448286f0
-
Filesize
168KB
MD5d2d2a9e08ad2df5d73ca0aa0797cd96a
SHA1f6050bc38d27c805daa078383506b93c5dd854c7
SHA2561246532e2e335750fcdeb3c801f98eaca1ac6579d1bdcae1c5ca89f8b24fd879
SHA512197385ac8d349674675fb411cbd246b53b0860f8cbd47b79f6f05ebefda4563e75285cac2bef45ceb12cdfcd4b4d42c47050767608f96eaebc7111dbdbead1de
-
Filesize
55KB
MD5158f96bd130a9f3a1f7e91dc611e8b7d
SHA1207264f61e8d8cd77c7dd82e7c8c38927bcdef85
SHA25689885cd48e706c533aeff66d45cfee67561db4708bef31367a546f685f30eb55
SHA5126ae9e17dddd7ae166fd195d202d73904bf6482d727f0a9d5cc01454d4a58f9da027acc9591dcfacafa039379bf151cb385ca4208ea70baf069516ff98fd31d4a
-
Filesize
139KB
MD532f2ac5f45b93b733cab1865affd588d
SHA15062e6d2a8c1e06e19c9f0b29164915286ece618
SHA25638f422c1c5751cf6796c44fec1c478a2a5379ddb6f3512004f1fcedad3b35cd5
SHA5128384c6aef7c32ac0f10aad8490d82b1553c3d194dd3f7821bbe2c75eb50a6e5ece195be6c09615f273d3d4935163c15d1c83e7bc4ef45fd1113a9f0641ae0bf1
-
Filesize
351KB
MD518a9dd94b5112ea94f3fc9fc22ff8409
SHA197a0b82343ef1599e517946a2c3c259b61e53ca7
SHA25655758341c4094ac4cbf26712f45f1ed17fc1f570197538ac2267bd896a9f854e
SHA5127bac448be18324efd337c7cffbae2c6db763d9d7450e70dd33b214981266008b7e4d0a895c7fd214d908b3eecb9a7a0ac0aba1d57c9e1fdcee3f9e72c39de3f6
-
Filesize
456KB
MD554c12705dc6a32282762bbc4252e2b9b
SHA12d1fd38b5f3db7c7f0d7baee446a00099a506d50
SHA256a5a600ca8a60a0af629047ef8b227feba5221c5697f820da69e274f40869a6cc
SHA512c4d96a8d8064ef917ddb98532360a8bf318535b310f908a384c0ca140ed058f5f3f24f34c3992da4399386f546381cbb1eef5432b3ff2b7c19e0491dec8d4aaf
-
Filesize
137KB
MD59f735917c0bba0f42b40e719047eefd5
SHA1d8c1ef036b9d841db86ffc76d9150064ee836cce
SHA2567acd536b7e7fbbf4578ce24aa39740279e7ffb7477bb77f6a2c7afbc12f16c83
SHA51265522b77519efd6d43f17848ecf65d4bfed8f07d9f4212dce7f6c905650b4107396e7067c62802c7c953b02f78e924560c8ff151e195c0cab37606be69270a3e
-
Filesize
334KB
MD54b15c6de8b0cbeb6d4d7d6e14b9ca7fa
SHA1af3b589712be828302778a6e248ebd659fcdabfe
SHA2567150db5b3af392a250b79f1078c87848a08b6c13448943d5a0478c2d37645b85
SHA5121f68f55cb4c32d0abf929b3382d9b773369f376853912829299c6386648c39807c6242eba037bb3988ebecd0e8b7197c91583243154c569bef1f70d0d958c491
-
Filesize
75KB
MD5683fc126a13b915b3ff36735ea5ca5fc
SHA1d1ccfdf78919f51b09fbde02c2cf0f332601bd74
SHA256b8361411d7b7b0094669b0f74ce8afb488cfad61e2c26f76473db9ddae702929
SHA5124d88cbe5c42815940595b1c7d466ec84a9e753977fa234591c0b14d2d826423c5bef13aaf93e4f3637a669c56e040da53529dbc31339f18b0587b0c1270c14d9
-
Filesize
389KB
MD51a063e60707636e76e61ad9784bb1eea
SHA1baf498bac402a29b1330fcd20cfbacbc5d245cf7
SHA256878566ee8a41806ee9b9c4cf590e1953881dde2127616a647fa31940a5096cc5
SHA51239e2bcd04f4ee4e6280b7723a628acfbceef254fbea62833a34d7f4cba566c9556bfcfe2424ada027112a8b722da8349331ca416d00d0e3d6afbec96e3d91a65
-
Filesize
131KB
MD5d8a76dfe6188e600bd7a8480dcedcbdb
SHA140080e226be118c2a0a8f9dd70879467ec09f198
SHA256a1254966826e2849b1ba2d630e93ca7b75105c8d3acd9be795d625edf835ac0a
SHA5129a01c3290be7d309e23a6048731c541cd0c602669ace34779e1e69c29da154b378edf0cacfe92354996e293bad205c1bfaf6a003840cf53216100cd39bf6dd76
-
Filesize
8KB
MD5498ca4164255d50764a01ea647a82e50
SHA11361711fcf9e795109c4d5f9630029f44557b2ec
SHA256d0fb1048abd5a4c2c306369ffdee63b0eda13d32891081d40054402850db7c04
SHA512bf28dfb970f464e8e9f03602d5ee9925f8ec54e413876dc566d804916b3ee25660d4253449d59f31bb42081e68f8820fa2d23056c6ff3844b4c6fe98826f4bf7
-
Filesize
4.2MB
MD533bcb1c8975a4063a134a72803e0ca16
SHA1ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65
SHA25612222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1
SHA51213f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49
-
Filesize
16KB
MD56e857dec47f235e99bb05f9be0c08839
SHA1781f8a1cc57667e91e59755c336ffae3f577906c
SHA256e65fc318b28e6c35cbbe41b63a4a9a289753bfe1b96938a39f7ed4fe49b82f99
SHA5121c6be8774f319b0b186e40bc586536a44c86dcbf4c256a69163e1c6eafde514ca88fb00903f8f1c828afe101fd4a04591284c2bd3e3a4bf6b20d9e7d0dd5dffd
-
Filesize
1KB
MD56e6a2b18264504cc084caa3ad0bfc6ae
SHA1b177d719bd3c1bc547d5c97937a584b8b7d57196
SHA256f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53
SHA51274199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679
-
Filesize
1KB
MD5a2ec2e91c3ef8c42e22c4887d032b333
SHA1e2c738a2e9400535b74e2263c7e7d1ecefe575f2
