hxxp://odjajiasj]\

Analysis

max time kernel
1800s
max time network
1418s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://odjajiasj]\

Score

8^/10

adware discovery persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	TeamViewer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	TeamViewerQS_x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	TeamViewer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Executes dropped EXE 52 IoCs

pid	Process
5748	TeamViewerQS_x64.exe
3152	TeamViewer.exe
3372	tv_w32.exe
1392	tv_x64.exe
5968	TeamViewer_Setup_x64.exe
1600	TeamViewer_.exe
2520	TeamViewer_Service.exe
2988	tv_x64.exe
5656	tv_x64.exe
3368	MicrosoftEdgeWebview2Setup.exe
2288	MicrosoftEdgeUpdate.exe
840	MicrosoftEdgeUpdate.exe
2272	MicrosoftEdgeUpdate.exe
5148	MicrosoftEdgeUpdateComRegisterShell64.exe
2772	MicrosoftEdgeUpdateComRegisterShell64.exe
5176	MicrosoftEdgeUpdateComRegisterShell64.exe
2612	MicrosoftEdgeUpdate.exe
5060	MicrosoftEdgeUpdate.exe
2988	MicrosoftEdgeUpdate.exe
3016	MicrosoftEdgeUpdate.exe
4148	MicrosoftEdgeUpdate.exe
5840	TeamViewer_Service.exe
5776	TeamViewer.exe
2732	tv_w32.exe
5148	tv_x64.exe
1320	crashpad_handler.exe
3660	MicrosoftEdgeUpdate.exe
4348	MicrosoftEdgeUpdate.exe
2156	MicrosoftEdge_X64_121.0.2277.128.exe
3832	setup.exe
5340	setup.exe
3068	MicrosoftEdgeUpdate.exe
1088	MicrosoftEdgeUpdate.exe
4712	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
5496	MicrosoftEdgeUpdate.exe
2380	MicrosoftEdgeUpdate.exe
4848	MicrosoftEdgeUpdate.exe
5796	MicrosoftEdgeUpdate.exe
5920	MicrosoftEdgeUpdateComRegisterShell64.exe
3236	MicrosoftEdgeUpdateComRegisterShell64.exe
5200	MicrosoftEdgeUpdateComRegisterShell64.exe
4424	MicrosoftEdgeUpdate.exe
5404	MicrosoftEdgeUpdate.exe
3672	MicrosoftEdgeUpdate.exe
3296	MicrosoftEdge_X64_121.0.2277.128.exe
4632	setup.exe
4008	setup.exe
4812	setup.exe
2732	setup.exe
3988	setup.exe
736	setup.exe
2716	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
5748	TeamViewerQS_x64.exe
3152	TeamViewer.exe
3372	tv_w32.exe
1392	tv_x64.exe
5968	TeamViewer_Setup_x64.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88AE912D-F121-47B7-941E-D634A5CA6570}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88AE912D-F121-47B7-941E-D634A5CA6570}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32\ = "C:\\Program Files\\TeamViewer\\TeamViewer.exe ToastActivated"	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88AE912D-F121-47B7-941E-D634A5CA6570}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\notification_click_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\EBWebView\\x64\\EmbeddedBrowserWebView.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88AE912D-F121-47B7-941E-D634A5CA6570}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\notification_click_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88AE912D-F121-47B7-941E-D634A5CA6570}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.183.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1600-2824-0x0000000073A00000-0x0000000073A0A000-memory.dmp	upx
behavioral1/memory/1600-2908-0x0000000073A00000-0x0000000073A0A000-memory.dmp	upx
behavioral1/memory/1600-4011-0x0000000073A00000-0x0000000073A0A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Checks system information in the registry 2 TTPs 28 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8201.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8202.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_1054e453ee23bcfa\TVVirtualMonitorDriver.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8201.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\TVVirtualMonitorDriver.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8202.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_1054e453ee23bcfa\TVVirtualMonitorDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8200.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\SET8200.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_1054e453ee23bcfa\TVVirtualMonitorDriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\TVVirtualMonitorDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46cf95eb-d0d5-9a41-a484-e2d110e4c484}\TVVirtualMonitorDriver.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Notifications\SoftLandingAssetDark.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\sr-Latn-RS.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\dxcompiler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe	MicrosoftEdge_X64_121.0.2277.128.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_ar.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\TeamViewer15_Logfile.log	TeamViewer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\msedgeupdateres_da.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3832_2144298193\msedge_7z.data	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_mr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-manifest.ini	TeamViewer_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\ru.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\mi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TeamViewer15_Logfile.log	tv_w32.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\	TeamViewer_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll	TeamViewer_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\psuser_arm64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\resources.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\msedgeupdate.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge_wer.dll	setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tv_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tv_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b0000000231e5-2388.dat	nsis_installer_1
behavioral1/files/0x000b0000000231e5-2388.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 45 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tv_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tv_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tv_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tv_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	tv_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tv_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tv_x64.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4948	schtasks.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\121.0.2277.128\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blizzv1	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvvideocall1	TeamViewer_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{88AE912D-F121-47B7-941E-D634A5CA6570}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvsqcustomer1	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{88AE912D-F121-47B7-941E-D634A5CA6570}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\teamviewer8\ = "URL:teamviewer8 Protocol"	TeamViewer_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerSession\shell\open	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvfiletransfer1	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvsqcustomer1\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{88AE912D-F121-47B7-941E-D634A5CA6570}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{88AE912D-F121-47B7-941E-D634A5CA6570}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0"	MicrosoftEdgeUpdate.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 897613.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 315434.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6120	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
4044	msedge.exe
4044	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
1832	msedge.exe
1832	msedge.exe
1928	msedge.exe
1928	msedge.exe
3316	msedge.exe
3316	msedge.exe
4336	identity_helper.exe
4336	identity_helper.exe
3692	msedge.exe
3692	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
4252	msedge.exe
4252	msedge.exe
3152	TeamViewer.exe
3152	TeamViewer.exe
3152	TeamViewer.exe
3152	TeamViewer.exe
844	chrome.exe
844	chrome.exe
4632	msedge.exe
4632	msedge.exe
4104	msedge.exe
4104	msedge.exe
5876	identity_helper.exe
5876	identity_helper.exe
5004	msedge.exe
5004	msedge.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
1600	TeamViewer_.exe
2288	MicrosoftEdgeUpdate.exe
2288	MicrosoftEdgeUpdate.exe
2288	MicrosoftEdgeUpdate.exe
2288	MicrosoftEdgeUpdate.exe
2288	MicrosoftEdgeUpdate.exe
2288	MicrosoftEdgeUpdate.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1600	TeamViewer_.exe
2168	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found
720	Process not Found
3048	Process not Found
3532	Process not Found
3836	Process not Found
1016	Process not Found
4400	Process not Found
2068	Process not Found
5800	Process not Found
116	Process not Found
1448	Process not Found
2940	Process not Found
4688	Process not Found
2052	Process not Found
3256	Process not Found
2716	Process not Found
5248	Process not Found
2836	Process not Found
220	Process not Found
2560	Process not Found
1936	Process not Found
5404	Process not Found
4412	Process not Found
3960	Process not Found
680	Process not Found
1704	Process not Found
5680	Process not Found
5532	Process not Found
5916	Process not Found
3420	Process not Found
2000	Process not Found
5424	Process not Found
4632	Process not Found
2304	Process not Found
5692	Process not Found
740	Process not Found
1516	Process not Found
2380	Process not Found
1260	Process not Found
5548	Process not Found
1232	Process not Found
444	Process not Found
2936	Process not Found
4596	Process not Found
1828	Process not Found
6004	Process not Found
6128	Process not Found
5240	Process not Found
5536	Process not Found
4488	Process not Found
5712	Process not Found
5208	Process not Found
5452	Process not Found
5940	Process not Found
5072	Process not Found
2252	Process not Found
5624	Process not Found
5880	Process not Found
5204	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe
Token: SeShutdownPrivilege	844	chrome.exe
Token: SeCreatePagefilePrivilege	844	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3152	TeamViewer.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3152	TeamViewer.exe
3164	firefox.exe
5776	TeamViewer.exe
5776	TeamViewer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3604	4044	msedge.exe	85
PID 4044 wrote to memory of 3604	4044	msedge.exe	85
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 316	4044	msedge.exe	88
PID 4044 wrote to memory of 3076	4044	msedge.exe	86
PID 4044 wrote to memory of 3076	4044	msedge.exe	86
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87
PID 4044 wrote to memory of 4660	4044	msedge.exe	87

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://odjajiasj]\
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac28c46f8,0x7ffac28c4708,0x7ffac28c4718
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8064227353553055210,6957272106757749059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac28c46f8,0x7ffac28c4708,0x7ffac28c4718
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9349655164895818447,16971566558046986455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Users\Admin\Downloads\TeamViewerQS_x64.exe
  "C:\Users\Admin\Downloads\TeamViewerQS_x64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbab0248dh628bh4044hbb9bh8df92151ec47
1⤵
PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac28c46f8,0x7ffac28c4708,0x7ffac28c4718
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,10030329447797480109,8611628605079371359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2920
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.0.1713876422\2050336883" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22e6bec4-bd9c-4bb0-a400-e55e17e4c867} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 1996 1c1cead3158 gpu
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.1.998952925\36637150" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2839d190-2fde-40c3-b418-9eab25deeed0} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 2400 1c1ce636158 socket
    3⤵
    - Checks processor information in registry
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.2.331730745\1942753347" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2892 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3edb50b2-1c6b-4808-9b36-a8b2002828de} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 2828 1c1d2b9cc58 tab
    3⤵
    PID:3548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.3.724344536\1125264445" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c04c9665-bed4-4e5b-a65a-b6f421abbc03} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 3564 1c1bae62b58 tab
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.4.1230364789\379095469" -childID 3 -isForBrowser -prefsHandle 4212 -prefMapHandle 4208 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {898eb7bb-a556-4225-bb34-c4f0885539c0} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 4224 1c1d3a88b58 tab
    3⤵
    PID:3188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.5.463023938\348918957" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5112 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a9cc13-418e-404f-89d0-58862692d2d3} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5124 1c1d3a88558 tab
    3⤵
    PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.7.1216561968\74539411" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {200ddc26-e91a-4c61-af51-eddff6402e92} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5532 1c1d49f0f58 tab
    3⤵
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.6.1203284111\12785853" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {681cf9b5-6188-4b63-973f-c5cdd79fe29a} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5348 1c1d49f0358 tab
    3⤵
    PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.8.2143530678\2124404169" -childID 7 -isForBrowser -prefsHandle 5788 -prefMapHandle 5784 -prefsLen 26206 -prefMapSize 233414 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ceae753-0cd5-4d50-ba31-dab9b87b57bb} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5284 1c1cef82c58 tab
    3⤵
    PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac2409758,0x7ffac2409768,0x7ffac2409778
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5492 --field-trial-handle=2032,i,11620800395885947274,8186641827584590354,131072 /prefetch:1
  2⤵
  PID:5248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac28c46f8,0x7ffac28c4708,0x7ffac28c4718
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,7557031236306450818,18146681142116824652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe
  "C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\nsd13E6.tmp\nsi1406\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\nsd13E6.tmp\nsi1406\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1600
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
      4⤵
      Creates scheduled task(s)
      PID:4948
  - - C:\Program Files\TeamViewer\TeamViewer_Service.exe
      "C:\Program Files\TeamViewer\TeamViewer_Service.exe" -install
      4⤵
      Executes dropped EXE
      PID:2520
  - - C:\Program Files\TeamViewer\tv_x64.exe
      "C:\Program Files\TeamViewer\tv_x64.exe" --action uninstallpnpdriver --inf "C:\Program Files\TeamViewer\x64\TVVirtualMonitorDriver.inf" --log "C:\Program Files\TeamViewer\TeamViewer15_Hooks.log"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2988
  - - C:\Program Files\TeamViewer\tv_x64.exe
      "C:\Program Files\TeamViewer\tv_x64.exe" --action installpnpdriver --inf "C:\Program Files\TeamViewer\x64\TVVirtualMonitorDriver.inf" --log "C:\Program Files\TeamViewer\TeamViewer15_Hooks.log"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:5656
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
      4⤵
      PID:4944
  - - C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe
      "C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe" /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3368
    - - C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        5⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:840
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5176
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkNCMDJBMzgtQzlCQi00RUZELUE4QjktRTM0RDdEQTIwNEUxfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxM0NDM0IzMy1EOEIyLTRFMzctOUM1QS05OTE5QTg2NDBFQjZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODEuNSIgbmV4dHZlcnNpb249IjEuMy4xNzMuNDUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjg4NzkzNTgwIiBpbnN0YWxsX3RpbWVfbXM9IjczNSIvPjwvYXBwPjwvcmVxdWVzdD4
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:2612
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{BCB02A38-C9BB-4EFD-A8B9-E34D7DA204E1}"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5060" "1112" "768" "1108" "0" "0" "0" "0" "0" "0" "0" "0"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4024
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2288" "1052" "988" "1012" "0" "0" "0" "0" "0" "0" "0" "0"
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:556
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{bf608007-8079-2246-ac6e-d656cb800885}\TVVirtualMonitorDriver.inf" "9" "4e60e5847" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\TeamViewer\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4360

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
PID:2988
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkNCMDJBMzgtQzlCQi00RUZELUE4QjktRTM0RDdEQTIwNEUxfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBQUJBNkMwQi0zNURCLTRGOUUtOEYwOS1BQjE2NDJCODVGNDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTI5MzA5ODkyMSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:3016
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkNCMDJBMzgtQzlCQi00RUZELUE4QjktRTM0RDdEQTIwNEUxfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQzNEMDMxNC03MDkxLTRFREYtQTlCQy00QjA3MkVFOTY3NUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyMS4wLjIyNzcuMTI4IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMwMjQ3NDA4NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMzAyNzg2NDc2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjQiIGVycm9yY29kZT0iLTIxNDcyMTk0NDAiIGV4dHJhY29kZTE9IjI2ODQzNTQ2MyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEzNTQyMjI0NDUiIGlzX2J1bmRsZWQ9IjAiIHN0YXRlX2NhbmNlbGxlZD0iNyIgdGltZV9zaW5jZV91cGRhdGVfYXZhaWxhYmxlX21zPSI1MTc0IiB0aW1lX3NpbmNlX2Rvd25sb2FkX3N0YXJ0X21zPSI1MDk2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcyMTk0NDAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMzU0MjIyNDQ1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9kNDVhNTJlOS01NmQxLTRjYzYtOWJkMC0yOGQyNDY4MzkwOTU_UDE9MTcwODkxMjM4NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1PVXJ0RHlOaGNoekZMQXY5V1VWVUElMmJnakcxOUclMmZuaEp6WGNpJTJmT3VtT2NZd01KallKb1M0bHViY1oxMmFIZiUyYnhaelFzZmloRXNLdkN4T1ZWQnJudFJ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iNzg2NDMyIiB0b3RhbD0iMTc0OTYwNjk2IiBkb3dubG9hZF90aW1lX21zPSI2ODciLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:4148