SHA2568f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3
SHA512b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3
-
Filesize
117B
MD5b46cdf246adb25dd32b81a328e154f53
SHA1181a1ead2bf44bfafa67339153c4e446863b450f
SHA256a3d8a2cba6e356e02c0f33b50e3a9e61d2f9dfb6a26b5983e30e7786da95dba7
SHA5129230a9ca314bc2ab9dfffbf2ff069e7fb7ab9f57f130cb20e44776b7a82060fb0c2f93359b91d7be95f50ddfedc203a58a623cafbb07170c5822dd06f8a549d3
-
Filesize
15KB
MD5577b7286c7b05cecde9bea0a0d39740e
SHA1144d97afe83738177a2dbe43994f14ec11e44b53
SHA256983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA5128cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0
-
Filesize
20KB
MD500bf35778a90f9dfa68ce0d1a032d9b5
SHA1de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041
-
Filesize
23B
MD5836dd6b25a8902af48cd52738b675e4b
SHA1449347c06a872bedf311046bca8d316bfba3830b
SHA2566feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA5126ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80
-
Filesize
1KB
MD54ea5e69be2594ff53aebfc3e8df3f388
SHA1973d649c634e955f4355c1663388ca3ae23b7fe7
SHA256be8d206903cf3c312bd1bedaeda0d346c545321e13d83bd2d6f33a711f4ec64c
SHA51258f8cd9bff4ab58519225abaef3d0c895f0f8807a890c12496821529a6edf606743d4fa54f5349dd186b00da5f59ada513769f77c070fe5cc7167807ae5cf895
-
Filesize
1KB
MD567a8abe602fd21c5683962fa75f8c9fd
SHA1e296942da1d2b56452e05ae7f753cd176d488ea8
SHA2561d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA51270b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6
-
Filesize
899B
MD5923ce4120dffd5255bfccd38b53d9403
SHA149a6ee78cc1616864e2e35b76396add0452ee09c
SHA256f7a53c5a32dd9fbd55a36bdb756f33ecf0f42f25eca8b6fafabd1fc516659e24
SHA5125338a2425a753c1438447c1715443d3be21013e0a665a5b1c0ac1f1ecf474368bff9ad131ac7e8f94b4a75cfaa74fb976661d90181ca6ada109492efefdc1568
-
Filesize
64KB
MD5b5ad5caaaee00cb8cf445427975ae66c
SHA1dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA51292f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
1008B
MD5d222b77a61527f2c177b0869e7babc24
SHA13f23acb984307a4aeba41ebbb70439c97ad1f268
SHA25680dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
-
Filesize
649B
MD5e7dac0428003fa3bb106a72d4693641e
SHA12b36e16eddee1b3283568c96a90789ce829f136d
SHA256da11744a8cd72f4534075112aebb00abfd8475cfa916f6915f5f9f5fe0432f05
SHA512277f969a3c23ea365af53d68ec78756b27b40862c44531093caeec09960348c6650ade97042d31221adc189dbed48741533d1735be188a06f6b22e6a9d8eb3f1
-
Filesize
215KB
MD5d474ec7f8d58a66420b6daa0893a4874
SHA14314642571493ba983748556d0e76ec6704da211
SHA256553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69
SHA512344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348
-
Filesize
24KB
MD587c2b09a983584b04a63f3ff44064d64
SHA18796d5ef1ad1196309ef582cecef3ab95db27043
SHA256d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0
SHA512df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067
-
Filesize
72KB
MD512ec32578358877c92e6d069c908c847
SHA1e30c0cf26c31e6b2704d97f49a8288847bebd0f7
SHA2569cba0015bd7bf0068e37a8ecbb14e39b5677936657ef8b675619b1427f98d08a
SHA5125fbaa12108fe3fa52d706e8c564caabe0db509026998eb2770b9b66a6610fc3c7dca1fa5b08fff71d429e4b608ef03454ea33ed26668c9894f2766f2991049e5
-
Filesize
24KB
MD5e47e4276e5f3c8f996d74260be43e8ed
SHA10773d4aedd0d5c3db7e6435e43cc04fa86271093
SHA2566e21e91f8f1feffe52c37bf98dc3b1d31edbf7502502f7702e6eba719f3cc790
SHA51295d5958d726df4c565dbdb15c80801a3de0926cca1d9433c7c625b3e045484cf415872cd2dcc6704bd15e9bc43e699779feddad42f7d50e818b3e48fe716112c
-
Filesize
18KB
MD58bd66dfc42a1353c5e996cd88dc1501f
SHA1dc779a25ab37913f3198eb6f8c4d89e2a05635a6
SHA256ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839
SHA512203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6
-
Filesize
216B
MD56f012ebfc5dc075eedf49fedbab2a8bf
SHA1defec4f8c2847464e6563cae12d62d475f258696
SHA2564fb8afef8c39dddb91a5abe24b112439f2755ceaf97b84aa97a85034f5120932
SHA512e4449c34d3873ee4ee56c8123bc390524ca97033141ee047795a2cfb7e2d970e85e4fa63cdbb75ff1d1907fa73b0844a1ed9871dbf9ba2e2e4266e20d88ee622
-
Filesize
3KB
MD57adb144ea5c7a7a2f09bb226d288a77f
SHA1acd20d5ac6d176fabf7a928c287c5b9ad93980df
SHA2562c036cbaa807e55d5a2cf64aa818ebaeaa72acf7416f470dbf4e1784cccab5f1
SHA512d590ff77907efe4b742f6fd81550b6449cc48cf40518721d098b42520a5f3273265b7bb3759d1408b979175d9de552416f547e640c72905a5d5550440af45324
-
Filesize
216B
MD59a5aeefe4765aea53b0d1eddf2c5086f
SHA179a6af1875cc05d69e8a36d311bde0de7aeeb669
SHA2565485d0c9efa84ec5549a5b3c48c6aa58f8654fd926516c2d49020b3c1598be0f
SHA512f23f838089fa7d5213fcc6d7643f0ab9535baf4f17c00625e88423e33328f6e2fdf451d40b3a5f6dbc446d8635a051325dcfe6a7077efbb712fa14df64b3f6c4
-
Filesize
5KB
MD586357a9b163b39c55348eb2ff02d311a
SHA1626764e8e1ca7581dbbe5c5cd3ff802be88e51af
SHA2560874c5a63726f6ec9a320d84c5426f9fdc7df51cce1404c21f05d0125fdff1f3
SHA5124da6b2b6f4abe3991807f0ce82a006a2797f7b17abce1e7754ce945f32532bde023f98bab490c5860e785e528f031c5841e3ef1d26d09ad5bde44cfd783005f3
-
Filesize
5KB
MD51a6468cba4848dbf311d34661665ae02
SHA1054f5d2e0b60cc3d6ef104f65b19f6937d773ffb
SHA256eab3253f98253f3748157179c015a3d4d0bf11bd29cdbb91bd20b37383e6ed7c
SHA51244f1b14f26487b5f11ecb6bc29698ec40daead917a2c98b1a240b91d0f391ff43b441cd9c309a161b96d5bb8219186aebb53760141878a618595aa8a97e76ca5
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD5b5c735d2c977387b1fc0537221766247
SHA156a0eee376b83f8de9324ffdb439e831d2134ba5
SHA256dce4be275dcd08619fc39aaf0cfde785351248343e2c8a32e808600f915e46e2
SHA512f8a64154b204057f86ff64174131a869d1b96146581f84e38e701e50d269dcf234c307f88e1869350182b61980428bf88170448bcf230257175b62cc97c09494
-
Filesize
32KB
MD5c47670e30ae953a278f64b7345e3268d
SHA1ec83d2158a9650f889df2980efdc27119defb3e1
SHA256744106d4c024908e5f1666e0286c7a4964c1bc7bf091129c63ca87732f64d9c9
SHA5123131733c58b95ae62d8b62e483afb3389d7ddec56739f144fe5cb6c9e390ada53f1674c3e97a941ae3498669781657919426315e77bcf3d29f31e78f62754e13
-
Filesize
34KB
MD54b6ea9b2ce7eee10eb6ffc5b00745f84
SHA176eae5e7bfa103ca196f6b2a154501631c571766
SHA2567c411961a0123d33ae065621f25531a1950eee06190e62903c6fd208b2db9ac5
SHA512d1e04383a3af0a07a4958d22211ec07568726c89cd2e810bbff976bcb05077b9472aa15536fe77fbbc3885f1adb731a81df1c122a17e381be7d4154fc88b16a0
-
Filesize
33KB
MD5115c307a1713cef4195b2ef9f35d2d23
SHA11935d360af68b13a0a4c08cc08dad18ef3ed7c65
SHA25601409a903660a2d7b5f339e5a8bf3a4d0ac2345219736f7c40e3ee5d0d445872
SHA512ac596c5341a735898533d3644c826bd627bacd8e1e42d8e09ef7b421edfe86f7cf5f050f461ef7344152681663fba90a25f23252bf5041abe520d30c91f893c8
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD55eda80e070cd724e1e6243e5549a1b1a
SHA1044461453ceec6eec3e1c0bc634b5a580491564d
SHA2569a17a5ae01d009610001892dcc12d1baef08b199531e0a222dfd0e6bebe09fe7
SHA512287191268cc8a87e1e08eb44c86577dbd6409e85a83d2fa792afd8e861485ff127b733e9e5012c289475c6f7dfa03040be2217ac7ff2ebb118d3fe82f72f6401
-
Filesize
7KB
MD56582ee69c10c6f39b0c5ca832a018149
SHA1e2c7da0a8d695fe353dcd2acbc1c49ffc83d18ed
SHA25670a7603527a25d7881538d8c41ee87d0f7f5f01cae3591be8bb7aa4d890b2a2d
SHA512aa49fb35c082690d64273fae87d167a13e172ac927395d9d46767fb2b769325764acbeef3a9c3f67e79316b3e400ba0ac562a8532bf5d5cebaa3372f99d4b76c
-
Filesize
356B
MD589fc1041b3f6a19b23d047bfa3ffdc37
SHA17d47f5cab1d8bcf2241ee545492f83ca8252ee71
SHA2569fa870fd85c0915cae08cecfcf9de1cdd50dee61061fd0c61b2315e1f62a1503
SHA5128701d293a1ac8e368bf9fe7ef90a8459447dd477a6775ed52f2add91fd91c718a970398eb298a2932f759862070693d8c7802b7249435f419273b4ab91b6a671
-
Filesize
859B
MD5705bcb6c390fb47149e4240b72b331f2
SHA197066c499461362cc04bc179c06091938a27cecf
SHA25661e3f8966c0f35a58a7531514aeebb2f628fcefd03a77dc5727d4e65c2b6a6e6
SHA512812aa97e56efeadb856cf202697ed951907ff5096573a2e9d713f112b48fea049ac462a6d7ab1de696b7bdbdad099467556646493e7645f3ba42d8f8ad2909fc
-
Filesize
5KB
MD5e07fc6f7df77941e86a97c479fa8720e
SHA19c44f47109e57c0a9f527372c9799dde7b8cfce3
SHA2560bc32886287f2acd82822ebd5bf1471a158eabf1c13b776515f444f4194b0452
SHA5125d84ced6018beb32f9bac88ce94fe6c06d9cb0d6cfedfd4f49da83e8f84b12c3116c21ceebb14f500a64569cf05b87de6db8b3216c901094dcc8f95598e31e5e
-
Filesize
6KB
MD5597389618a9b58a7f45f17cddb9cc02a
SHA1ec02b864e18d893cc6559aebb4ee5b76db8f0795
SHA25676104cdedbe2ff10d644460b24baf713838bdcd78c533e7313603344c6b64681
SHA512fdf71382735fe7b3b955d6eaa5e2f5a58b9f67c88ec95f2d999fbda088a8835dfdb42fafb28a4468496c258cbe3ccd4392cdcf72a73a0b496dfd8cd77386caf6
-
Filesize
6KB
MD586b7297f8d18eb21b3a2bf5f97d9784f