C:\Program Files\TeamViewer\TeamViewer_Service.exe
"C:\Program Files\TeamViewer\TeamViewer_Service.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5840
- C:\Program Files\TeamViewer\TeamViewer.exe
  "C:\Program Files\TeamViewer\TeamViewer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5776
- - C:\Program Files\TeamViewer\crashpad_handler.exe
    "C:\Program Files\TeamViewer\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports --metrics-dir=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\28c960e3-f2b1-426a-525a-3818d8782d34.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\28c960e3-f2b1-426a-525a-3818d8782d34.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\28c960e3-f2b1-426a-525a-3818d8782d34.run\__sentry-breadcrumb2 --initial-client-data=0x990,0x994,0x998,0x98c,0x99c,0x7ff7ad303590,0x7ff7ad3035a8,0x7ff7ad3035c0
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Program Files\TeamViewer\tv_w32.exe
  "C:\Program Files\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:2732
- C:\Program Files\TeamViewer\tv_x64.exe
  "C:\Program Files\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5148

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6120

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3872

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5144

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3580

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2988

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4464

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Checks system information in the registry
PID:3660

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4348
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\MicrosoftEdge_X64_121.0.2277.128.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:2156
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\EDGEMITMP_49B55.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\EDGEMITMP_49B55.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3832
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\EDGEMITMP_49B55.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\EDGEMITMP_49B55.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1E844AE6-7497-46BD-A660-39EDBAD10CB4}\EDGEMITMP_49B55.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff7573a1d88,0x7ff7573a1d94,0x7ff7573a1da0
      4⤵
      Executes dropped EXE
      PID:5340
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzZCODRBREMtQTBFNS00RTg4LTlDREItQUEzNEYwOEI5NjBBfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswRjVGNTk2NS1BQTUxLTREMjEtODM1OS1GNkE1RTQ0RUZCQ0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyMS4wLjIyNzcuMTI4IiBsYW5nPSIiIGJyYW5kPSJFVVdWIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQyODcyNzA3NDgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDI4NzI3MDc0OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDU5MjQyNzEwNyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2Q0NWE1MmU5LTU2ZDEtNGNjNi05YmQwLTI4ZDI0NjgzOTA5NT9QMT0xNzA4OTEyNjgyJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUtPa3pMWjlDZFdSWDlKUEgzekZLJTJmelNQYTlnRWU0Rks2WSUyYnNKSlp2TEh0JTJieWhJZGcxQ0pJSW56WVg0VTZJMHdOYjFsbXk4QmVjS1dXYllrbXFyWkFnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDU5MjQyNzEwNyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZDQ1YTUyZTktNTZkMS00Y2M2LTliZDAtMjhkMjQ2ODM5MDk1P1AxPTE3MDg5MTI2ODImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9S09rekxaOUNkV1JYOUpQSDN6RkslMmZ6U1BhOWdFZTRGSzZZJTJic0pKWnZMSHQlMmJ5aElkZzFDSklJbnpZWDRVNkkwd05iMWxteThCZWNLV1diWWttcXJaQWclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSI4OC4yMjEuMTM0LjczIiBjZG5fY2lkPSIyIiBjZG5fY2NjPSJHQiIgY2RuX21zZWRnZV9yZWY9IlJlZiBBOiA0ODE1NkE0NDg1Qzg0NUI2QURDNUE1MTE3NkYzRTk3QSBSZWYgQjogU1RCRURHRTA2MDkgUmVmIEM6IDIwMjQtMDItMTVUMTA6MDQ6MjBaIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IlJlZiBBOiAyODI0MTM5RDRCOTc0Nzk2QUFEQkI0MjdFMTY3NzJEOSBSZWYgQjogQ0gxQUEyMDQwOTAzMDIzIFJlZiBDOiAyMDI0LTAyLTE1VDEwOjA0OjIwWiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc0OTYwNjk2IiB0b3RhbD0iMTc0OTYwNjk2IiBkb3dubG9hZF90aW1lX21zPSIyODIxOSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NTkyNDI3MTA3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ2MDc0MjcxNTYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1MDkwMDgzMjM3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzQ0IiBkb3dubG9hZF90aW1lX21zPSIzMDUwMCIgZG93bmxvYWRlZD0iMTc0OTYwNjk2IiB0b3RhbD0iMTc0OTYwNjk2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0ODI2NiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:3068

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:1088
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{93AEA42C-D3E8-4BC8-8D9B-A94522CE095B}\MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{93AEA42C-D3E8-4BC8-8D9B-A94522CE095B}\MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe" /update /sessionid "{5B2CF23F-A8B8-4FAB-A412-A8D54FB43700}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4712
- - C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU7F54.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{5B2CF23F-A8B8-4FAB-A412-A8D54FB43700}"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Checks system information in the registry
    PID:2380
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4848
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5796
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5920
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3236
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.183.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5200
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODMuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUIyQ0YyM0YtQThCOC00RkFCLUE0MTItQThENTRGQjQzNzAwfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7MUE2RDg2OUEtMEI4NC00N0I2LUJBNzEtMkEwNkIzRTE3Njk0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3My40NSIgbmV4dHZlcnNpb249IjEuMy4xODMuMjkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MDgzMDc1ODEiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1MjE0MTQ1NzgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      PID:4424
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUIyQ0YyM0YtQThCOC00RkFCLUE0MTItQThENTRGQjQzNzAwfSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxOTQ4ODY3Ny1BQzU0LTRCOEQtQjFCNS0xMEVGOTkzQ0VFMzF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzMuNDUiIG5leHR2ZXJzaW9uPSIxLjMuMTgzLjI5IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxNzI0MjY5NzUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxNzI0MjY5NzUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1MTgzODMzMjU3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvODE0Yjg0OGItYTRlNC00OGY3LTlkYzAtYjE4YjU3ZjZjOWYzP1AxPTE3MDg5MTI3NzEmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TjBkcWNRRG5ocER0Q2ZwT3ppWENnRVA2ZU96aTVjWjhpZUVVQVBsNE1Gc0NWbjc0MGJpRG1GaThXUyUyYjIxaEslMmJocDZCcDNMNnJjUGZLQXROYXFoT0h3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxODM4MzMyNTciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzgxNGI4NDhiLWE0ZTQtNDhmNy05ZGMwLWIxOGI1N2Y2YzlmMz9QMT0xNzA4OTEyNzcxJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU4wZHFjUURuaHBEdENmcE96aVhDZ0VQNmVPemk1Y1o4aWVFVUFQbDRNRnNDVm43NDBiaURtRmk4V1MlMmIyMWhLJTJiaHA2QnAzTDZyY1BmS0F0TmFxaE9IdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjE1Mi4xOTkuMTkuMTYxIiBjZG5fY2lkPSIxMSIgY2RuX2NjYz0iR0IiIGNkbl9tc2VkZ2VfcmVmPSJSZWYgQTogMjYzNjZCNzBDQzZGNEJDMzkwOUUwM0M2RUMyQTIzREEgUmVmIEI6IExPTjA0RURHRTA5MTQgUmVmIEM6IDIwMjQtMDEtMjdUMjE6MTY6NTZaIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IlJlZiBBOiAxNTM0RUI0N0UyMzQ0NEJCQjY3NjQxM0IwMDBENkU5QSBSZWYgQjogQU1TMjMxMDIwNjE2MDExIFJlZiBDOiAyMDI0LTAxLTI3VDIxOjE2OjU2WiIgY2RuX2NhY2hlPSJISVQiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTYxNjQ1NiIgdG90YWw9IjE2MTY0NTYiIGRvd25sb2FkX3RpbWVfbXM9IjEwNzgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxODM4MzMyNTciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUxODg5ODk0MzciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSI1OSIgcmQ9IjYxOTkiIHBpbmdfZnJlc2huZXNzPSJ7NkUzMkQzMzEtODkwMi00NTcxLUJDQUUtNTM1QURENzZDMzUxfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNTI3ODExMDUzMzc0ODUwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iNTkiIHI9IjU5IiBhZD0iNjE5OSIgcmQ9IjYxOTkiIHBpbmdfZnJlc2huZXNzPSJ7MzJFNjgwNTUtRkZENS00OEE1LTkzN0QtNzdFNzAxOTU5MTAxfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMjEuMC4yMjc3LjEyOCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iRVVXViIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2MjU4Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7OUE2QTUzREItOTg2MS00NDdDLUFGQ0UtNTdEODBDOENENkY2fSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:5496

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
PID:5404

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:3672
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\MicrosoftEdge_X64_121.0.2277.128.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3296
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - System policy modification
    PID:4632
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff78e641d88,0x7ff78e641d94,0x7ff78e641da0
      4⤵
      Executes dropped EXE
      PID:4008
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4812
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff78e641d88,0x7ff78e641d94,0x7ff78e641da0
        5⤵
        Executes dropped EXE
        
        PID:2732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
      4⤵
      Executes dropped EXE
      PID:3988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\121.0.2277.128\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff7bc1d1d88,0x7ff7bc1d1d94,0x7ff7bc1d1da0
        5⤵
        Executes dropped EXE
        
        PID:736
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODMuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzhDRjY1ODQtRjNGQi00NDcxLUFFNDItMTdGM0MwOTBGQ0M3fSIgdXNlcmlkPSJ7MjM1RDQ4MkUtOURDNy00Qjk3LUI4RjQtQjNBQ0UzMkE1NTg2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4QjIyREMxNS1BODdGLTQ3NDctQkJBNS02NTE0RjM4NENDNzd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTgzLjI5IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC44NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByZD0iNjI1OCIgcGluZ19mcmVzaG5lc3M9InszNkVBNjNGNS02RDgzLTRBMTMtOTE2RS0zM0YxMzk4MDYyNUR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iMTIxLjAuMjI3Ny4xMjgiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzUyNzgxMTA1MzM3NDg1MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTgyNzc0MjcwMzMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTgyNzc0MjcwMzMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTgzMTEzMzMyMTIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTgzMjcxMTQ1MzEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjE4Njk1NzA4MjUwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iOTY5IiBkb3dubG9hZGVkPSIxNzQ5NjA2OTYiIHRvdGFsPSIxNzQ5NjA2OTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjM2ODU5Ii8-PHBpbmcgYWN0aXZlPSIwIiByZD0iNjI1OCIgcGluZ19mcmVzaG5lc3M9Ins1MzgzNTRGMy0wMUM0LTQ2QTctOTg3RC1EQ0MzREQ4QTVBQTR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyMS4wLjIyNzcuMTI4IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJFVVdWIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYyNTgiIGNvaG9ydD0icnJmQDAuNzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjYyNTgiIHBpbmdfZnJlc2huZXNzPSJ7NkIzNjQxQTAtMDE3OS00MkIxLUI0NkItQURGMTA3RUIxMTZBfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Installer\setup.exe

Filesize
6.6MB

MD5
7a4813d6dba0b2abf7376d79e068afb9

SHA1
a790f1518cb919875b603fc180e92f96c9e076f1

SHA256
dec061040fb655f176211bc8a3fc3a0c6d096f23d35129804a98261f1534447e

SHA512
6d93407376271abb5c902b6f508c33c83fa7e69fb192a61efa4d7a825b7abfdbfdf7b8a5f934857082a2976cd9cfcdfae1d76596aa4a2f1bebb3d712e6f6e4b4

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A6BCB126-63E2-4174-BA93-5CA6AF83A684}\EDGEMITMP_3A7DA.tmp\SETUP.EX_

Filesize
2.7MB

MD5
0ed7bbbdacbbd94c0760abb77afda11e

SHA1
3479618828b563ae2085904f69fff8e23a3641d1

SHA256
f624dac76d9a82c87f9c40c5726fb1a5141e6daa4300282d45c873d86a90a4a2

SHA512
46e4f6e15eb52eb8078428f720d0173ffcadfa46acfba51d4142b371329147815be7ab688f4a35eedb92471a5f5092f4d1650015591248dbf19a69a792997832

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU84B0.tmp\MicrosoftEdgeUpdateSetup.exe

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
c50b449e30d69096ec2e846d32b9ea7f

SHA1
f77043a0ce863bb720b84d989d583ed21606abf7

SHA256
547e43a4e2b4940bf7b42114ba8b6820c57fb6bc91a3b47565d2d8f412f3b95b

SHA512
9d6fbafd86e31bb60cbd15eb052348d75f2497d1e3aea888489644847ed8b4f236366ac61706763531e9abc8aa7151f3c1ad4cdf2b037d9adc17cac1edc43bab

Download Submit
C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe

Filesize
68.9MB

MD5
bc8786bb6cc5cb2dad6810cb77d016b4

SHA1
d8281321345a28c3a9f66b167a11bc65e06a2e58

SHA256
399fc8fa99336440ccb445833596eb6ac937cff5013d135155e8599e0fef3d5e

SHA512
e8a09ed7369c865f15738b6475f1ebe9bb7c847348a81440c1712f8354c5550ac46e84f15e2b2a8b01a0e3ae684fdd6fa44b8de6c8375034cd73bb117d2ecf41

Download Submit
C:\Program Files\TeamViewer\TeamViewer.exe

Filesize
65.1MB

MD5
e4932194febc950babd3b9a8c989c01f

SHA1
34dd08a7a3282dab3bb7cbaffff72a1dc4b7f01b

SHA256
7aaf46b43474ef24dd4c66d22457e69eee2b4b6174fee19c4dfea3f9b06d4ef7

SHA512
92bde7ff602b26cbb8abac83d517e5c46b5aff07971cab5149a40f66ee907ad5c07385254cf88cdc5295a4b1e2a5a96ed4c3a264c1630cc9cb16ca4b8243fab5

Download Submit
C:\Program Files\TeamViewer\TeamViewer15_Logfile.log

Filesize
44KB

MD5
ba2d19fbd7659f0735499652da700bcd

SHA1
4eed375514cbf7b2764aae93f62e6a48c38a52dd

SHA256
3b1a6e45938c131d2da309915a1a69d5da89da6bbd8ff978b7c87145c76253b9

SHA512
2c031b84352acdc53453cd6a496e653f2efbd0d7f3302f33b49a21f3740cb7764a2e8004579dc56b950fb91e9cdd13585cdcee9a550fec1a4eeabc60452768fe

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Note.exe

Filesize
636KB

MD5
5b25ae37b4c3d76cb96d7aebf4694275

SHA1
9ecb3e547195dbd3f2c48939b28d3363b40d10c5

SHA256
2628944ccaffaa5a8754682d86ddc091a01f17346513dc8deaf119ac08f89997

SHA512
eeec5055ee303fe3ffe3d743c86404e062b7f503652749589fe8d5ab6751ec649d0876a9b8346847607336c6b8a1a11dace68f0705e166f2d51b4d7908f6fcee

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_ar.dll

Filesize
372KB

MD5
a8b556543df66307d3a82bd4e6d22529

SHA1
c6cd0e99e235cb7a12d7959b9841c5c074b065e9

SHA256
2bce5388c82beca5ee298531b5af6b32fce96170f5b4cbef540c5abc1de48d71

SHA512
42938fbd54866ac7ec8b6020b43e08ba8c209b75621b96aa7fb8c9d92072c7c6dd9d43cdd02c9a65fffe54d0ac84abbdf951b4675ae2c8433eaae30531e115cb

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_bg.dll

Filesize
435KB

MD5
79b4aa8962d42bb637055427474e3d23

SHA1
3a094ed028b540d8759054d7132380210ed9fbca

SHA256
474ef76be1b87bbbeaea99062fa26a0b406d7025299ee4841af159e40c2e702b

SHA512
8fa320099b046da415fd195b7cfdb324916bb9af31adcce7366692ad26ebe310c38e7915d960688269e47c39957c48ff67c12b9e7047ab902dfab074118ae37d

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_cs.dll

Filesize
406KB

MD5
dfe945b6a9afaa3703ee4e3786b9c3c0

SHA1
24f22abaef1e55e8c0457d9dc1f5bb31e441eb2a

SHA256
17299c83489f208fbcf8f23071ee98db700fad3e838948256a6973c7b3966941

SHA512
89dcb4210cf7c7a6427d82e6aa9ee205795da7306c182209f0c33a1c368def1ac4ac32a147efa3bcc8616ac3394d0e6477a17425686974bd2dd808c07bba2440

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_da.dll

Filesize
399KB

MD5
c7e8044595ba0d3747590052c23faf72

SHA1
4bc3aac4b1c89b48c414586f65f3923cfa5560da

SHA256
60d36c363bf7181a50c30c28256846db767a3a3b05bb4a15ddbb8c9d0a7c2400

SHA512
0cd50e14fd89f186fe58604e293c8432cbc6bf9313837677c1c8af2b0ab7ff6006e874a4b4b5724dbc4d4448f589733ba25005274d90e25c7830ab77f0b54c2f

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_de.dll

Filesize
446KB

MD5
e150b473063bc435e6f803fb58d5fbd6

SHA1
e6965db67b9a1b67269c684e8aeb25038c8ad5c1

SHA256
b21bf2a8f58bd7d2140e0593ee9d1e87e816d3f5e531c275bc26db164657e829

SHA512
40ebe20e34e72149af3ce316c9fc5e50ab143250748cdf8cd1ff6eeab12b7ac832c882bb8c7b8116c61f43707e03f55f192cf17c6850c0532fb0efd540affdae

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_el.dll

Filesize
474KB

MD5
60bd399174e1d075ac3b01239c3d24bf

SHA1
3ab3d767c4c7523a63e2a9bc3c8a9524911bb667

SHA256
95860cf00dafd73f58b5b7ace812ed829a60d925ac98892231810f15cdc82044

SHA512
f58caf3ff5c21e5de6b75b824d779f8c3f5a07a5e9e3e6a8da320e20affc0eccf4247d5e89a15e1ec63f33d84c088f6635683ee59963d3aaf77dd912ae92eb4a

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_en.dll

Filesize
390KB

MD5
ad3021d2edc632c2608429edc2aae71f

SHA1
7acc02c178b37b946468adabdd39bc6e9284f096

SHA256
81e7cc78e1d387099978c5327b323446c17e9a922bf83bf6e922f1e7925a6b92

SHA512
7c62ee328a5b79de9a02a5d972256a98d10b336f888475204f39af2b19ebc8dc292553141c695c5e8a729067a929c7bf8008e8b07d30eeaf90ea8aeb0c9dedad

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_es.dll

Filesize
443KB

MD5
35e3afba0fe64ab53c5b417d7b814deb

SHA1
8e7ba2a142a76b1e8f17c73b971ce7a19200d2db

SHA256
557e6e2b634d226ace658ebacdcfa5480fa7846541068a1e5f965c94b8b7e634

SHA512
9a15ec191600f3702391eb92e8db89f9d0e6cb9108d586fa08cafafd29d120bf61bbb5d6e7c4e58a2a9c3aab4f9e707da3736b22bae2bc279e8b1a1cf09a3eb0

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_fi.dll

Filesize
401KB

MD5
e423be52e393ff07cfc9ab96c75f2dc5

SHA1
93a39efe98b975c274900582abc7a0e54101a0a1

SHA256
79b2c00ebe337a1c93ade7acc4a84c980c048fff399dfa40bc953b696933aef9

SHA512
2aab027908dbefdc94b6908a8f64b1e153eabb5826adc0f2cd1e7a06bae5191c68145377d16c2b65270ecaadb91fb19fafa9ce2f35e600f361a67c83d63e233b

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_fr.dll

Filesize
462KB

MD5
c25cb8f109cc26218dce43d8816c115b

SHA1
74286c930d4005ed387ece4318960dd875fa5939

SHA256
40f01bf69c051b202efee9c43b6e4aabf95d2f7593d1d935e00d49bcf2966034

SHA512
cf96378427ae1f407d46b84ee8eb85738ef555d54bfdb2fef4605574e185a42644a82366fe7ba0cb7bbed568be2d93bb7fd037e4a455be9969a7626e7d31b8ab

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_he.dll

Filesize
327KB

MD5
c0948b52f1dee466673cf7f2f8f1e51a

SHA1
58d75aee4150142968aa458611a4f7aa2e7bb5e6

SHA256
83a5c19ecd2b77ab198d2041a19cfc9b3d7de071f5349fc997d5a971c70a4557

SHA512
44532e1d3d4700faf3955315936b292982d214f3e430b51e8146b6b57d60c35986e43f70ef463021f5618a5f12d593d0af192bde96fa4d3a182f3c5946b6eff9

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_hr.dll

Filesize
423KB

MD5
faf1ea14322d868f4ab2cafea53548af

SHA1
b5faf5f1247a62eaa862faecfe512a7266f7fddf

SHA256
75a9f13d01fd1a99585d37cc63d76144d75ea7df94263c4032c1a4167ea3465a

SHA512
e8ae6c7c633a88de166c90784425fa288c105603c79841f1bd19054e98addd9102068465eb8067948dfe4a6d31d57f7b65f0c5fcea9806c9f0856608cec8ce24

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_hu.dll

Filesize
436KB

MD5
3832e948804d43ac976d8e2b0a43bc3f

SHA1
b4f565e4989652cd0b11a201b41e1dff88be1eee

SHA256
70d532435ba56adc1faba97b57f02183a7bd3ab5f1cf3a30bfb2268da41d5b2d

SHA512
c6f11bea1d9110bd3ea23433b82aec9b01e345cc1e6d1af787b9b15501471785ecd3e22e7ddf48a29da807bf82f3491d9186b5f7aab997cdffbfd11a64c3e0c9

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_id.dll

Filesize
407KB

MD5
4f27fb3c5910575c1b5346bfb0e63423

SHA1
3ead34697011bfee996c0284edf48ddc1cf8f5e2

SHA256
6bd170b820043e9fad422aa9586db8f3afe4ffd3d6075d2e02994854a5886c0b

SHA512
9d99f7b1f48a5d6c1dc068fa8e735e47bb39553dcc94b8624a36e3ff98bd06fc510d1f8124116647c1b4aac0003cebc982c094246fdf9eee94b0ecc79c5f7be4

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_it.dll

Filesize
439KB

MD5
b4e5f0baa553dd789faf3f4d304fa67a

SHA1
bac9fd62a19db0bd8594e097036cfea4514d6202

SHA256
8470a32173a48594297cf39f6ff9656e56b9636921864c64f3e68ec2ac65d239

SHA512
ec6b9b3dd0ac4f36fdb25b5c8401e93f3ffe65334486a4f71417f4d348d3426a2233099aa2b332c20e55b368059f16f7248b31510cf5b0dd84ccae11e34afffd

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_ja.dll

Filesize
249KB

MD5
f410a3c934b4d04ea577fb0abeda8b27

SHA1
c6313f96804624588280f01765cb48c990634bf3

SHA256
fc5145543974abf13678bdcdfbf1abbcc918ed28d8830ac2d4700b098708deff

SHA512
ebe77ef0281783966ba22167b0e29d62fd42e19b947c58f2b93f317df71b15fb6f1a2467568d9801b15bc6a9903216ba077d0176fa55f630ea5af44b4c1c3cf0

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_ko.dll

Filesize
242KB

MD5
c74f2b02a902c6769a237800f46902d9

SHA1
a6f0c7a07a8032d7e74fb70ebfabf5c6ab42e27b

SHA256
70a4ab0ffdf84cd511ccc3e23fb89fbaa16291de96380611298cf68c4382756a

SHA512
dbefa737741c6575a62e9636cdb5300327895fdc9cbc7bc4415ec00258fd2cefeec1bbeff1572a84911796a8d88f35c9f9d39ddf7215d1cbd8274999459e7958

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_lt.dll

Filesize
429KB

MD5
a53e85292fe5549b86f197003e64866f

SHA1
25fc393023b8fe08727fb9db43f5582402ba0be1

SHA256
8a8cbb208ed4a6d03ce74c812110d4aec30b7a7704af48f9c93399fd3aa1f270

SHA512
c18e52c54bc5411b6bf374723de97ef7762220d61878fa074ab01c2d0d186deb39ab22ebe8ef481281043828d9704c7d2fb7d0586b1fb4c16aa13acff6bbb909

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_nl.dll

Filesize
432KB

MD5
f4af28dd5170ebfa73d1e1ca4cb1e944

SHA1
9df0f05052ea97f425599d37c5c5c0c236e0315b

SHA256
b259a71e220dd70fca83192fb17f170e47a62d7aa3e3090d4bc373c4ecc3940b

SHA512
f2429ae93d33e9cda04142ab378ecea28357100b32b5b9ac460eaa5def70bb90cd60634263b50ed55de164d2cb9a091c9151c59ffc5cdfefa2ba6b82be0eafdf

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_no.dll

Filesize
395KB

MD5
c20a05c242cf4a19fc7d01981b8caa9b

SHA1
28eaa9524fc540efacf2b8fd4115eb30fa86ab2c

SHA256
d2f6ea4f63332cc2d7e6c1e49eb0e05cb331da9bc5036f81c4e18db8eaf68cad

SHA512
43e1b18d8eec91f63c32a9522f8af023ab807f0e87a5f84bf28440b01af15cc90e9d2c33adbed8a48d84bf073eb7dda4ca111c5ebea26c647411d46fb9764d15

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_pl.dll

Filesize
432KB

MD5
01aa5fb812c4a55c2955c2dce4f2da0b

SHA1
078cbe6eef144aa467cdd23b44f5d12b5d8ee839

SHA256
c844e7293dfbf208521407fff4f2bc9ca6a7843c268f5192b6d2737affb82ba7

SHA512
20c8a1025085f63e9bb8e74e7cb22d1529ea0e0d9dc196f22787aa46131ea83328a6202594e7ec8035513c453a975cc4d5152073d270d75dad4f22593022bce3

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_pt.dll

Filesize
426KB

MD5
5adcd3330cb4d75dff04565305142e38

SHA1
2ca56e185fa5db2e905762d693c4b9a4d498672e

SHA256
53bf632bb73f354b6647b809787ea59157accfe2f56f17454923a8308aeeeacd

SHA512
227e3ccf1454be5ce84833e5cc0be62827f0415a1815c6e71edfce79e286d15b813986ec6429e046b00d0a58ffaa9c5dc17424b35a8b0553799e0df1ef735598

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_ro.dll

Filesize
449KB

MD5
9d8bed2cb7d9cab0aa35054d7208ee44

SHA1
2e2b9d714278865f325234e90fc48bc4ec4bb6ff

SHA256
02f883402304aa9201727d8f79d7db06ad8e5fefee2a0d2d0a8e0ea10b48c227

SHA512
917b72a7491574a10b0fe1590a034fbe389dd0b5c61fb2a95d8edd8a403ce362cd0ae55936d39b8a2925c21fc1f892f41be7025c661fcac7a438abbe6b22eea9

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_ru.dll

Filesize
433KB

MD5
49eb222c22eb9660669e77d4f04fbf81

SHA1
1556ab372a4c8cac0d34e942d28341e74ea60915

SHA256
39e958875950608c48b9b7df748c48f01ecce9fc8ed2537cc6afed53a9dd5b56

SHA512
9f3cfc102ee7530d22854070be9949ac131b3dcb73987c621265b4551e3a4cbe1ffdf0118fa7488e7626104d11746b492f5aeabdfcb08da557b6cbba0571a326

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_sk.dll

Filesize
418KB

MD5
8e25a355e29f3aa4fd6eeb06b52e86f8

SHA1
4151e5a389b81867ce8f968d4187307e3cd7504c

SHA256
817e134b29e61589962a98a11ca58501faf38525d842087cd47c74dda3245812

SHA512
6ffddb0617498bdbc76174079a91792cc7b71e5f89f5ca7c337407ce7637a026c097a61c6310daa70464fbe5bd16c320cab91a06bf770023c8784a3c653d8618

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_sr.dll

Filesize
418KB

MD5
b3fd6da7c26b825c76bee38ff976a733

SHA1
c5cbcdf86aad6789dba88962fa34b65a37229df7

SHA256
bf8c75eea9792e76490754bf63238fa61da872add6a478dedbdd86333ebc8d8f

SHA512
3165cbc367d8137744eb206e7edb888683459ae9d0e2471063224663b1ef3897a62eedae6989347557f99a05012c0d406cecf30c2ff8772b61ad745a1cc02f99

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_sv.dll

Filesize
398KB

MD5
5e05ea7238c3d446495d9430d7c4a926

SHA1
6716ba32f515aa52f63f2bfb8a12c133710c7a71

SHA256
34b083d47e6e93f1a0d1b00865cd6bfef1385b98feedf05d89850fab6829f90c

SHA512
ee8fc2010f90d9b81a588765c0bf826abcf900c26ba15fe0e17054dddd9fb618c60bd2b055a2c0fe31a536facf059f1d07932fcb183e4a104974ee8b7c2a9bd7

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_th.dll

Filesize
386KB

MD5
da78240dd0cea6442b94c0a7ad0be1ad

SHA1
a2e6c1a9d82d257254c8cc437f53442418f864d6

SHA256
d41d47ffb684986747941f227dce7b85719c7a7406e9e94bb25e81348525aca3

SHA512
a0d0a18d59d61d9d7fed173d21d30ce8e5c89a353e0511975e0b5d5cfa910791b00a243aa1062d4c591a25bb320161661e89b5237a97973f376fca5771965e23

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_tr.dll

Filesize
404KB

MD5
c57e45058cd4f71293f7e155bb96339b

SHA1
65887cdf24b48298b4d862a524ddbead39fbd316

SHA256
67ea7e147cc3590d809d310f65002c4a67fe3fa7ffbcfb91362de352ab6afc33

SHA512
d44a71f05c9607893532d82b00eaa31c0236a1967e1c252a13a50f3e918c48ed413c56e6fb1dc67828f40f54da5c010fb933b1e4cec9630379319408a942ef1a

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_uk.dll

Filesize
428KB

MD5
315a6b4a27ff859b8951a2315d255b5b

SHA1
3dc2b85e2f3c542ecc1acb70073792d51ed5700e

SHA256
7a23e091a5d3af51763401b24f72d1661f239ca673bfe672b478bc0b3c7c8f8c

SHA512
5bf207bab968036f0754b5bbec271497476addcf9964a6c614336e55e311768e9a9f26c20f4075aabd49478ed78977285f2d7492cc5ab153a7941b64c8e20927