SHA1349c77376175a1f8622bf470b5a64cea3e0147b3
SHA2568065798bb8580e933964e9a54111f6cfbafd74367191e0c5d37d8a436d4482ef
SHA51232323b9df5cbba7fe84e700d8d942ebd30eaae339700415fb894060a9766645cd819a7656717398e844330adee850c39982875256931c5595c56d33c285ce9c4
-
Filesize
5KB
MD5cf71e0eb1d233b66a92d8794fe822161
SHA11554a7571da1cd882ef37251d38d2defa879c44a
SHA25606fc437177d4b7e14918b754b2f479c8080aff182943602b890328a6936c9e1c
SHA512cee76f34a1a9d91307753165bafe916c3251fce299969e179255d3f3e6f7798ac538d865c6ba6b0b66737d71dfd816f7c85b2a49cb3daf2f3591296715ce3464
-
Filesize
6KB
MD5563a5ee68ae00b00dfd89d6dcd0e4624
SHA19f5d2a74d3154c0fa53378e89a24884f9e834639
SHA256a2f2675707eae3b145713dfcbe8dc0cae873f48ddbcf62889e20846f61dd8f28
SHA512c79ada529791bbfaf8947fbcfce8faa8fc4cd13b5d8254077fc14d1fb654c7ec9f3751bfce9a5e0bd504e5a1d0c044d1741f52e6af2d57ffd520bd3d079a1146
-
Filesize
7KB
MD5e81ae394f07dbd2b9c5e0583e81dba0a
SHA1676c98d2e5e64e514983cfab79ed69964cf006c2
SHA256118c82691f539c1b3ffa3ab6298771d47e46a925d660b57a483d740c68372c95
SHA512aa8a168674757e5604f2c0f9d739754b6dea197a12dde6b580654e3b06f550f64ad33c3a3ae1e6da34a0f4dd3d021d9fe05921c79709efc1956c19281da919c6
-
Filesize
7KB
MD59e623c0276f2a28a8b3b5f23c623f20d
SHA11d3d948cb05c8181429be8e60398de178cddffda
SHA2568bdbf237aeb34f7e08096c4c71c154c85f6028b9ea9150d2811851c09b33e65e
SHA512aa65699abfae2aeb39fc8891dde681947eda104b7b13ef760a34567b873c8579846a92415903e6b871cc6c0489f2150a6446675540d092c9f3ff93eb42026351
-
Filesize
6KB
MD5abe8e3162dc33f35ce29d2101a0f4984
SHA1a9fc604e478e32287f17d65e1d2286ee291436bf
SHA2568e1d1e08cf3738fe7f7a65e282ceb4a229d8045d12130f67391735c6e660d01e
SHA512898a8de671dbc8b958a2d21892b5ff8d59b8e33a010e94dc80c81fa3ea1aca31240adc88eaf81f5e668e6486d423c34cb1ccb3cbd42debe8475afd6d87f04a30
-
Filesize
11KB
MD5ce259146af868a6f990ff3449d15f4f0
SHA15a0cddcf52c20390a08deb84dda5e9725f04d141
SHA2563cbbe5cbac3652c460b2337929045b35dd898f65443375451c45bff839b7ae39
SHA5125597aa8ad18ae6b6761eaf40a70e8adb2329fb4ca69afb3d2d2b47bfc5021e36674900af2b866c28f19e3bb1ad93874b512f79ad0af3fa769c65d7c355a782b8
-
Filesize
11KB
MD5c880e03ba049cc7e171b5e93febe3560
SHA1005180b52cec50efa7255311b6e1e7461056cec9
SHA256d7628f46f651c40b4406618bda542ca073a50fc2a3c580ad96e6d36ef8bea469
SHA512c815b2c41721f70ab6bccfdeb6444842dd9cc40ea4925087085677374ece092cbc560ae22e59057ef2c267831ef13dffa44ed679bc2671845638174d5d84983d
-
Filesize
9KB
MD58ae63ece77cbe6ca9932e269ceb44c1b
SHA1cb1c2925f2e0f29bd06567c5da604f840d6630a0
SHA256f3084823fdc37491a8cda7df60ac8c9db37c7be4ba488adae3fbe3794cdd9671
SHA5121a1d641aca4d4f5afe70bc5e2b391210a8a5d8b969e65c16bfc05de60103afe52175318996e0e262cc3249b751458dfed075a3483165f82ac57dbaf06742f2b3
-
Filesize
10KB
MD5947533d2896d0f171a643c41bc4271fb
SHA1f2a2700b6b7ca2ec47bc680b31d2631e819cc028
SHA2566154d6f524ba9d1d7a6264a358dbd60814b59a86a728a190f90c8159b28680b5
SHA512d715df317ba36656e50ba057b5f1901290367c5955f4c2e5cb97e547c73509d217d64a7b3867a596dd99190bcf60e978ca266d04cd6de64ab59c291aa1aa535b
-
Filesize
9KB
MD5c47404bfea6933855899b11789556816
SHA180320a5510f0e67c7e0b74fd2b0c20d6d84a31c7
SHA256aee9b44d2ac462932f7fb0ae2cb30570e624584e9226c75c1f9ebaeabc0c4cca
SHA5122fc717583c3dbc92b2144f647ea9ce6e3ab00d06cdd6b40ce537e12f524dceeeb198d2fd34e0fdcd54c80abdc3a7577ab86efe83abe95e533516d98141eb84dd
-
Filesize
10KB
MD57aa6fa70f3e1a2acc73a15b3bc6b3ffb
SHA1abc3cd312b3ffecef8b1c7dc9da1bbccf9a2a1d2
SHA256b3fbb815e98f663f808952813fa5197d9704a35b011aa296a255421692a04f2c
SHA51279aa2bec930b4de5b5a4c7a430c4b35e9c1ee3416ac9513c4acc743d5a323b0e7efa08750db88596e19539cb4bd964d52ecf7bf1f2b13327db649b634422f978
-
Filesize
9KB
MD573724368a55fa78e3b92c0254b65c379
SHA10a8bbc886cf1edf2a9fc0fd64aac09ff90ed79f5
SHA256ab97edfe0be9667a556e34b0cc1780c6d44f10a1f430c40976f4dc276c36a249
SHA51248f49d191ad83e21c300742f157de2b6a61b5f6e2aa3905417691fe7d73368237e3bf03d9897c4ea8d92053fd039aee44010a4aadac32cd3553315b260a79dbe
-
Filesize
11KB
MD501560ed42fcd24c43faa5b820bad5ee9
SHA1447f3dbbcb5c49ed12ebb009a5b8f2a458b7bfd2
SHA256d0eef04ad97a2f48346bd9c24fda414901d52342b984bca55bac2771a4655308
SHA51222b43445ec5ee23accd91cb89a2a19dc3cfbe83a52a3332102068ad4624bdbde399edb1d86bdc07e6b2b51bee31ff866888bacf80854289db8faaaed8d5c1174
-
Filesize
11KB