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_vi.dll

Filesize
433KB

MD5
fbb0cc3f7593441236f1dd8fb7aded6e

SHA1
76c9160d7970fe3adb932ec5bed8f601e22ed1c4

SHA256
8a8e65fc684ddaa342704fbcfa3debd45f7228fe12ef252c705931049ca02b11

SHA512
9961692692a6d58fdd90a62818daa30d691a2868a72a702165748cc643dbacae43f309c111a8f3eca12da7945243b08b0eaae114d714331d431dbc8da618cb0f

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_zhCN.dll

Filesize
189KB

MD5
8eedf4f04ac5044a31d65534718805fb

SHA1
fedd20bccd58d2898b52e5b0e7d9a2c178eade8f

SHA256
ecb16edd97ec1b665a74954114d14d3d0c59707da69e640c12a19e2eb3d39660

SHA512
da09e03a83a26f8180e913946a46fcc1a9da8e3b21c7fdff40528403b0e103fee787b6596dc9cdba0e53073abab30c7c307c173c58add7680f459a9e1ae8aa64

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Resource_zhTW.dll

Filesize
190KB

MD5
f0a67a30ef7ec8d75a8a52cabe9a9e18

SHA1
318c07550b37f4c53665b4fd6cacbf9c15956b38

SHA256
07f1c426234f98e4b85c014eb52ed488648145ce9a02d193127ac16325024786

SHA512
5c1b8da0286971d9e8b33f11baa3b26d94c63953d226a85b281286f16d9c4bde0e47a8e3a0de179f5c09dee406079946157a516445da20887f4003fac6140642

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Service.exe

Filesize
20.0MB

MD5
fa4aa1dc8171ac9024aa7c646dbe2b36

SHA1
9c41d160973442e908c572b290a6e5f7c4217048

SHA256
344d6ca88d0e256b7f04d9352f7b13914efa7a748a0423f2e239b5e73f1bc414

SHA512
5d1788a13fff6591c1e6431f195c293053412edbc16379500241ca69138c9ab577afccf996c498cd323626330cdbf01d08bd396e5b13f3cc4bb776586332961e

Download Submit
C:\Program Files\TeamViewer\WriteDump.exe

Filesize
506KB

MD5
92877942fbffeaa13ed64ec34c30ef4b

SHA1
0f0620db4de8a52a06830bc0a57efb4d590b394b

SHA256
d1e259745f48ed0e07e702badcdd005969f3380662c6feed5669607ec0d199df

SHA512
2d74ddb31e7ac26599156f6086631cc1efab83271d2ff8e9cf9f57704178f7e460206e551c166117caa674be102b16e41e4b1365d18c292085a90ea65fc420bd

Download Submit
C:\Program Files\TeamViewer\tv_w32.dll

Filesize
468KB

MD5
621d655a3a1ce63af3132cdd50247386

SHA1
2818b81f751aebec6b97d80bf14c1756452a4551

SHA256
68cb240c80cba3ac7b2ef9e6bc9cd8af377347f80e06cc928e1f21083e5a8100

SHA512
da42591565e2c7386b4c9fb56c907f8c0c030684ccdeb4d2e16949595cd9f16e70648dfdc625baa78cf3cead0d25e0705ec5da1770d05d9cfcd3873faa130b60

Download Submit
C:\Program Files\TeamViewer\tv_w32.exe

Filesize
350KB

MD5
8e07556b0be3b6ea1212dcf61ffb90d2

SHA1
62147cbc16101bb994df417b26b367e1aff7b794

SHA256
5cbbff20f09a5317ad6c0384e7e942ae1f5bde9a44df20adf536ccc2e4641cb9

SHA512
336ae6c3675bcc2fe7967212601f9885a6ece0e388185cce852c6df5174ec1bcf0accfe0805c3fa71106285f69846702fa41ede66c3f330d57860f0c12d65a4e

Download Submit
C:\Program Files\TeamViewer\tv_x64.dll

Filesize
597KB

MD5
73f8782219f4a984d8a62f176ec2a6ec

SHA1
07288cbd6ff5204ed7d590550d854d3dacbfd570

SHA256
9941bd0b045b2fd3848804e0dde0d17137e6617491212aa8b98aa0f6602e6157

SHA512
06465a4b262b9f0af9dd04785fea8f62fa1e9ca0e43eaf9740457a6dfa6c9df4dc6f84cc24e1be0aab29a2bf3d6231adb0608dfcc7691358ef932cd84ef5829b

Download Submit
C:\Program Files\TeamViewer\tv_x64.exe

Filesize
415KB

MD5
76d4e976b6e55bb2aceaa1fc50385b66

SHA1
9f1c57933d9eee83e144ebaf9909a3e6dc1b8352

SHA256
c1038a63515c35bc21b3ad16fafa070240eadc6e3fe45dfbcbc3f708ce2b7cc3

SHA512
20476785a8ab0ed72b727872667dfb14bb33ab72bb0da84c318b189f6a62cee9c63d754d25b1560ac28c55b41b65368b3b52a520372373998b77c394f24bae58

Download Submit
C:\Program Files\TeamViewer\x64\TVMonitor.cat

Filesize
8KB

MD5
1f2380a5474583dba929f761a760546f

SHA1
561248613c6f443d8a993900e2dbebf3b718a660

SHA256
143df27418b1eaf375bed6291765e2e77166830d6216a6bfb71a075735f05da5

SHA512
4309403df0a29c53190833aa13a6e67a4501650b77106bc62925f691dffedcab184b6df3b8ba750e0a8fd4c9b6e0919b729f5bd250413178cd7a4ce287241aed

Download Submit
C:\Program Files\TeamViewer\x64\TVMonitor.inf

Filesize
1KB

MD5
5c05880e0ed65fac3a4dfb7b6802b898

SHA1
55ea8dac7093123e26584a49012517818c0f586d

SHA256
60fa2925c589ac38bab74713e1b0bb2a205a8c825d614b971fc3426991cd86ca

SHA512
5176504de06e6f8249815f8f8472ed7c9a26003e92ecd80299da8b611a630a1ba8179419cdf50f02b78a19caf221d6e0ae59452b224dc55feef72a93cd4d147d

Download Submit
C:\Program Files\TeamViewer\x64\TVMonitor.sy_

Filesize
17KB

MD5
b7ca6668278fbae3fbd649285f8ccc35

SHA1
dd5cd2fb0e6818eb56268f0d6e72d0f5ac74aef4

SHA256
78318c6a8ae65fb3afe6ba06cf1bda69903390e250950d3bf78895cd79afd4d8

SHA512
7305b979abbef7beb4789261e9fc0ebde00415bb00eceee2289cd1fcf91467ccc7c84ed77e7f5cd042243508b5fc8c3384ea59d6a1a17497781110fe5238103c

Download Submit
C:\Program Files\TeamViewer\x64\TeamViewerVPN.sy_

Filesize
45KB

MD5
6317a1890582d5abb3e3e3ee6b217411

SHA1
78f44d94212467fc61b98efbda91f2bc701e1a39

SHA256
3a09c3a24ec480ba4ad466760996e0f3ced30c1499abda32da6ead9de5d08836

SHA512
6241dc81ef29736972d2e8ce3fe0c52371445cf80e5ebf22630d9f29b1953470a0f2c15a57262e400f90773eb74428af4521c744acfe7d202f19ebf9b7ae3e03

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
100KB

MD5
da5ac6db87a5818e14a62a2cb2c5962a

SHA1
5d3e8e68029c4ca04d4a7a40f7b4dbbc0159f32e

SHA256
59355367cfd1f721d0d11aa0665d0fad05831fabdfd8bed6fcf48760d98bdf6e

SHA512
c55870e1c8965346dc5f324524e1be6d1ba4124e56a525ec290ff0def4deb8358d4369780540719539dacc693e8dcf5a33e3b1cb6ad371aa2f0d4d94b94df1ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7ec009f9-a9a2-4fbe-ba26-a84c515a070b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cac3a365e9dfd3efa23af0192f2f6cd3

SHA1
7c6fef81e394da9479720776ae42f75bd4f4b009

SHA256
0f469cf68e3f5f63716e2205c4b0d11a3b2f00d48068a23db472935d72069a00

SHA512
7132fca05b1ed90e9973844ca8d418dae4f5139774645987f5616f17188a16093eea9f0c11e5d2bb4199ca3968e4ab502cb64a6d6d848effde8cd5f8b9bfa2a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1f17a676d4e5ba07666146a334bc6ec1

SHA1
3f85ccf1db03cfa22383cea853e28ded6d4c45a8

SHA256
60bc21c228cc8f55fc7830447267d73634cd9c75f10605af77b53a6c5e948c2c

SHA512
99dd95ac1487d140ab1059fe086d797f697ebddff6e1951f029c0676e1770593539c4998e7426dc128043473037d3c54162a7149c43ba3be8f4f8ff0eeb6e766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
eae8a1db72e0bfbbb027fad190e6fd86

SHA1
1a05933b74529d5262d8c2df3f833520462496e8

SHA256
1a8683d4098a71d5a6e9cae93bc80d04efab2f824abea3ab9df8e2f7c223dc3c

SHA512
d1da68ac236c6ac02e7bf859a4342327d9a7644a20910e025907877075fcb1ab5afd2c47cf57d3e92b93f35ecb30ef2f037e9f633d01ed01a32d662b80c291e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
6ffca3175d8a4dd1658043e62849e222

SHA1
a5978607f504ccdf4e66decb89869ff9096d9cc1

SHA256
bd39d042a2f2f3b84c49f003de8c1ea07d6328a5c570767fb1ff608b4d905db4

SHA512
5586049b6f5ccb2c2b1e3a00e5ab2dbb415da76d675589e3428ac24b4a98c66e29f3d455ed4600c2bf161aab977fdd1e8aebc6f6a0ea3d3adf53af90369ef5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a611344ca984cd4c8c92d8f9acf29ec2

SHA1
e98fc8cce7fd801fc505b43590dec4058f2a9585

SHA256
1d65a85205ec87be4f02baeadf81f8a9e6cadc5209dd8718ecd475e221811a94

SHA512
c632b7bbf9cc3d497a9ec939480d51c9b5b6662480dc1387e80856689d6cca9a042dd94a56cd3540065877bb64fade3303eba6e8d8e3796e4d00c6551a21f705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
28aa66b8c7e9b134e18de2f6d06ca867

SHA1
eee9e4c614e58e7e2b535152fe7af810a67444db

SHA256
9e1f648a181ddc2555143e245b46af72d39c22f7c03444892a9e54242d1efa59

SHA512
dc232ddf9195ed87706d5cd911e4edf18e8b9b533f52c93fda6a56fcd491d75fc652287237e77cfdf257d15d61424a33d9633112e5a86ec2d37f3b0ed4c7f016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
020c52f54a6b0b471b4c02e951c5578f

SHA1
75400f7345734bf49d39ca3af354d44f4f5c3b01

SHA256
d0a09a462795f952b3fabbac5f9aa08b2cb234eb84e1ac99462b5217f62de230

SHA512
3af4bd7ea54afb5001562bd0ad80dbd961667574b1b5a335e5c59075add43bf65375fa0591ee63d4c8d7ee048f6e82f1be6d5f458822213cb58d2b16293b6c5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f784e147914f50748e22b0ad2ee952e5

SHA1
ac770bbe3bbfaa9374c70d1d19b2500975af3867

SHA256
c86e3bf987a6cd644c285b8a64e938c10a9e72e967d64847e473251b759b3393

SHA512
a8494d714ca925e6f4ca8fc606d072e1ce06e39aefe860c8fd33b95113b526f8e2d49713b9f0683f21f7837d48835c3a906635d8badeb026579bd734dc04f264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
93b496bd816c476135fb2ff2dec60414

SHA1
acb13b320590b1f2f805652cc63c0c6eb76fe9f2

SHA256
45bf3db7e0ede4d8306c0383c5dff16af68bc716601cc635b266540d862b74cd

SHA512
b481980a70d4ee3cbd0e01368e98c8fd7f24264db41743d4799c493efa4aefd9965bfc20475511fa97444cdbf92c53f015a5d74894ac2b989b449a217a0b6cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
686900325de60576ab1f37e6e46da4b4

SHA1
33e8d87ce8608854fe07555d5549a12ca984101b

SHA256
8cdf3b566077854fd0b2a307a224f882fc02bb400247befd9a5a821ab11072d7

SHA512
f1c536ea2e8e271688213ea74b76506a62616af50eb9b30b373b59433d79c22c26e1506e3367cde374d4fda80d9f36d8dcdf6b6b1a5b102b702f1f147ac2ac2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
da68aece9d2d3caa837460c99dd567a8

SHA1
af25233ba5f6b978ed88687945210dbe22463ed2

SHA256
3b3b963465f4ec28a228e3410b3b60963549e8848865005167854944563f8ad3

SHA512
6735a99dee70006d57aa21e006b9c1ef31020571ff934e534008aa50c305680fdfc79ea3da307b4308a3a89164afce8193982dae8aa1475139c10aa86adcb810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
d0348591631a5d9fa99bceedb646573d

SHA1
48f00ae4f63467efcb979c42bf5522a65002aea7

SHA256
8a1e03731ed87f2a451591c03a9251645c59e9f6c42a7c5e4a5e806086c1ca88

SHA512
c25803c2c6f19ae183c757db650b80ff74f4c4749b5abea3485a64b65b12f9c01e3eff7d5ff384c96a1d3c8daa1d5cd8bc8045ccd6059544482fc4f53c5157a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
375c669f086824b0c30af48d03bac9ba

SHA1
7f7afa11415beb2c517f602dc06718d58546f18d

SHA256
6f1b54d6211c401ce8c106e855784897fee20c70cc7a12436b5a30333fe64c26

SHA512
25e74e2241882e6962db0868ff65382fae3948778af4ea47ba7f14b68559bef8f9fb5d7babd7ddad23c726bfb9b2c20ff889bafcca7e35a6ab7541df5ab8b912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
01ac1ba5ac63e0f13fd9129c2093fa13

SHA1
7a85a2fe50966d88460cf30a230428a8ea32c2a1

SHA256
8f92cf37b4025c87605416241a3334d49d9b28d832b6b30cb7831e791fa950b3

SHA512
a2c0ce4c97f3dc00a662dd6e4cbc65d6ee0220a9a4e41849b2170c20f29299c8f3b1cf5f3ef17d1f8a11391f78d795c701b89aed2ba4c30958cb4ea25a2ccbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
6adbf1083765579cbb921a4e6d302fed

SHA1
4799652d8d71fca5b0ad3ec949c0a3eaed74c778

SHA256
626a5b00da93587a0d532845bf788351886fd2d6356ca4c1a806c7f46b18d6fb

SHA512
c46535eafca5e4a7cd29babc7a9a18c10a5d762133da246112fd0c296efd4c23017227e8550bcda2e787acbc205c69293700eb3fdd8fbcc77338e9ef16f4c0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
29KB