MD522ba2644cca48ce07b19e78b60f17545
SHA1afb380080e17d2ba1b9457a83b1a9b35def9b931
SHA256178588ebc9fe079836f9f46659d1298e569dc42f801ba758993c13176c471d91
SHA51203a0f07a787fa7d406eef08b8fea1fa09c17ad4366b451ce64aee6a056b2ee13248ac758bca95ddb16006b5aa99134c68a3c50183b40e45667e631bddbd7b903
-
Filesize
11KB
MD506b9141c5c25e8b40470c8ab6b01a9a4
SHA1bf1f37b9adbba60374b18d96c04af9228c5559a5
SHA256161f91ee1a2bf914590e0bfbc9f62eb9b91e7d5b9ef5f730b80668ee05b70cb4
SHA512f1b15bc8f4a3fd618b8c4b17ef51d359565a73483cac91d3cde5d6e87373d9ae5cd5975a192878fb7ded8ca47f535d5b2ed22a026a25932956872ec99f1c05f0
-
Filesize
9KB
MD572b8a02a08edf84de4faee28aa0261b2
SHA1896e90d02034b094706056f776dc90b0280f6f41
SHA256825547b95194f008435f1f7cc092027f9ad85bc139687f29442606f42c34c144
SHA5126ff8f4ecae5b03484d7c372b413a6d7d5734dc87015fcbef7349f1e0be1f730985a4aaa8fa11baf3f90e97c9d2a9b7e4e80a4f54c7ca8f8ab199542f9a20c2cb
-
Filesize
11KB
MD5710dc18b20baa8d00e75c64772ce166c
SHA1d375fdf27a5c8a8ffc67ce4674b9089995a3a8c9
SHA256537cde35ef2040f9790c3712a720369d714c807dc8a7f8977106c45b52a27d93
SHA512eced1fee512d5148364fef0ff03f288b28a93ec40f1d0fa52b2389bb1dd77d7780ad1d69e22c98352cadae6c36afabfbfd5f90776690d6222262d671c3c8e751
-
Filesize
11KB
MD5d8af3f93493af94671a7a91d6c24588d
SHA19061989e06e178c51fc67d5a6fec71f2cff5230c
SHA256183e692074f731da7c9004a04d9e2f0aaca752a03de9755360dace2f58bd3a02
SHA5121a52df15f0c4de55942321bfd732a4c7e99bd065575c9c3d2f6fd519b6277f431aa23d1583f91afcdd3ee013686886fa8ee19f6d033596a5f5a53cfa524679bc
-
Filesize
11KB
MD530371110882fe13f6b326e633a04c987
SHA100cb32dd9ff163ba3b509f7193763b38b1753c74
SHA2562e8c69d1a8fbcecddcd57054fcd52330e9b105387105a30d3cb69b20daae242d
SHA5125be7e38ed4c143c58b66d59360f87938ec4daa5a932a6194695d4f93d882db34aae8455f55d4c1ac7070703722e1e91c9f935b58d04c44aba2c6a666a4e56dd2
-
Filesize
11KB
MD5174e434eea90ce7c6672e69d1425581e
SHA12c4472e9867a1783c59731ed5475220cb241836f
SHA25636dad602e9c016922d7a3993cfa1063261a800f9b9720d80c77b6a17748bce69
SHA512ee5ad821b95b4eb1bb719bc99a86144ded03061b19ba66d93837a3add70d2949d58ad491fd4ca7c9952ea5f96982f7a0e290ced5e6de5c520682d9c267e3f151
-
Filesize
11KB
MD5452a8f197c609a0cee1c71a6a77aa5fa
SHA1e50b9feca3ce931c7d20991e03eb1ab9179bac19
SHA2564bf6902f87301926b5b458f664188761c045eb71c1dff6e8b82e5864a9d17f62
SHA5128f234b32adae5da7c47e4d7aba14752715f2a69d8c24c0151183d5ec82f49617a0092022648763518338f14b0605f1b8bf30b8dd45beb902533c0e77a1513356
-
Filesize
11KB
MD5bd13d2259cc97580d438e6ea15957a8b
SHA1176e8457e7bd32d3f3399f7eaa2a88ee14580a3c
SHA256055f2915394b960d0b35dcd1021d52ada9f39058e03d1c5476dc00c7843ea158
SHA512c69f0167e67bd333a2556f941ba091b19b92d63350ffe16267515c3bfd7f0fd0b15879f8c90456e1081ccd6a9edcb9b1b1d3a4aff065f0d7b16171dcad7beada
-
Filesize
11KB
MD53beca1c50c20edb4368f8692a6db7f19
SHA194a5475b52a72f534fadea044dd5cada1a08cae1
SHA256a570523cd71457dd9b7d209e32bf7568debd0899894c4b670022c59420965c89
SHA512819aff39e6a12cd5521078dd3ae255d72895f738e2df0bfefa581edc819c6cd59f68b61e37baeb20557e34851198e876c825b042c6fc03c1d18839282a90d6fe
-
Filesize
11KB
MD5b6a2555b88892714ca22570873b5f488
SHA1b2e9ac3f5e1bce3176656ef5b766a1d2bd8706d0
SHA256376fe645991ed35e3ed31d99a52fb4ae45fa97cea8c19a023bc793cfbaf64033
SHA512f9a938361227972297e5b427be8d671a309bddade84033921dac1ae935b0ab16b22d1848d973ef63141a057ee4376bd2d7f9d6368fac30a2fec47fea866ef946
-
Filesize
11KB
MD53709f0babed9e993a67440f5e49ce865
SHA1aebb814a29bcd3f243e736672eb27390fc1ee60c
SHA2560a32cbb863d6f13e75910d83a97af56ae4f38991d8d3d4b464be77eacdaa682e
SHA512bbb321fbde006eb2ae9c44675a1d15ae3c9cf9865303d103a103a54d659716c76ea506b4d769c8a0eb6b0eb0bb0ac02d6de8429acb9edcf803af1a0b6bd85d3b
-
Filesize
11KB
MD591d9ddcd32d8888666fd5ea7b39d4c41
SHA1299d11d4060dc7dd3fac9215b1a991e55c4ae7f0
SHA2562c3389dc417507c9f01ce10b292f473d7ab6ff17de75a7038520fb0e96925f05
SHA512db309fbb18f6d274bfbf9f0d18eee0cb670e49b0071e37aa17102b3c4560f4fef22758108449433b9ab761626140dfbe575467bedbf430b5042e9170a4d19c9d
-
Filesize
11KB
MD514c7616c8174818be5ab896a1b630969
SHA1f65339175f104f4e3b4e5481fc4e1cdad0bc9c5d
SHA2568f87634805f69d2fe4c78d45436c4bf65fb074c4476bed2b23648da7e1d40a87
SHA512bad3f22adedb55b14cd3d6fa50e28197633455898501a4af326e8d7adc9bb67f5d69056c39e6cb39ff50e3b6e9c9efce7e0c8ac165a35f693625b1a45e7254b9
-
Filesize
11KB
MD5c223fd51d5b2a7fd9b43ad34d9a3bfbf
SHA18b4d096d4c561eff6341e09b735b7ab684b7bb09
SHA256e493767de8e9bbb77f99949fd6f34c7bf8cf2dd18af4f045771312af698ce19f
SHA51290a872b679b9ec491b95963bb6fb9da09845eb64d5339524b48950f02f40f2831ce43c626ce23a401b7d3ca829cec60248d3edebb625bcc842ce49f48b91161a
-
Filesize
11KB
MD5d85b70b5bd2a30f2e8798316de42f675
SHA10c7bed76c43dad5ea39adf2481a053471986d780
SHA2566896e7d215515d5ac70c4b01b97f13073c7bbe470a53701441042d6efa1519b2
SHA5121c86bf9fa3c002c80194629d3aaf0e4c4cd13b945cfe2752e6927196b93665709b82acf0399ac0162a0b841402e0d180d4e9e2211ecb050430879c868a246beb
-
Filesize
11KB
MD52830e0b35d2c9915c4ae378700bfa104
SHA104e3910da9ea2bca5322cf3884907f578893c1ac
SHA256ac99d0d47f7e7c302c2292d5bcd0e152459b604235c312432012971310362d16
SHA512ea822b05cf43321bc3aa5c8dbbd6db9a68a92beff73d93bcfe60cff3460bcdf80a3336d582e1c9868b106faa34e1e1b8bac68d4552eee2cdbe1080442a1e84f1
-
Filesize
11KB
MD5964123220bce1d8b9ae7275e57e2babe
SHA1d8ef0a50d5e1b6021f8232fe57aff4359db497cc
SHA256f5d60255596c4e817bc0b47f7648b7f13e177b9ebc8fa18824085abb072cb241
SHA512662dba07eb574f2bcf2f30de07972558a1a2012a3912daad625613eec1baa656991ae90622b902af62d08224d530fadafe3582400d325a1cccca6754d0398d2a
-
Filesize
11KB
MD591bb7a902d817ad337cd993022b9e42b
SHA12eb49f65372301f68d5098dbf3abe944cca5a1c3
SHA25635ccce2995b97952ab1cce4435d26860c03f54fe696177f4681de5d3b2499196
SHA51229f6065d3f69ffa05daf2c0087e8d2894051e01f94edcb5a6c5f98222eb8c632bd9aa57079607e8c88c0e1ed2ce92304d3c7e77191dc107156e15d1f1e6a5042
-
Filesize
11KB
MD55aa409dd8abf25cdd28fb737322156f8
SHA1029c06d27e4a7724862387bd30a0013ffb46c5ed
SHA256b1093af18db238face1550e2474f1dd1a8538229c45b241910e15f74bc921e38
SHA512c9bd267cd0b312df16bbcff8be2ef990851de119df9d275e007fb8e9f4e5755e136d27ff42b9cda56b7f2b58d949787176101d9ee79cd7f18dfb94cc44ad0c14
-
Filesize
10KB
MD5f2ab4d1ab3267d71dca7313fb3633ae1
SHA1244f31afb0a057b9305c1b9569d9f1fcaa95e9fb
SHA256af37debe02e9fcddb50a907f5bbe73fe11ed2a99d8a57852ca797f0e9008512a
SHA5126b182976ed8d88eed74bd188252d71a3c66fee9fce5c12c967428d8bef39cc9739eb9b73b597ef46c468e42cd9bdd7184026e421bc43de9dc756ebdc72d05ac7
-
Filesize
10KB
MD5b154b3d8c13c7b8e3acd714b4b9b3d0b
SHA1d1a2f639b1bed7a21db8dc40c76032e02c8b592f
SHA2564afb42e7b23aff6e122d349421f25044e33140755ed10c52cc83e80bc82baae7
SHA512a49f6ea50e73de334f83f77adb744566d3478931a611d2418146add4b03ce224f7bf765312c68262582ae4a47438e48e6ddaec58c92b7a4a2c21299e57970805
-
Filesize
10KB
MD58778aa562d1f7cbba55b544d57fa9212
SHA1524638ab961bc1aa6c2cae3a3bb9d0adb94278a0
SHA2564b2bcc74f9b22cf77a7dc3fc6ddd5e7acd8de9f948af86c5bd84c32115225b4a
SHA512a9d57f2ada1a4ce713dfb06b75814d9ad857a295b01693735717bdb80b18226925bf2a164d49131456f194d7bdbd1e3e4c2f945e4e26d6ea8e0268b310e751e4
-
Filesize
10KB
MD5ea261919ac79bc9cef66db4f8c0c1b17
SHA1da70aee82d3f0fd739b4c44bc4d1263ef164d174
SHA256a2fb3b4612cf509bc4eb8762d2ac357954fff3e094159adc84aaae8a44e36cbe
SHA512921e662d0fa6e933ba4ce29d9d005a41d9c73f3cbe3e740fa5b74775ee5c131379d2e5207e3dd478f005db1c576e12239d733e7d5034caabdcfe90dc6c371ca3
-
Filesize
11KB
MD5292dc62e1a8f978d5b3549e4c8a4ca0b
SHA1d2e2fd12d9fbd9bf877be73bb0ef4333fb6d23c8
SHA256437e3253a11e1070afeadc25cf7894d439ab6e43595ae65479f19530c10f9b5d
SHA5121d65531c7c594e45be4df139c834d038a06179622cb74dc5fe368e67d7f0a4bf8117b804ec844a6d56c9389a772a7ddfd3ad1a99e0fed7d97a0283165da21bf1
-
Filesize
11KB
MD5b38cb04084f261046941011c376b0fd8
SHA19a6e8a15d194ab25f54c35946cbc07dc415ddb91
SHA256b282e600084a8f02f20b88194bf98697c9a35674262e0c17ef0429b006ffe9a3
SHA51294c8a21d6ab377053d2e3b908c3d55b19e5cbbef31936f5e8f907b94ee774411044416c859ba5320842c166d28496cd03f375902d8736e6d691538591fc56eb7
-
Filesize
10KB
MD55c29c5493c82d98349efcabb0d621b6a
SHA1479e145360ddfb231872b0d7c8daed410814b6e5
SHA256206446902f7e58678e6cc8dbaa62a7194ac25f45ebe6a45ab56ded82457aeb8b
SHA512bf6a72ffb1bf0589e127ee2b7994809a9a88ddc233951383e87e285ffa692b319eee4c139bdd52644cfc73c4eacf7727441f32649aa7717b7b15e7c056fa4e6d
-
Filesize
11KB
MD5469cbd06ffe233d499d3d16cb7ad4c57
SHA10699671616a3168036b9e941d70942ba420426f3
SHA256d152730d3b93bc1f336d04c989b57552109eba82f2404ed4920d607280572731
SHA512e764c96a7f0f476136731a8a8a14b0163e587c894d0dde6e1fea1990ca4be03bdb08e76ae070955b33368f91811f4e3a03fbe024eaff75baf535bdeb89e5d41c