MD5
ecc66f2230357c37527a8b438d137940

SHA1
9f50933ca4610ef8a5e2ecf403e7bd1019b48afd

SHA256
7dffbd6247a1e87a4e47462e270c37a50e21c551972ff2f808837f4db5762182

SHA512
c688d7f38d71af3435bfc74c6b3d0e5e5d0bf81593b05630bb2d1b2b51752dab5a7b2f9464bc9341c1310bd5f556649c948af58f7230a16bb975f92c30897682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
4599656a233f55a99303e90574db89f4

SHA1
ebf737f8cf4623eb384cec57fea9caba6e66978e

SHA256
7a29b32fc6a4eb3af24c29bfcdd2da73d9e32e781392d5ec7759cd991fc5348f

SHA512
d7ff3378bb1289421c4c0df4231d50968c7432f4c4bbe674299db4cf95d82cb9657fdaac4535aa3c85ebbce0ac6c90a42dc37356a08e3384f817619b9c9ff796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
37KB

MD5
46b1aebdbf26db3e8c638dff8c399692

SHA1
7749245580a51faa7ae4c82f41ef0da55369ce83

SHA256
20d3f796102512dc5e1646037b2445a79699951f4e5fdb80d81cd0fb15ce26dd

SHA512
5685580bc1b264f90a13e12a81591724e3fc425064c4d5fd45f692089b2ebdf10b8dc83e19af48b65f3ced79811cad4d956c8f5356e8dc914a2714d6b86f1b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
36KB

MD5
2e56a1b33aab59e3c4ec244f45ded8bd

SHA1
2d4a0df5a1a324a57991e01a5776b720b3eeb360

SHA256
bbbd734610919b155a36c5df00f1296366a28d7d201359305320056b16e77917

SHA512
6ae2f5f4affd6648b67538586234436302a19f811fb6ed01982bb4ef5eef7d00172f376cd6d7bce7d5e1d394b5953a29578ebc86343444852c468d82d31178d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
61KB

MD5
3243b0f19b1ecf7955a63ce436e225d5

SHA1
fe1b5b899febe09ee1cffe32b5c63b22e16d0619

SHA256
784ece4fc4916dede1bbefae7c48f5e70a8f5dfa6825068a44c3a463f4ffd550

SHA512
a4671f267894cd50f9689bac4a3784f1d0ae57f1e1ce872ddbca4aed451f76322cf0bf5dbb3e5a23148811ace0e978764d1dc1788879033e7491686b45b091f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
104KB

MD5
3f2a535b1e27945374137f772d728035

SHA1
b2dc0c39df7857dd87787541bcccb869f8ab1fc9

SHA256
4a6bf8f662f43d8cc9067320aa02e45de43057107e0792a05c8da757ecb882a5

SHA512
338c0a207f3b4737a03ebbde0b55fe9316e387b763da595602b33d772d71059916a51e44e94ac24ebef93276dc8d16d981612fa487e41c244b88ff8cf5240fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
99KB

MD5
033a3fe8d32412ee2c0fa17fd7bc9315

SHA1
74ae04a387fa12566f1dc0c36fc205b592383383

SHA256
fa82e84515b8466c7ba3c96306c5a82fa46bc146d08e4240f266a1045a7a97db

SHA512
274bb90e8b0c24795d5e9bd081983d7481302c01eb48194bc86559dfe2417401a53344963f43e0601b2964d8dc73f4ff7351fad910d2fad4302093ddd2df6caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
20KB

MD5
faf7a6c0a8b654b101d38933799c0585

SHA1
a1f45f0a5f24e4b55e709ca43b4e7b72a8e82778

SHA256
27682f31e47716456f5d1f0115e93a84406e77edf7614512b42c365033040b21

SHA512
3414d2b3d165b3d4f6c2fc476354e41f69b16c3650d992f428863debd0e65e6e8a7f228b969a03659986eb3244c21e97c465fa2f98ca3dd57127a29c7ddbea3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
55KB

MD5
e7dbce02ad6599084fe266d48294854e

SHA1
5c755ea9e27dac93e3c5b7ad501571c186631e8d

SHA256
09e88b8252b268138adf8c7a0123d44608f31164e3e18af63f17adcac21fc6a3

SHA512
a0abe0aec37a3ac26b09d43f6785016e0021c2b02083e8071aa4f130b7f8e17ff03feea9af7667d0251eaf54fffab794712d0a2148d88ba9e9f41d9213d5374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
19KB

MD5
651421320de5f942a6048b627fe38f9e

SHA1
21edf148140cfccad4b2f64fd93491cff578be30

SHA256
eddf6b9b64a30cd3371e73ee55ac867b65c7da580e51e79bca5f8bab8f7317c6

SHA512
34bbd7c1ebda4563d19172a16882586d8b3e03ba76e862680a90b5515186a91e811d835976cd06e5c5f1812eb1f90e38a311de40db3e43c94c2b237f21ec23db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
107KB

MD5
62b86153e73e83a4c42e410a1f1108e9

SHA1
1c53fcccb6f4180be492713ec88eb7543fd18615

SHA256
cf1d2724bc98c35591f4340222c8dcb68c85b06d9c862f6737f728d80e3d32f3

SHA512
ba1a0c9468992bbc2f508c3430b22d1d9f241fd91cc66ea31cedd81858efb0c657c29eab5f4872a1a2f4683664a4f5bebf0e39706c8d51abd0886bf6462549e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
46a779f5a69fbf50008360b3ab4a1095

SHA1
e6a1e907e25d0cc72f1afc43f7d211cda709829f

SHA256
b75258493d824ccc18d00fddbb0f23cc32480d4c7c4ac2f0e5c34c79dae4bdfd

SHA512
5f41a7ef97a185eb3c20478a4588c6f958249a57daf7392095181a067869df42bc3e1cebcb7fe452068352f5e374fa38b1cafd9b1f3dc3e6a58d65b71bbcd7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
65986c0ede00693a1cd500f35d2f7e03

SHA1
5a4d7916d2ec1c271d6428764a5c0a1db11c2cdc

SHA256
1ac59573dc1eee73f2b6390181e439b7f46620cfcd8407e5fed51c9ea438c9f7

SHA512
905cdf48fc3041b2427c47895f385cfe3ea1e9e0e0ce063cb3945f49a8a864fb72d031ade67c09fb7d28b73d11dc734d40bfcf906cea60eb57e05da494242280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
359304c63476669aed7ea8692596c860

SHA1
caf0a19cfc8c64ada165f25b93779a22895ee841

SHA256
c7874e79dba58a50bbd8f929151d839936974fddd0c4cbc759bb7eadb56a2461

SHA512
f5d4201c4b07bdb2e047797b5b99b18a61443083d16e611cc992b743c22a79f7e51835fe32acb15ee56f9f5a0241ac58f2eaa321a38ae853b6c84d5d290d0205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dbdba2e75c17e8ae2c4c3a64d0198476

SHA1
b8dec4ee72c96a52b4a4f175bca406513f3595c3

SHA256
b360adcfe524ff750578dd8f104dd3e37d46d417f3ed94632d81ba972f6e7963

SHA512
d02af7cdbc9ded04af44d517f2ac2dea605ecbb4f451c4578213325204f26036f5b80f6e5620b1466ded2d57f0499badcf144bc8f96343128d9a5de13e3e3290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
5553a59b2dedc453f6901a727b8f0a73

SHA1
cb4a74b0858d90a6f1d602c33dff780858dffdcf

SHA256
6f597d4864defd9b581eff19176b69dc6efd66933b84c783a4a1f666aeff5cc0

SHA512
4255e1020d57053750d6b069f0f0fe3a3b0f6da0cdc9fee62f79900845a6068205f37d492da28ffbc63ee64f11460b4c487c8f427ad6f9b9f41932b25f70810e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
a0033d9854005ace00b7244590810634

SHA1
4478fe05ef4dd224c05a18be597d25342812862e

SHA256
95aa47b877f7fdd9eadd0b35ff721d0e1be66eeaff32becc73c239249ffbdcaf

SHA512
38d7f798f88cada6379c2538fc233f8b02be3ac0c7fe4fce4c9c861d840633e7bb16abe6b4edcfc70b5288291e38178dd8c39e50792a9e3500f880cb901ca79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
9c27010ceb780c6fb67ffb236e73a35e

SHA1
82c356f03d181c9180440a4e98c047d91dfccdb6

SHA256
d986e69fa8500c3a4d9a51414b64833d098fc331326c14f2fa2fd0ddc975ce75

SHA512
b46d975a0d479ebb47bedd0ae680df7f0d1b9e03fb7bf1eee104c75ff5ca5d3f90a8b1688e1d1b6943cf8b0c329d603651a949f7ccd6067d8f7ce1cb37c6443c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
966a6df3b8816af6749e60b81a3f899d

SHA1
f8e59dc322ade449c6a16ab4bb17ac1e48e75935

SHA256
aff5a78b9590063d8f2282380be4d91f599aa341b0fe1e5fb8c973a368251611

SHA512
e6f0d5e055a1c577ae9ef78f24711216be9c72f8cdc1ec0464e2e0236d494e9a5be9f4da302ec8a1a8e666c500d722ac63a5997c7030911029144fe2be04bb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
5b2ee5b4c96a3c60e172fc11d2b74092

SHA1
cfcdc4a457c0f7aaa055bbf3d7a8c46041694a6d

SHA256
4b0eec16aa744d04a7face231cfdf4dba790d844999cac58835e9aabc50a1d3a

SHA512
d872dc8a265455012ee7f880e3cfb7cbd9617e8c7048bd2de0333333b7c508d43700a26d98d01fe8bdd315cef2ca9ba4f8ba55df851e083debf140dbd7aaa024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
2KB

MD5
7df185c8cfde7c463d05a874e233c3f4

SHA1
8ba2513ceab324c49f1148c1ae18f01c0aa83cfe

SHA256
819c2ca4013a4a272ea7baafebace2274b6748d62177f7dc0cc9f9e85fc2ce64

SHA512
0d2e92838bb1a28a046577507488d0f171158cff2371b0fbeef9403ae45eb470bf3fc58581ee6b444252765151c2ce9077ce4da61a5df9e95842632fc7d0349c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
252B

MD5
421a5b2e37b00cedd5d5bd0f3a3fab40

SHA1
4d3986524766b6828157d832bd95905ec24ea8e5

SHA256
472561103cd9bd4d8dfb318f9da83bac92af497bededd97eae50132ca80371b2

SHA512
a3f2aae71fbf412d7541b6aa4e37847c5db143a4300571a450c55ec927e05737595de3ae08919e861b46f676e23d419f1a6241d832fb366cfbe97f084c4251c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
ab665282b8273f60f5e2100de2daaddf

SHA1
7ca7f7d12a32a74064993bf210e0222526d33133

SHA256
b4db64ac90bffd8e2e707ee652063cc2aee1c59c8d74c0138863367c6d9f5ad9

SHA512
5186eb8f43de02b421a8c72332d682a82985acde3c6965995550cbfd2c6e52029c199551ae887fe1a9e708f66f933a383f6ce16dacfbf1a91393920190f33885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
393B

MD5
ec927e8e1ae383a5ecae6c4c10e80184

SHA1
32748621a4b9c32825279efebcb54c99b1b715df

SHA256
66905f807e206819ec9c22ab5a4f528631bac0503c61a87ac60b90130efc379e

SHA512
afc00648b219886ce1e12b1c016f3bdfcc5ba66b47123606c6b8e0dabab6367d3b2d736c932ace95f334c8ff9140ae57f5c91b3e2d918c79b12a249f94bfdc82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
3d33d5d4274b28dd5fbd0229e3c14a97

SHA1
7cbd04d55062f581fc64c76fd1031d305a7f6e37

SHA256
ac6deeb2eb56ca5a93b9ab183e4fbafc0bd2dbed6c0f7e915898d76117d1006c

SHA512
66c300bb814a090889d2ae3cf8d6faa94e08fdb32e7e2b5f562cc71d874d816c190bcba2a0074ba1eaadcb1def6fc71db638653d50fd6384a5496fa1cb03faf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
1c89c82020b55c5ea10192d2fe77f0da

SHA1
799aae4f1ccd647a86ec5dff1f7c35e792e82da7

SHA256
c86c2a1742231a2f521d687c643e651851cd04f6917689c299be9433803e0187

SHA512
47e5e1198a10a30fd7ff141e36e4c674323a026558afe4741deb945cdad3b483cd6fd595b108e0afd1eaa0d0f3ed52c0e56047ebe1e3b147402480e11aa70d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
0692c8d04c70855896b52398eb1ae732

SHA1
c61dc19fd88db3bee2399d296fc9522618079d63

SHA256
7dd6059e5bc9eab0f31e64aa035c0f947f0c0d63e4891ce5b000bac7c2bf1c5d

SHA512
f515122798289189362a11cd7b2c7e3939983542cb9bcf2eb0451750b7e91c2b229790acc6df25fee14cb96ed32c80237241f98f7e6e7a49671cadb0950b870d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8978ce04759e2276ed63a4c8d08c717a

SHA1
3efaffa5a2e13ee3387fdef603f93a6f222bfb3e

SHA256
65a6acc59f4565273e383ccd29542be14a6319ca7e456b49a65681ea843b1799

SHA512
66ca17283439b801b410ccd64267390efa50e4b6c54dcf05ba2c5bbd32fee2823dce0f190f7079d97a05ccee99903afda75ba83cdd2703a0e0384843c7b2ff10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70122a88d1b71641aed6977c8ea746e6

SHA1
6a9fe3f3fbe343f0541c9208625f8be1a518f95a

SHA256
59966ef6f45ca5ca9fd1cade1bf9bc3273df1191056a42d85be1fcc5929e20ba

SHA512
e4d1d4f9d0254f6cd81843fb341038387c9491f6b13abec0d8860f1dd4731bf6e24612865ab59428c78f0d7d49be3b29d7894f216337cfe2e77136fd499e1c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5352de5f39f39fd9dded62b39ebc6681

SHA1
4f1dc3a6af37e9c49fcd2384e3bc4b6b35c0f59d

SHA256
9801bdd752385dbca1963da115655e8023bd1efb264bbe303aa95b48e41c099a

SHA512
fb911e279805f00746bfb3ec26a85bdd47d2f8b0578fdbde99c49d0c7828926111c16396da81c8aef10ecc57d8f7313883cdc85a3344721b1b492b6afd2ce99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3234dd50d88f43b2debd61d5e52b36a6

SHA1
4a50310f5018a92bd253ccef46e93e511ac32e26

SHA256
db089b7bce1365ec0ea184b02ede1799b2597caf5b511b8427547fb823f07ff8

SHA512
d1d8ee6cff26aef37a9251ca7f0b6417b0aa001ea39bb0a3c7da8973f2d75e7bc5b41fac4ecf0c3009243c16b468f496f9c8561d6ea13742b51008ad0f3aefba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad9e4a2326a8a9d131de8ea5d6d0661f