-
Filesize
11KB
MD574e777185ab0171ab269ef689287fec9
SHA1d24c6e827d27fa077efd819f6eb640fa5ca06177
SHA256091f953059ff3c34abfa922ab496479fd12b7a16648889a70677ae5188a0cfa0
SHA51238039046bd42882a7a197c2c17148b4d9af359e44f5dce706a359d0a4770105ba942064ec3eacba1ab4d2317f3ccf6895cddad19cddee285c0f8afc2823e7427
-
Filesize
11KB
MD5b533c654eb6fea8af938055c76d92056
SHA123e778db5aeab3cb89f6b3f52311207ca5c5a62d
SHA2569cb3ef8e5fda2b295bba69ba6c4f3ad6b4c109ad5e4d4094747a43335be9e744
SHA512ae8ee804719288d63c0a213e069c6f5e3b59f7f56c8e7822d73a6c480fb11f38f3447658f0c235bc234b5ed7b458bf477af36d3eeefcb878194610dee3dbf03b
-
Filesize
11KB
MD564b0e3febd0f55c7f8599de01c543383
SHA10b64bf0c3ea0eb8be7abe42a8d759543a45cfc68
SHA256f371f16ec96b017f6716d7efc898ae7ad5a3f626cb74fd4ca73bb471ed4f348f
SHA5120ea8ada6c423a0d15fe226a90d95544b87646beb3bd72c5fe12fd4fd89c54da4864c10a2a6015150cb72dcabe063f666722cf15fde273a943a57e63c41ed7e18
-
Filesize
11KB
MD51902f423c96b93a0dcb929e42c60bafe
SHA114f67b4b0867cb7735de8f3d583046dee67b4c16
SHA256211b3eee5ed5c3a44edcac059d841fb9d6c81760272a7fe2759d9a842a19da90
SHA512d18ad76c5eb043665c31f7f7c36cfc5990f438165300693313b1342319aca15514bbb49061e845f073e76449221bab0801bc297899734b00c29046eaf37a3140
-
Filesize
11KB
MD5418a2a58cba0806df8556ea7a15b903b
SHA1d857b79c5f8fb86c3ecbcfe8fdeba3de78cddcbb
SHA256b90f9c8e3fde8272fe0839919cd3a2a3cebdec6d0cc904ab360d3ddd42b7df92
SHA5121fea8f693f97e79255060547dfc9113550049c73096b464ea259a35e2f88724834150df642452dfec7783bbea1402b8a9964adceaf506962b7ca404ec51dc12f
-
Filesize
11KB
MD549fe5159b84d56fd5eb78c10264c0abc
SHA1f135fc98cfe9322e8c11190df02ebffbd09e2931
SHA256bb9c651840944b6f4d4bcbb97c79155d4b891cfba64584d5e3eb1215d03facb8
SHA5122772138d8ea6d4a012c989edf497ef4c8fd228cf429126767258f393579eea95b81deb1f91f156fbc7c6ee1b486ff736e0a3f2db89a7a04f758f98b80c8a1a87
-
Filesize
15KB
MD5b76b0dc7debfe49732222193c910a13c
SHA10d685250741e6dc160c5b944c0374cf62540375f
SHA2561e1d43379f829af4ed55af78a5f8deced5a5fdb400f7c5c4c6e804bf7f27ced3
SHA5121c5cdd3619a707daea17957ce0164ab799d0d646ff4d59804276c34dfe996d8e3b529466b78abaf90f4cdff5877123af53a5cdc5239e8a8753871a9cad678dac
-
Filesize
72B
MD5ef839514912df3a0411cbc6d9992f716
SHA1b133e38ecee25043c88b532f508d68bc71bf8f5f
SHA2567f29499f450daa99840c8c6e95950b570ca58e7a1252593210b9a627483128a4
SHA512e21e71eb1927dd419641aa9732010a4b309627e60126a0939c0cc9a886ad4690a8f18b4ecd08f7572efc5a4540dea3424bc5384e28743501956c2a21dc7a1d38
-
Filesize
230KB
MD5a1a016d542ab767993446183ee6057bb
SHA11a80f02fb4fd1dd9c5fb20d9202d9e99b6bfd73a
SHA256d80cf53c8c165c0441b8be96433e14cfbc1ec1e5468798d3c95faaec39c7d6bd
SHA5125458fc402ad7f5c2773e661f8bc407b8993f6fa342e9ff38895c3cdb47b0f09f660ff3957db100764ef5e2a16e8f5390f52da8601fb5bff4f1cd1d85b19e556b
-
Filesize
230KB
MD51c031589a06aebfdd92d6a2f76dddd9f
SHA1ac6c350dc578110da39faaa98fef5086a8f4270d
SHA25696da381a7277a25916cfd9bc37839cf265c45d603e6aaa4e4da1f80e2934cdf0
SHA5127f3a09c8e5ab35420436805a11a184d5ae552beba073ead4b400579c6a8992269edbf00b8e985b55b9f48b981b185d35162a44c113dcce92acc55cb6d8d9d809
-
Filesize
230KB
MD5c1284f88511f39abf0e7e30670511cc4
SHA185fc7760a86e67ef97462fc0f04a9a83196712a6
SHA256803c4d2037003b80601e124907a80a8c2d44a467604b0de1d3e91e557506b3e9
SHA512cc7e713910930dff70b2e030f9461fc9e631bed80c02faaa27f5e0017479764265d9b73194322b9a4ad7c1c0c54a1e277f1154690bba84fda50598badf83b9c0
-
Filesize
230KB
MD5504efd668faeb48b10465b8ac6d7a99c
SHA13b3a557975842aa50e8c42e6ca4666f15855c653
SHA256c71cb39df636efe6ca32841aa4a5aa1c913b36825b53fb96b68f1e99b5160935
SHA512c08902404ad1c01d2e96670407c0cabb2059010edb1f7c3905abc6238b5bb11512abe6c13a055ed242214f81f2e28fe173f13d449e37b77c7cee43bab2d51f08
-
Filesize
1KB
MD52eb0516581f575d665c8f25ee96d69d9
SHA1d041bc23b9053c09588c4feb81f9a145aa24aec3
SHA2561d5fa257306338d5c41cc387525ab4ecc6677a5896858b76e2272156269cd5df
SHA512382e8e90451eff13a6ce3d4e6f979c69612016f634d6e884579e7b6d2ee93b6b1b3b21294a161099e33d4d81aaa5cda5582e6a28a799e726e887e409b54ca245
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
216B
MD5b91ecb7b21f2f7a73ad9bc76c057ef52
SHA12748968acf20e230e83cae0075c522a1667bf49b
SHA2560347b28229515280f88f5469f560627886bfa8f0e8f6585165fc51beab6164f2