SHA1
9354a7e996b68f40f9e31618cb6597657e756aeb

SHA256
f0043dfeebbee78f0ba2dc053ec3c891813267671c88e7a6bcb9a9d9d3a7b2fa

SHA512
d34a938e760a0ef7f2c5336b82e25f6cbbe24dc452c8077823821f1f44ec7292c06cc1866a11b46507860b67ba9fd485d3505b2d6694e08e7ade00fdc24f81b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c8258601d42106354e308a49a688ba1

SHA1
eda75ec2c2ca12b9b69854196f9ed7d5e05e5619

SHA256
7694564a02a9fb417e97038aa92216f7cd2b8aa0258262db1281146e8335597e

SHA512
d49c7f1018505a83ba16cddec2e4a03637b092fc518d1a040676663fbef6c8ad5bf469b2a4e0afec31257a7579617d22b4a7dcb9018c74c6e897ea34b31c8744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b9abfa5543b276e935b47c856d7a1136

SHA1
060ca776f4989a5e432a0db45400cdea2637a646

SHA256
873136b0dd0eb9835177c2c0d218b6d3eb8f04872ca063b31d8b65b559714601

SHA512
e1a703361ba7d7d6442d68c0fcaa460b248e3a4f47a18ea0c5cd78aace10bebd777920c24a04f891ad108a4eb668ed70aae0d7448f2d96228246cfd4cb460734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
572b6d9a0bf3f2c811b81ea11ce91759

SHA1
c8bf795ac40f854d59ce345a6819008c56605d32

SHA256
a1dac8a22e68c48f005156d759c9bea3909ba5951a970c2170934ec9a91d3665

SHA512
8d7a6b6728001df642a74cc2ee77cb02ad6926b807435fa47bb96bf8bb17f7d3eec9848552d402895dcad9876030d947cbd1968e4093a4d74555ca7b632b8167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
937f70165dfc5a2a4b77a7276e5774d5

SHA1
a8713bf983b63d74e032fc65fd22c8a8147d16fc

SHA256
7eb55215d95ead061aba113478dbc592931f07a90d4e0d3fec2088e1eb2f5bd0

SHA512
d8f372ff76b41f12a13462c8f000f9d25049c6663fb5dac4b2cc9fdf0fcf24d9c929c90f116767fd387bc7fb155b2c768cb58d4fc747f35272e18fceb25159e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
309f6e481b2a780f4972e961744d0c2c

SHA1
7903ade17c90dc4b3b907f90e5079285d3d28a41

SHA256
2813e2f53b4b30b384e968168893e3ff9e8be73230dc338514346adfade80547

SHA512
c045267b1d4e46019b69dda4da1c4ab18127a3c73e4e976dc5b70064dc124645db7d59c2c46a2f992c5c39cd57ed4c82d4bab4ec7b84ba4b79201746db43348c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
58a5abfd69cba5bb4860de95b5653569

SHA1
3a86bede5dfd64700cd1f53d99b3b8913975c966

SHA256
67e93acc67a4532315b05143bc68d266d720ce9fe888a01bfafecd68f975a537

SHA512
64c1c8d37bd2330d27c767bc506576ca815439880acd981f494bd2d58f83c374c45fec0b86696823ee4fa06dbe25338533e9e407d625c2a2bc4f00f633dc9c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3ea66b78773b5eef8130f9df61be1cd6

SHA1
886e841f2dbd5af1194f0f66233113376a8f2508

SHA256
46bc626a084d34f5760bb0dc2feb951f0d7821aa23f5c7c789a19a3ed05f5379

SHA512
aa802d4c937a0fd599d20313e31e9aaf14f155595c3cd7f270bbf8b29a4729bbe5da735a8f5fe86445b6d2429d122c63ad874aa7371e9c23d8d69783e8d62998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
02961c7af26c20931f31f61311a83518

SHA1
b02a480a24509bc9ba0c2bd56b91c1eaf5d14392

SHA256
c6fcf40d77d60281b468e137ba678d6b331a8547dce883453c97305aff569a44

SHA512
82b2a0afb97771e466a421e041a707ac73aa67d4df2fa6d4e7d1d7827c7f432d460a71497518d6c1875785174aad61fc0e6516db889f995bec3bd4a5bed6a471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f743c1d9c19a896e05cadf8407e01ab6

SHA1
8dcd743c1bf6501bf698644dc3d062699a6bba21

SHA256
5129366fe25e1aba0b42b34ee75f009bf0d95bf5c8a74d867236fbc74cbe13cf

SHA512
2c3a7bb6f6d0850f7990ea397feed0eada6b4067695a0c1d46992a34b6949f41537f05400f714d19289abb83658a99642000a01f8eaabeee76fa50d689a3d45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
af2b7979e96ca62ea33a91771b8b55b6

SHA1
9e79d02dba0ebe298017cd5f65bfe5b4ce7f02cd

SHA256
4beb82765a00e3b56a17ec40883d47c79aec90e2b5e4ce658c9ab05d9d4d179b

SHA512
b29b1b5fff425d9495d0fa52967a6fe081c60ef1199c94a09a712b45dc651004a819f62a01c2ba30348d9d0756f91afc980b6bf59497bf8501bf3290f83e3870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
29a002d18168059418e4ad2d415e0a04

SHA1
52af19d0574423a2285bac7b5962aa6da4d00b2d

SHA256
50bf40b1816802297f7a421edadf7b12a320a9914dd5542e90eb5decf1f643ab

SHA512
266de18916b068e76682f67ca919077ac05b4fc1901d8d14668bd61f42721d7d798a965cfec250ef4c0935a61980fab9b6e1dd20ec48b545ab29b599505fb623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3b3881e3b427b3d811c0df78e9b7c21b

SHA1
ae5e4fe2d0b469fe24494c2898f0738e397586d5

SHA256
aabeedbd14a19222983ccdd6b41384abd49394b24fc8fa8624998042bb791e47

SHA512
a2b66e38ffb518338354d418e39a3098c303df65a3c44a6b8834344f45a67f431cfd785ebd8690fb25097ad2dfbad64d9b3894ecf7724a9a21b5c2d564a5373a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
42c9333fbee38660ce23a662fdce57e7

SHA1
b067f93bdefe81877297dbcbc02cc1b652622962

SHA256
2114bf59c94cea1285a8387d94105028a204d94ac8ec7b5801a0aaff7bc43822

SHA512
084e30a0a81c0bbd9b15c3c7df06e4738fb32389d5e0b53fbd19a3641153995f369850d69f07d8767b5325b747fc30cbface03f31ccaeec4611ab3b58fb5382a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d52dc2ca09d662937e3e669200ec0cb9

SHA1
d61e36c11bd13511e35c2221ce2d82f509d38e91

SHA256
288af9448609160db5ae774bb18de8d77e367e51f21919a22f85fc1954140fed

SHA512
dc294f662521adec1ae09bf0e53de9de7ea1f17f8cfa5ed42b1310d0127709e2755d586e6329fcbdd65a10654d5157f895809fdd95bfdaf2c72b704d70843eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
406B

MD5
7bb813d8aab3cd0fd2726873fdd22b2e

SHA1
6ee70931391c4032091d3482f4d6789d810c0de3

SHA256
fb3d33883e1d8cc1d55c44636637d1195586a6419027c2e9711298e70b8a172e

SHA512
866079fb66a98d8bd1062a847cb33253daeb5ced04f1b59b273ea89bccb83964ef151037c2a9a9de8d5b922fbf5e0a9e5447d4eb63f4c4b1253b0697478e8b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
1c99cc78c6f889bfcb91ebe338d70d3e

SHA1
9a9d916619fa1f4bec5ed540aad6192268af123c

SHA256
0baed63469a7e7a108cba9e9a5427101c7238e3d1966881c0329249bd86c7c57

SHA512
6af8552f3466381bae882478105a82f4beb361742912232f22433a691001eb7401230c99c602081a2b22d29114e7bde8be2668d562831bab1aa670ac8593936b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13352780509077408

Filesize
9KB

MD5
61339cb8dd3651b7ca7bd5b1eb38fca7

SHA1
b8f5a0f62c570b47667e6fa3ad5541062b50122a

SHA256
481ad8fdceb8e0e2acc2e6b1768b03731944d11b30108b8fc140fdc4739606be

SHA512
2732ecb80864e39f8fa8cecbc50f7886fa74f5c267c63dcc50e465f0cd1ed9397ebc1216f35aeb6f30bc1cb917f5903d21a241c6b63e882cebb5b4bdecb9d988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
a79e924df64bf1aef7e583f846a0d0c4

SHA1
48a490e3c5ea3ef3275f82f3c7fd8193756679c5

SHA256
b3e74185fe7b8967f80fb60bae7d23b344d7838ecc218860ada2f6ef63785472

SHA512
1781d0eedd9f424ad8f5eae4f98eccd2549622559010f748c38d8fbc1065d08e157302432a77edbdb6be906cb8b077181093dd90c3a664f14ab84d2c3e05af3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
8a2bb401a7b9b3f978f00022479d5e9d

SHA1
fe5aa2c371ab11b54b342bd3d02cd60ff0320e2b

SHA256
fa5498141b40602781264a02ce4f73e29f33eeffb0ef810b9ee5844007e84fe7

SHA512
6d2883b59b3a239cd698dbaee9c649c35ef12c59e9c535e5dddc202e5b6ae7885a0781dfe20a44c515108c3495f8e5583ee373b96011f58a8ae3cbfa7059c29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
be9575b167ac125bebd4bb4075bd6fdf

SHA1
764163b5c5806602eb1ade15fbb578e9ef7c4752

SHA256
c7c0317e0f601e763717f967b5696096eddd59ecafa7c3d89bdb2f2126db65ab

SHA512
c8bb5f1125c7ae2d2f9da8310c5c7d8020c3c0fbf930e5695eea8a0929c631cd48f7e845c4a73bda09fc6b4eb2d8c6746535f213b5df7a6ef9190a2d0dec8841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
780e9eaa63922ae31ab6d5be11040f33

SHA1
f37a7e60a6b223b1877c5d3a21ebe12a88f8c5c5

SHA256
031f27c9748826eaa692723e6ea51b0cb48b6813e890ea700b49e9c0632f0e4d

SHA512
4a9261fd29f59cf9c920ada794305b926ddb5de6f1d2a1192961beb0a1ec124c006632a7bb1573e1e94cf75dfd3b501424948c3b899db88ff98c1e83c81e9b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
0b96ebab1391265c7f6b28d55475f0ef

SHA1
50dfa9e70c811cab5a010fe24bc88f8a326f5f93

SHA256
acca0a4adac0f7e52982231173357b017435a75466a501100c8522af59fb6434

SHA512
eb5586efe9bdee0007d2d157def9967fd056e9b86053e00c0fb80e41ec776b1f33d0681c56ddd86487311daf540260341935baf9c35b4a73dd36ce5312da4eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cdcc08721cc442160444cb1e34c61ca5

SHA1
3f4543af658d9af94bd575a7eea23848066f2bbd

SHA256
2619207f27de8d68877f4400af704ae6e1c07ff81ef4f2410a61b5ac61f6d8b7

SHA512
e081af13d715571ef3f2547d5750a3a5e711ce2ddab14841dcafaef716580f459be533106db69bd47732eb3841b751e881c2a61c160bb32090ec5a39cd0cb5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
45b27b778ac3dd8b69dd15c0d41b62c3

SHA1
964c745547365da7ed40f3dae2ea6513c73197d8

SHA256
8ded08de803784f4575412ac19caaebf47212329cccc4e1df7f0c97631903015

SHA512
5c6a77c4489379eec609cb0c1441b940c8a3196bf7b565efed9639afe10d9cd5d04b2c85b045cfdda7e6c5bceab0dd7dd5b4082f5faf5197688a08f5bee00f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1f643ef0895431c893edeca968f9f18e

SHA1
e2af7fe70c2b3bf0dd4b3b6e1f99f27be9ad961b

SHA256
f6fad524f763c21ec252acf7f3c2d4df72676b82e7bd9cc92b255845adfc5962

SHA512
976b2eba66a4388d24a1368c00e976aa15c8d5852a052bd13fb38d97aadcf1791e76f6e76f19b11ba7e8cd6312eb5250992b76a43d56ed75048517ff0621abdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ca238a8edf1188c5bb3a5fea18769200

SHA1
546e7e6242167d963b5de6c7979acdb541310c96

SHA256
19278d2946c6dea9a6a57d06d2840ecbc563db1e3fa2b6b5a933dde40cf2880c

SHA512
f0d776169c1c998459be0f25f7bb0b5f257bfae4cb3ca31aa1b3598953df8fc3b6c4ebff52d5d9a84fb92d403395ade9c48e9d7c099d1f55822a3b0d96773498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4484ff726760e31558b075819b287c1a

SHA1
f8de60a1713578c779d1841d7a5433ff221092ad

SHA256
3d1eba691a526de66184f5fa3a3ddfc716bec3394e6f25822a40be7e8b6b94ca

SHA512
5105620a3e491f51540f9cec9d8453ab0ce9889e7c70e25e4662f7d3fad6714fc0508e5a0c76a35f75bd33e12e58fc5ffeebe2a0c6bb3b731fe7814ac991ad51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582575.TMP

Filesize
538B

MD5
f254ec2acd5ce1b229c18cd2f93cde62

SHA1
2fdd00b9f7ee6e119c8d859cff5a42ab2e3dc1b0

SHA256
b4516b1f6f0d9bcf3fddc9b6d21ad8b92289c535799fcc8a27b4eff5921ad79a

SHA512
6a0a4574284ec78142c58e80c3878dd04ad0975d438dc706d002107e0cd01b77a98670306f1be36d010b1ca5b2ffeaa1ddc1e8afd481e05d26394e161093b6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
bcd35d88b964ee1cbd15996bde949364

SHA1
48578b9f253c723ef1ab6fb8096c0c4349b42117

SHA256
46f262a8d634ea369a2e1a6bc04485b6ed766cb6fdc257de6f9892135076b51e

SHA512
6f32013e4fcc99ca6d7e3b231067a0e885593a5d637bde9562af4565406446cd989880e95568cfd0187650cb4c231d432d19e17a83282cedcdfc29365d323bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
d711a2843e1b44f7400398c41c588760

SHA1
fee31434e1b7f5a9f8d9574ea1698a653e599e1e

SHA256
d4db33fad157df2a9a8cac77980ddf710f0cd4f53893d1ddc1c69ad0e939a61f

SHA512
6fa09cb363cb9e2bd3feb539a9a714196eb3cc2d6be4cf65950b54fd9fe3e219b215609068a71da9026f77c3961de7377228893a3a6920d4d6e13a8b96643f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
cc69b87863ec09742000eb8df82cace2

SHA1
1bda046b24ba5ef55b6dad9d8ce0c01adcc6dd17

SHA256
cd116171710afefad674f8814fa123e9772fb4e2c29a553e25f2316101f2cd98

SHA512
167b67f5cbf9ccb9bfe04dafa98e8b2f4813653289eea926f41854d24ea6b38371fbd95f64d75263fe3dbcc24092f3ae716addf62523868a721df588848d12f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
206B

MD5
962a7a68985f8f07310e6db2dbc56956

SHA1
ca3020d5d3c30a3f18ea5e0c9283c9637e9dafc5

SHA256
b890c26a4aacf842e5a7c594330c56c5296ecd63d86f6e8ff684354a624b3579

SHA512
b552ec35dd6e3ab3c778b45a01232b77c859d9fbcdf58cf21471c6e290418b5e26a782a6d68867e7cdcb877e76cdc652057fd2dfe04081ca8366f26eabb3040d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
b4c10c48298ff728ae969f6e0f61fb7c

SHA1
33dd3bc4e8de13a8e2488acbefe2900786b0a45a

SHA256
cf7e78d38872b6b33165f4115f5d79662453dc0b09c092ca42481d76ebb12efc

SHA512
796f733550b3d81766b06d7a8dbeaf16a89ea073359d4fb81213019594445cbe3613c9e09072943d5c62cf00613112bf1bfa134602b85943420df8caca9f3228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
02191ec2b37c6cea2f99f3896a751b9b

SHA1
75e7fb22b53b20ab3636086c0b55918cd506f416

SHA256
6a3c100a7d91ea772cf5c6a81e49a96c8dbd6563aa47d4990425fc709061796b

SHA512
1a18c7949c8612fb8acf00d5043b7ed3516336cd2f1380abe0c0ce3db567b1f54cfa1a570f0e23763815baaf79d1a30d986b266d686579568e71994c63eca0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
04b195384e64458f815bc761a6312997

SHA1
9d88dc826382a8fa23a33334146d5ad751a22f3b

SHA256
8d7fa3af59058a67982c4aea5352f8b42abaeb6d28f36599cb760b15981a04e6

SHA512
e772021c4d41e5cf4c5e0da80824a3790d319985102a9cda8e6b6e0596c36feec3d16f66de3d20833a8ce2e32fefc620a9890fd5dc5fc9655018c9c0b0aebfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
174b9eaa29beee6ffd49d42b8486cc56

SHA1
62e9f91bdd3514c63baa821cd2d9e5f97730ebc7

SHA256
c8108061a55c923bd46e17adc755b3fdb2a879ca5985b11dd2ccb502830161e5

SHA512
4a48aab10c2e731d0b28573ad7ff686b139e779e85ded5e9867d7840b26d0270c2fe28355d08ab66f80dd8b3a92fa6449c9050d83ff170748042a88508a27bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
4270d4c38a4d9c792236c98d0200bfec

SHA1
fd1cb01327e6d5834da517b132a7473489cae940

SHA256
aa5d271c2463b6b08fdf6e6bf79ad161c1cb57b6453d74ff827b5eb826ac96b7

SHA512
0dfbb9eba3d9838f0e227c5aefcd2d22174f8b5d1df5203520ee0bb8c744930a11dbf21ee47893d7aa1e1ec7fdd56cddc10517365bc9b4d9ccc90e8d4cd43d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
3ed90af0aac5511244cbb02a6e16ffd9

SHA1
b68bb59b65bd75c4dc3ecca0f343ff60f3ac6acc

SHA256
442f1742d3d38e47c36a09436d0b51b337bd974b46939597c32354decc24078e

SHA512
6276590d7e8daaf60f4b79f530338b3c97ecbc72493409f31b45c13ad01ed3a697986aa1b168432e9b9dcf77f49dbdc6b6519a67c66ebf4e02baa4303832006f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
22KB

MD5
1ac9e744574f723e217fb139ef1e86a9

SHA1
4194dce485bd10f2a030d2499da5c796dd12630f

SHA256
4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e

SHA512
b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
16KB

MD5
a33b3a3fdf5161be5bd861804961f557

SHA1
68a57897f1686a3e62ce9808165e18f31661d077

SHA256
ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560

SHA512
c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
16KB

MD5
dffb7164984c0c892ad67aff97aab87d

SHA1
df94cce03775263525ecdf1a4f6a55adf2e0b6f8

SHA256
6103cd48521fd7b05920814ed60455f92b327e00330008ec4f161e9bf5135502

SHA512
bc8c4f3643e19b8e2ead7808a433f9b3a07b7c64409b9428ffd5ada52052516bd7eceb77f0d4de1340d0b08b4fb943aeb827667aac9935fc1aa559173daad97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

Filesize
17KB

MD5
aab2532f8363e63359dbf0c31981f57f

SHA1
a21523eb85636a0455977ffe525260a1a8568043

SHA256
a6abef5f074c67b1f9fbee679151a4c705b71f054c98f720dfabdc65786d5d13

SHA512
7b3c4ce6574b36bf0d4e05bba1063798b525744fdb37b28ad6fc78456ef7d704677795ae4dd0d0eda0954d15b3776395fa931abf82dd4b64583c360dd9916f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

Filesize
16KB

MD5
507e84952813ee5c7b57489b277d2082

SHA1
3bc9052a4b23bbce030f8f9f48646461fa88c106

SHA256
0b7d5c2bd00d3eea03c36a6b1c072a307debfe892010c78c11cea5138d8eba07

SHA512
6ee8e67f81fda20d1a0aaabd9fde522981589210e4569476c23aa973b12ea16348041b7166efbded04cf71dbaf76e7284fe5b72db715d8cd77e43abec8b8ac06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
18KB

MD5
c97f596ec81f8f81efa6a914b735fc55

SHA1
ad0fa14d4a6610a0883c05f3b4cb737d7ede3cda

SHA256
c8aef0e56b54fafcca28e5fa4af3c4e993c1d62bf47c28998c80d017e16996c8

SHA512
36cc7063bce9f2cde27430ac473752528ae0a7d1b4dfa2a3de2247f05882edad8a8928066f21b15bb27cf1a21592a71b9764133981621ba41bf12129cf285f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

Filesize
17KB

MD5
009624665e45fdcc351a1a85bed095f5

SHA1
174fda5a4f87ad3a2c981565d1790129e6e5824b

SHA256
e2df64eef859783975a2028474d42e7c57f6b6e0936fd1261a15de513b37ff34

SHA512
fd0e47ccf8c8905b50ca94f9fd027a25f5fd65e6eb47f6d6c650dd86b1c238181b40e5f6aab66ba9f313e828d302a559012e8818a7aa20cb2afa67fe13d742d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

Filesize
17KB

MD5
d22cb8682c6c279a568ed39bdc634f0f

SHA1
677360e899085b1fe7af0098575842261a6d854a

SHA256
78b575d52c9342adcc7b89ee8545e0577169b0d520a9924c7d53bc3587b240e0

SHA512
2ad0f705556abae3edb620d4370c1e72c749935d6ec079a10272ba2cbfe42d06a67f6fa1c3d80755aef9419391f701e98d479e946708e26980497f438b154ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000009

Filesize
17KB

MD5
cee822f498eedd3a752cb16a76e4ed99

SHA1
bec6f9c9325134c983a82a16f5bafdd33a9ad84f

SHA256
dae2b9c7bddd3688303dc6a3a9cac80e444c71074bc0986f90f8356ec6a5463c

SHA512
2f55348944aa090fc754d4cf3e66fdc4816b493fdabdd909b3ecab98ade9b00711dd4ed1005d1229ac813f15abdc622fe6bdee948e8c2e846efbe7e3d2e92df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000a

Filesize
16KB

MD5
f3737cdf0f15bc6fa219937068e9dc9b

SHA1
6def46a79cbdf6447950641591360138e56b92fa

SHA256
52062268695290be6f7dac4d39b5ca6a1cdb5092f6c0694a613661920ad0c81c

SHA512
f123b4fb9542a553c0b31bc64d931a207282ceb3a74204e7331cd9229e2e4db0fcfd48929056e9d72d8ba80010808a74fc526ae40c0296e546dada2e13f1cf5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000b

Filesize
16KB

MD5
f55234db88c6538e3f4ad45c114435f1

SHA1
c4dba9a32f50f2d9a27ce81a1d62f7587751e6b6

SHA256
bf139ca7efd187c36f3ec33691f427205a63ca2707af18bc25430637928d713a

SHA512
8a621fa5044977bce987b8259dc850faf83f4e82f4df1a7a689dbbb0b9b065676842f7ac462b77f66c3ef892c3272960bf5de4c0dd4f02e85430b368867feda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000c

Filesize
17KB

MD5
6bc4851424575eaf03ebe2efee6073ab

SHA1
2d014fe2feb929d03a46322645a94556ca5c9e96

SHA256
abaded8e235fdf329521806af30a1cc7701eaca3fe2efccb9da760ec6d8e5e4e

SHA512
af3b7d93fa2243475d74d4bd7f918ce2706bf6eca28029b9e49869f5f793e483efaafdfab1fed6306d5fc77a5ed3b27097b27448cd04560bed4df6fa3268ccf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
90377d816f686fa4185cdf3dfe21eb50

SHA1
b833dacd37d5f3c9b9e019a0f3561224c91c69dc

SHA256
e1e4bbca381b0eb37fd8c46f087c2e7f3ae2ce85201d6237102bdb7968ccca86

SHA512
ff43475c3b5fc6fc9d95c73d982e1f66a4ae7e87a5a38fd20083e3f9515a12b2dcb94ceecae390d0e6899ed6a9f537c953c9ca4c17375d6ebbc463fcc9e95002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bda789dfe2ca9ca95fe6beffa9c49fbe

SHA1
f0afe08f0db78502585ac36c86ea42127ae4d5ad

SHA256
a0346942cb983befda9d5126e2a3f89bb28d6c4b77532f77c68cdaef6a47cc01

SHA512
dfe068d3293e2350cc6c0cfb2e9b7e789e3e92fd5e5a4fc8db61fb030a7de6b229938083679907fcf0ac078d7c0243561b9daeb9bbeff006bfb9e6cde098bdf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f88c6f6a1c6d7284c24997193029f8b9

SHA1
ba1ad0a87b2f44aebd3866557b932f804c5c1bd6

SHA256
10a444d08d03518c9f740dcaa5bf9feb452ab52ab32d2df4bb8902b64af4a36b

SHA512
3ee0fb0e2b10d6e06172302c2438c87da3b6db2f6779deb2bd055fc948e63a33409faaa5836765fd41bcbb5cd2a038042548669c1a4933f09403c987336bbe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b93b692fc538f6ccb3c612f7d84bf5d8

SHA1
0900d0dd447532d392322cd5b4889ca584d1d594

SHA256
88a75f81afb94146bf78eaba956f0be32c829ca4421a4536aab0408b5057010d

SHA512
90afb5232cb5c6739a2b6d845284f0a006f0971b3796716b7d582e140d9a5d9f2c5d5367043ea1bee99f88134dc33a3b9300161d46eb6450929a0eecf9f32f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
82d04f231d07bf4863d60ac48674dc1f

SHA1
8434d33b77a4c5ebece3d7150d198d567fbba2be

SHA256
08f2d7995c34decde87ff285b66d78b050b4e68dee120d2c2cb6bc49fa01cbc9

SHA512
7f30defe49e21da82e37c6f0303e658922fc43eb18a6480446b297637ce2fb6087b7f523809ad05b7ced7963110eb0095346919984db5774c352b5910fe7450f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8c8987c434a6a47901ceb9375106efd

SHA1
e765e96cbb85660b8d55104c623c1c5fb00a7c55

SHA256
163d9708cd3fed5fbd18b628402ac9e004965c633da861a0877b929915420cc7

SHA512
66f6874e792f58ef75c02e0683a69609bc0611f4add51caf986c6c907d5e557513e134ea4625514ee449fd945e48dd6e302675f8c01e6610c7da8cb473e2dc06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3ceb2293c087cd8fb7c86c3b66272ffd

SHA1
beecc21b2f007df9f38c9f61ff78ad1bb09c411b

SHA256
db8cb359b669af4d1a5d362d1dc1ef153bfb00dc69316d4ba7bf8bf3a576b1ac

SHA512
9c1a2e064114b2ca5b4f80566618a38122658e507b1be9f8e7e053adde41cbe9298ed30b64e9d4dcfe428afb0cd513ab83e7dce6a2bad4a4cef4497afc81f52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5766647dc6e78c8d038d617318039f56

SHA1
2d6ad75d9253ff9346423b74753b019554ec3844

SHA256
8d9623a31e09786a2674dc14fb5080bd5afd04805cd647a411751ea9928cceac

SHA512
3396d4717fa515a112c41e95d8c32d98d2a9719d4bdf7d98a18bdd5b82cefe70064b8c64ebbf81635e39e2cd67fb748a674eee6d268021039a9baa56bc6dd7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a42c4cc8450f1bd0d917eed9145fa73f

SHA1
037e2e190a6a8b3adf28aff74504367d48873651

SHA256
ae48f959e4894f493e9c804eced742ec6714bc3a63394891b3d9241f40b6de68

SHA512
692070ee539dd57e08a984057b74bcc3ade8ad31890abbbe079310121b370402377b0eaaf8568ebccdc425ae0412f5b152d3804cb2decdc10a5bbc6324f633fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c6d3893ae7bcd0fe7c7bd0510b4f287d

SHA1
809cc4515ef40c9de410196012c5d68fe594c2dc

SHA256
b0d8bb1deda89b79ed26fe33e44c358cd876788024b5d9fb5d6cde12d05ec715

SHA512
b38df15fe7b4952d844607c9a97f422e4b07aefe003dbeaf9f58c7df990f36e8e848c5d5041542940149583515205972b929e56b861aeee03c068f0524866291

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\26F1182AEF22F7998025C54DACC15E6223C9087B

Filesize
57KB

MD5
81b8ea8252a719f91ca7a659a700c54b

SHA1
be048d047eb972e242b1f2c9421561d5321045d5

SHA256
9a8e52e093e1efa8dcf3102b428b55655cd9143c8037f26088406c5a202bd888

SHA512
5f280008035e9b43b03713a7ef70f0ac6cddb87a7ecf628effe15f0a4cd59242391cb233177b448c80fe675218ed1e31aaf86e57655b20994d7486c978b221a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe

Filesize
3.2MB

MD5
a84ddabef9bfd38e4dd18b67e630b70c

SHA1
3e59347bc1eb11eca713bfb2a780c0acf1d3cc74

SHA256
cf7c305cd1e8ee63cca9f829b25bf0a6b5e43eed0d1920f58ab23d61cc312ddc

SHA512
91499313a053bf773dc2079661781120016ce9fd6e1a25d9ea7de594ee9e8518f1d8d1b0f5df92ee20aa2e07fc0cf56946f3b741c15599d7081faad1f52112a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd13E6.tmp\TvGetVersion.dll

Filesize
686KB

MD5
878c644c12c3d96438c2909fbb7375cd

SHA1
4fb206e213bd088e28a1c10ab815d1bfd1b522f1

SHA256
75cf60d72a2cb6a748db6f69e2bfa065422df7bb6636d3c214f5435341574a66

SHA512
df0d1903901ffaf7ca1ee22cc5b8bac37cb554f78ed07a8ccaf84a2cd6fb7f9ac5599caad83d92079e170190701a9391468331ec8aa562bfdf32376703e05bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd13E6.tmp\nsi1406\TV15Install.log