SHA51282addad71110031e3148ee764dba39c8cb3c04279b9a7a0805a734dff3bcba226358fb5ddd92dad1d4efe54b7e2a30623be3c991cc75397ab032058a1dd88f1e
-
Filesize
48B
MD5d2a3a8f4c7b73db2db2f4d3eb7398033
SHA1d2616c3e684e426b1a00eab7c38cdbfd244cfc8b
SHA256e7e511bff615115c9d1dadf4044f7db8033a5db04fffd1d537bf796b2b555aa8
SHA512c89427261d9601f1646a4b74a44afbdb3f161dbb2306d4babce5fc9f91b7c044e9a07dc86535f0bea3c745f6f955c8f778b7332e3b153d2a6c83b000c9a85750
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
110KB
MD5db11ab4828b429a987e7682e495c1810
SHA129c2c2069c4975c90789dc6d3677b4b650196561
SHA256c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376
SHA512460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88
-
Filesize
22KB
MD5a36fbe922ffac9cd85a845d7a813f391
SHA1f656a613a723cc1b449034d73551b4fcdf0dcf1a
SHA256fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0
SHA5121d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b
-
Filesize
150KB
MD53614a4be6b610f1daf6c801574f161fe
SHA16edee98c0084a94caa1fe0124b4c19f42b4e7de6
SHA25616e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b
SHA51206e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281
-
Filesize
20KB
MD54e5bc4458afa770636f2806ee0a1e999
SHA176dcc64af867526f776ab9225e7f4fe076487765
SHA25691a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0
SHA512b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162
-
Filesize
17KB
MD52095af18c696968208315d4328a2b7fe
SHA1b1b0e70c03724b2941e92c5098cc1fc0f2b51568
SHA2563e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226
SHA51260105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5
-
Filesize
15KB
MD508072dc900ca0626e8c079b2c5bcfcf3
SHA135f2bfa0b1b2a65b9475fb91af31f7b02aee4e37
SHA256bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8
SHA5128981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
2.3MB
MD51b54b70beef8eb240db31718e8f7eb5d
SHA1da5995070737ec655824c92622333c489eb6bce4
SHA2567d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
SHA512fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb
-
Filesize
81KB
MD5fccdc45ca17e5180b40efc28052bac39
SHA1cecb5a7e8807e619956183897a64930ce56294d6
SHA2564ab37b0f9c5fe3505e1ecfe0764aaa04838cf81f9e0a402425e057f7a251e621
SHA51267a9cd2066155b35a4b11e7917c2b6dd1d39828bfbe2972b22eea79c1891fd142f50273dde0cbf0a500259fb468f7636db05131a70b3c54a143f945d037da1ce
-
Filesize
89KB
MD5ee6243df5ea48d929da4790efeea45c9
SHA19c21d62d7ffca1c68e615eb57bcd5d4ad3d090db
SHA2560503fcf7646daae6e5445d8c5f248384542d2eeab4c7d8ad3cd5a47759759a48
SHA512283c6a7bf2bc0b3c2dced9ea7c763c71b6d68c57da6845985f8faaa9cb7649d945a3be2127bbc1e77be792f925e14cff191c9d6bdf821635d438f985feb7753f
-
Filesize
13.7MB
MD5988d663ba702ffe35f7f8080c83d2feb
SHA1dbc3538e352831bec7c2e09ecd091f1fba34b62a
SHA256b640c2c6e11ec5e31a255641f86b765ff5fe29d419de45b57510cf3eacf633b9
SHA51225204f7649d928b3b6728317ce4b247d1f907e3a26dd49a096ad0d9ce41cfd5b0f512c9450fcca81b6d72a640815d9943931cb0084180e53ee201685f9f8f1eb
-
Filesize
10.5MB
MD57e0018916bfa26c6b54df0eca7d4f0d6
SHA1b60939c99c22c5a534ecbe3417fb15168c563cc5
SHA2564d365ae8182347c3d9bf71b67672a75a9e87073d7966c0ba6dda4c4c524d82b9
SHA512c3b255da47739d3a40c2a2b8c0e8b53c596af07dbf3b285f475863ee5f100d49355dbcefb36a047ee124a287b0876cd93ca07a1b843c5e7b7c427628008319ba
-
Filesize
156KB
MD513ea3cf3ef1d41b5255ae931b73554ae
SHA16ec7efdf051f7c191dd04b1bea2601900368f48d
SHA2569dd837935725f1cff8f10e8bd5b379ab3d538fb4f1ebe797a0e119bcfc156154
SHA5128458812914398cd850bc36c898925483d125b37db38fd716e3dfe82409a41b9da3f436e21daeac8eedd28df3d4ed89626fd0fdda3a6033f9eca2392b2ed22d02
-
Filesize
147KB
MD58429494617582f54116cf0c8e07f4409
SHA1239a7fd661136e3a6a6faa4368a5b2d25364bd29
SHA2563aebcd3eaeae32fd06f10a22574b5cf901ef3e44d25db0b7bf872980174b8aa6
SHA5127bf6233c16061baa4554eed4e2fea6bb3edd985fde445383fb904a96690a45dfdafade2c81aca8804b617226ed6a44ad37b8008b23f67eba97dddccf9c9fbf13
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
5.6MB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
1.8MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
672KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
288KB
-
Filesize
176KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
48KB
-
Filesize
48KB