Filesize
4KB

MD5
c1e69c7f640fc21b7e6c4bcd089a6dd4

SHA1
4be594473b0ffceb54a38ac500dc3e46d11a4567

SHA256
caf552ceea377e9c98d2bca43ecde54f25c602ee8032b5186dd20bce09965a75

SHA512
7a31f23cfe990bff11d55c864ab5a8e3284d67588383a35808b723eddc472a9ded6c74654ea07d37e3b700236b2e2beb1170cd507907284c22b7e37ed9587551

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd13E6.tmp\nsi1406\install.ini

Filesize
78B

MD5
3cbf67758d749b5bd3073fb930800b96

SHA1
122c567c624350ddc2283e274dc60df8a97f9e96

SHA256
dd81ba541afa8504e07897a1ec6f21ad8f59ba43e06e7acc39e9110abb2924bc

SHA512
e02a9b46427c7814f010fe0eae27111b99022c0c150a9a4ec96723a0b4dd7a3bc020324a3b5e564cef6407f5f37d6372d4c2f4f59485d68c53afea2b379db3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\advanced_unicode.ini

Filesize
1KB

MD5
f68824a4130ebaf6bc7ab0f62256d7d7

SHA1
40af19a0d92b3c9e1a8b1eaab7d12c69e5df436a

SHA256
cd8149a2e89373075ee6db800b7f2496bacbfe21b23e4a06a3453632503b3965

SHA512
6a173aaa183be0e5a516cad484802dae1fc53a414f870f93ea846a9ef9f9df35153766ef632eb5e8ced8f94c2ed09a9decdf3465d46b0dcc44a6918d88e242cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\advanced_unicode.ini

Filesize
1KB

MD5
40e79ef3593eac128472214aefd5f4ee

SHA1
ae2e956ee5e3da8e5b8181ae9e99063cc4632acc

SHA256
6bf4a9e4a720167c13b5d280db4123fc451e06cd695c91304d8631dfe5b316db

SHA512
caaf7230efcf7245ea37ea3a2b4e683c9ef79c45f02b6275aeb6628a48d3584cd2ae20471bd79df1220c6d8a54a40b9f941309a82d37af591de966ea2371f02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\start_unicode.ini

Filesize
2KB

MD5
e895098bcf80b6a11910a09eb747c229

SHA1
384b162042e8885d0335f60d11d231377fcb999e

SHA256
c0ad127dcfbaba1d8a8e8f42378e8d58e986cde1796f033952020e46b668d7a9

SHA512
8ef0ac3a3713a318d74b5e32a7915cc83b21759e85f39680508f5ddbab731329b44853081b7f20b33cb97c7465cd162ef830f969f988607a9bc0eacd9c1ec84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\start_unicode.ini

Filesize
2KB

MD5
47e3f0ebac4d8e74dc736a4dce7adde5

SHA1
101c434d226d15cae6a7f441ce563723ff94e0c0

SHA256
4deeb36d526fa30eb98eef1cfd2eca97ed18981152188a3ee5919779a241c355

SHA512
1dbe7e2048c4329ef5d4b3625790ddadb762307dc9870a236eb78f0a0ad778e884dd4c9bd4f4ef678a9b0aeacabbf9d84f5e93c1afb60769047f96ce2c59b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1696.tmp\start_unicode.ini

Filesize
2KB

MD5
6c750368cc0af7b44d46078432bfb397

SHA1
418ae0827a483c4cfa241fe59eb89994f4572c4d

SHA256
62e6b153da3990a15174ce5b051d2020d6025f65c996eeede4b80391952b32b8

SHA512
ba12b4045eedc72527d69b232a2f41816c1e6f1dcd9e4b878e32ba7424a2482c178b9e2b061726a72b2f804595c1571385b5056f5cd5b973ea4aaa164b097613

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8A67.tmp\System.dll

Filesize
23KB

MD5
938c37b523d7fc08166e7a5810dd0f8e

SHA1
47b9663e5873669211655e0010e322f71b5a94be

SHA256
a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

SHA512
77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8A67.tmp\TvGetVersion.dll

Filesize
696KB

MD5
41c3a6594060581d3bf1a16ed4ae6a72

SHA1
62bdf8c2a3fa5f70e8b25e83c946debf80c8fd47

SHA256
e35396c7d7e32a8fe771895ed9ea16bd85c8544410bf4dc70a42ccd2884cfd83

SHA512
3fee7ea74b4173b2815d631c8e69f5a21f2a170a46ce60424f9b9fb03cf7a35eab6933210497f851816a1a85eb3fdb682781ccb5e2607b7ade6dbc7a098368bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8A67.tmp\nsis7z.dll

Filesize
187KB

MD5
7fe20cee9277556f4ef137e61d29d9f5

SHA1
d53c37dbf548914ed20c8ebb21186a95beef1ee3

SHA256
5d71aaeefbc81732017e9040c8087e6686a16dd54e6d9bcd5ba7a47af68cc925

SHA512
a90250214c6c5048b098e031fca5a8097854a8667330551d7694740e3bc83f7d77791d314e3ac75617ef1834b75c41e3e3d3c74da9794a207894c13fb2d4bef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bf608007-8079-2246-ac6e-d656cb800885}\SET8193.tmp

Filesize
11KB

MD5
b6399716fe7446c91191ed33059b43fc

SHA1
d458fcfc349d0626e18ad72797ed6d977e9e52bf

SHA256
96a6d0c71faea00f0042648d54339b76c0d739bdf94a1c744ddfbde26985cffd

SHA512
57ba5325d91cfe8bdbcb1f4cf4d9416647e2d6535b18f5c555399e6f093cab1fe16b9b45d7aa9b14cc1f5bdfc6b636ad99bbbe38a883addd603ce9b130955737

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bf608007-8079-2246-ac6e-d656cb800885}\SET8194.tmp

Filesize
69KB

MD5
244ac1f9e5c37e35678065aba6ebcef6

SHA1
3d93538b166a250934361f634c775140f18114b8

SHA256
39f2a6a603a90e5ec52a31ec458c7fcb7fe1b347bcb9b3cb3494f6054e845d39

SHA512
de841a34399a9f54333db97987c04fc0904b6aa0b39cd498754017d9289afc392c3e9833a0826950471695a460fee128bb3565df495458379a2cd4be308108a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bf608007-8079-2246-ac6e-d656cb800885}\SET8195.tmp

Filesize
4KB

MD5
7d965acd74478af89a529a15cbec85d7

SHA1
1d13cb0da1625ee91b403bbda6abf11485322f2d

SHA256
e1cbea57572762d79aaeab3b494b9f3c5b7a8ddac62fecf14377208ab064f1e2

SHA512
6dfc1cb27911bb7da2a639a90be78645d88210260b310c938853154dbfca7666018f830a2c4fbebab83438b2140822f5ea8789e608ddd2e67d4bbd28c0989a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
750a1e0b5c107a492061ee06d54ee97f

SHA1
996649c25f6b6514d2e9c408788788ab781b6376

SHA256
152f0df1fd6b126a41171b5a3fb91f51315261339d0f0f39d04c5fa1320a3038

SHA512
3997bb7113fd94556ab2f88c372beae676c0ccf4f5d4f4445f75a179c4931aa8d99e657d4c337c3e3a09092fcfe2c3a52b1b134c6b039c755bad4e9d8801570d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\23359e48-8ad9-46ac-a91b-c9077936dcb8

Filesize
734B

MD5
794ceac6a6b13d59ea91eff9eab6f05b

SHA1
74d05536e349ba8020648980fc15e103e26c12ee

SHA256
1e8b4d98ce02df76074904f329d4ff1e46e6e6d740c212121ca49c506c432fe0

SHA512
c3b63bd801d225eb187018e221eeabf3141d427b9de8dffaeb00bb3d09a33b0b081af022d9d9a5a888c738102a520f5398fb221ddd6311dbc4f6c64513d9a3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
e688d8e330aaea52372ab14e99d65109

SHA1
633f317482dd9a5f13a21b0f7f55683248ef4c11

SHA256
0e5f5bf2567d2bc71ff72c52439f4459f778192c807d1f3f791a44288adac9f8

SHA512
6bb28cf7db38147d87884febb17766bc3d51c543cfa8020a4135c0031e994fededc5b992eafc6fd95733a881ac7ef6fc50d35fd3ef67dbd970211a5e08d82f82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
2284a233c4f3f62686cfa2add39ce982

SHA1
72f016e74f80665e98b3bacb537a11c6ef5b33f2

SHA256
570f1bf1f773aab3c5e20a24b0d03812ee12c1b93a8e665d95c48894768544b2

SHA512
319fb4162ecf0640cbaa77559c4be7a0a876aa69e65291d4c4f45991e66d254eeb084b1b528c1b43a636faac9f6338c609d5b8587695256511e148e57bdc6d94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
375ce1e8da41a3d428990d5f6f20576f

SHA1
de63fe144115576b7b2735209e8b819d71434ee4

SHA256
360c3a62eba2bf210485b2f287482d8cd61845bd779600b344deb42681206de0

SHA512
0fda58328a4db00d034dff7f553f8d7a5d0d8dcc03d990e6ea261ef427f5dc47ec159058a12c87b2c8342985d1c3d0d77352143f3c92c1352ff8786d317b54f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9ef4ad889c4b193d9da0a03fde8e736b

SHA1
9978a97d30b2413b3fac40a4969103bb90873385

SHA256
717ecab53ed706a805667f81a1729ab17d3b6d46e233ca2eeee296f046052315

SHA512
5df8472bf7b55cea7903befca553bb3ae42db35ba1c9c68e4563217f5e92e19ae92e7c40a751973b0a9097f1da492e221500b27b82be4d6b4c2e867cf5967b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
519e4b141c5d2a8a6a208fcbef4577d0

SHA1
8ef1b4aec3d15fff3f440e149cc1054a52598ade

SHA256
84d92aceed17403cfed0da3a736ded114027668e0003fc9c3065ed94514151b0

SHA512
b373b22ea830a59af654e664f3bc0a727f71d6faf4c74affb4e0d589daa4d7f843e0c8a1b910b2f5f7da8d5811b763a5a52f2d87916e03949cfc21e10ca799cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a2b36740b115be529b0ea1e8f0162655

SHA1
8aecd734108182c8129d905fc39b84d2a884fc26

SHA256
efbc4f02d0654f256044fa0b1d8797b3ad8b7d57f136b736f9bdaab970b63c6b

SHA512
70f4ce49e537e870bdd129b5b4c6f957d24085887a5315fa00a99a76d1034025abc1f679ea75e16d37cf1e8d04885db8394f8a6e964b2cd6deda3c8dc842f7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
40ee22f45affdc1d890dfc6018c46901

SHA1
39c141d4fd152d14f54507622b6ff5e22149563c

SHA256
e9e99c9df405ad7f4250f2ae18226d10b2ed93927a6a0f84148ac72df2d57ba1

SHA512
a7d82e46c80c27bd5df4cd5c44e1b4b69411cc464247e168a14e8745f25668970729731659a59370dc0c09007780d4aa1e9fd42b76ed852ec0f06931c252fa7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
115KB

MD5
1ee410361a8af1f23df6769d34ebb4ac

SHA1
fb6bf1eb7e2dfe14b3407be43a516f192074a8bc

SHA256
a47da63f09fee54c0e6b86ab01920157a47cef9e5c0e78cd8dcb4707805bcd68

SHA512
c8b4dfac16b3cbe2117e5b7f91f128ac06a65d8843c0622242fb74166ff4629359aaed51f99ad59d22c60a0fd561dcf0b7b952facc28975fd7cc5542879d8613

Download Submit
C:\Users\Admin\Downloads\TeamViewerQS_x64.exe

Filesize
30.2MB

MD5
375e8b82100176e0b1c5c9da6e4d2590

SHA1
1e34b849cad8d1aa7f91dad5db5ab487066dba71

SHA256
ba116caca955f575e48c6d8e768d14573b4e1f94cee7794b5e4c51b4d393fdc4

SHA512
a8cc21183863ee16314cfeb13bf0473755e6dcc9672b610bf3d9b98e3b7a7d6f8b4ad9846a653ffbba33553c420ef2ad87983b398d3b6f8d15f0bdcd51dceb42

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
68.9MB

MD5
f2525c459ab246ccf7c9a88307ffe703

SHA1
e6788f610612d81c6f2607cfa4edb89a6aca0e16

SHA256
7dd62e431cd22adefb4a3059d1129d42c4db636be15fd49c566496c2a4a63be3

SHA512
0cfe14c80263d362bcc95eae426b35cd70b8897ddb710407123781a0130fcb238fa5f3cbc1488c4ca6e5de65f534c17374ffbb11f99c7fe06ae69e203a95310b

Download Submit
C:\Windows\Temp\{521658F7-23E4-483A-86E0-E83D1FEBA6FE}-MicrosoftEdge_X64_121.0.2277.128.exe

Filesize
105.7MB

MD5
004649152cd414f6c032d4670971e2a0

SHA1
40dca57ce764889db356ccd1378adc323d41aec5

SHA256
03e38daa4a3e320b3a30908351c8de89015aee4a823e8002f0279ca242fb16bf

SHA512
0225a446bf3cd5ba430992b0be85b93b68284a2580b6ab66dad8b80082dc73a6dfdf60a0c387e1d0197dc4f271ad0f1e909595f20c17adfb7e11461d6f860e62

Download Submit
C:\Windows\Temp\{FCF99C71-E012-4FD2-B3E8-9513B25C3203}-MicrosoftEdgeUpdateSetup_X86_1.3.183.29.exe

Filesize
1.5MB

MD5
4b804d73bbf035317c7ba20591e5a194

SHA1
ac4853a7f3de88e1a02fdeea2ac48d6e616d822e

SHA256
611730ce9e8cb3b7fd31a9e064308175eae4c173b46a84529ee43b4f22c21455

SHA512
119da62879ad4f9813b2a6a4ec7b6b7c6a6c13fc661fee06bf642e36a127c0dbf206de06a9c71478f213ee43ab5953d5bcf43ff7755657ec34db2ef6b89beb5a

Download Submit
memory/1600-2588-0x0000000006CF0000-0x0000000006CFE000-memory.dmp

Filesize
56KB

Download
memory/1600-2824-0x0000000073A00000-0x0000000073A0A000-memory.dmp

Filesize
40KB

Download
memory/1600-4077-0x0000000073A00000-0x0000000073A0A000-memory.dmp

Filesize
40KB

Download
memory/1600-4011-0x0000000073A00000-0x0000000073A0A000-memory.dmp

Filesize
40KB

Download
memory/1600-2908-0x0000000073A00000-0x0000000073A0A000-memory.dmp

Filesize
40KB

Download
memory/1600-2897-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download
memory/2168-4232-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4241-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4240-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4242-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4243-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4244-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4238-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4239-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4234-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/2168-4233-0x0000028E59A20000-0x0000028E59A21000-memory.dmp

Filesize
4KB

Download
memory/5748-1412-0x00000000069F0000-0x0000000006A22000-memory.dmp

Filesize
200KB

Download