growtopia | hxxps://www[.]mediafire[.]com/file/sa54z3xwr9jwo2p/TriForce_Installer_Official[.]zip/file

Analysis

max time kernel
393s
max time network
397s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21-02-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/sa54z3xwr9jwo2p/TriForce_Installer_Official.zip/file

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/32-869-0x0000000005820000-0x000000000588C000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-875-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-879-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-876-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-883-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-887-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-919-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-931-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-936-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-905-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-940-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-944-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-946-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-949-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-952-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-954-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-956-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-958-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-960-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-964-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-966-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-968-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-973-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-975-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-977-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-979-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-983-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-981-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-985-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-987-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-989-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-991-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-993-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1
behavioral1/memory/32-995-0x0000000005820000-0x0000000005885000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 15 IoCs

pid	Process
32	Ilkdt.exe
5396	WinHostMgr.exe
6060	WinErrorMgr.exe
2680	KeyGeneratorI.exe
3208	Sahyui1337.exe
4112	KeyGeneratorI.exe
2368	WinErrorMgr.exe
4140	bauwrdgwodhv.exe
4196	Ilkdt.exe
860	WinHostMgr.exe
1036	WinErrorMgr.exe
5520	KeyGeneratorI.exe
5208	Sahyui1337.exe
3236	KeyGeneratorI.exe
6996	bauwrdgwodhv.exe

Loads dropped DLL 8 IoCs

pid	Process
4112	KeyGeneratorI.exe
4112	KeyGeneratorI.exe
4112	KeyGeneratorI.exe
4112	KeyGeneratorI.exe
3236	KeyGeneratorI.exe
3236	KeyGeneratorI.exe
3236	KeyGeneratorI.exe
3236	KeyGeneratorI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
27	discord.com
267	pastebin.com
277	discord.com
340	pastebin.com
344	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
266	api.ipify.org
330	api.ipify.org
385	api.ipify.org
480	api.ipify.org

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	WinHostMgr.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 5196	4140	bauwrdgwodhv.exe	202
PID 4140 set thread context of 5820	4140	bauwrdgwodhv.exe	212

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7104	sc.exe
5116	sc.exe
3268	sc.exe
1036	sc.exe
6000	sc.exe
5892	sc.exe
6368	sc.exe
6548	sc.exe
7100	sc.exe
2836	sc.exe
668	sc.exe
724	sc.exe
3100	sc.exe
1488	sc.exe
6860	sc.exe
6828	sc.exe
3840	sc.exe
4068	sc.exe
5768	sc.exe
6988	sc.exe
6524	sc.exe
6080	sc.exe
6240	sc.exe
5200	sc.exe
6924	sc.exe
6068	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000100000002a911-855.dat	pyinstaller
behavioral1/files/0x000100000002a911-884.dat	pyinstaller
behavioral1/files/0x000100000002a911-870.dat	pyinstaller
behavioral1/files/0x000100000002a911-910.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4156	schtasks.exe
5428	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WinHostMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TriForce_Installer_Official.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\TriForce_Installer_Official (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
3172	msedge.exe
3172	msedge.exe
1888	msedge.exe
1888	msedge.exe
1460	identity_helper.exe
1460	identity_helper.exe
3436	msedge.exe
3436	msedge.exe
5940	msedge.exe
5940	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
3208	Sahyui1337.exe
3208	Sahyui1337.exe
3208	Sahyui1337.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
5396	WinHostMgr.exe
5820	powershell.exe
5820	powershell.exe
5820	powershell.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
5396	WinHostMgr.exe
4140	bauwrdgwodhv.exe
860	powershell.exe
860	powershell.exe
860	powershell.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
4140	bauwrdgwodhv.exe
5820	explorer.exe
5820	explorer.exe
5820	explorer.exe
5820	explorer.exe
5820	explorer.exe
5820	explorer.exe
5208	Sahyui1337.exe
5208	Sahyui1337.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	Ilkdt.exe
Token: SeDebugPrivilege	3208	Sahyui1337.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeShutdownPrivilege	5168	powercfg.exe
Token: SeCreatePagefilePrivilege	5168	powercfg.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeShutdownPrivilege	3632	powercfg.exe
Token: SeCreatePagefilePrivilege	3632	powercfg.exe
Token: SeShutdownPrivilege	5588	powercfg.exe
Token: SeCreatePagefilePrivilege	5588	powercfg.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeShutdownPrivilege	5720	powercfg.exe
Token: SeCreatePagefilePrivilege	5720	powercfg.exe
Token: SeShutdownPrivilege	2424	powercfg.exe
Token: SeCreatePagefilePrivilege	2424	powercfg.exe
Token: SeShutdownPrivilege	960	powercfg.exe
Token: SeCreatePagefilePrivilege	960	powercfg.exe
Token: SeShutdownPrivilege	1476	powercfg.exe
Token: SeCreatePagefilePrivilege	1476	powercfg.exe
Token: SeLockMemoryPrivilege	5820	explorer.exe
Token: SeDebugPrivilege	4196	Ilkdt.exe
Token: SeDebugPrivilege	5208	Sahyui1337.exe
Token: SeDebugPrivilege	6100	powershell.exe
Token: SeDebugPrivilege	7156	powershell.exe
Token: SeShutdownPrivilege	5696	powercfg.exe
Token: SeCreatePagefilePrivilege	5696	powercfg.exe
Token: SeShutdownPrivilege	6000	powercfg.exe
Token: SeCreatePagefilePrivilege	6000	powercfg.exe
Token: SeShutdownPrivilege	6508	powercfg.exe
Token: SeCreatePagefilePrivilege	6508	powercfg.exe
Token: SeShutdownPrivilege	6512	powercfg.exe
Token: SeCreatePagefilePrivilege	6512	powercfg.exe
Token: SeDebugPrivilege	7020	powershell.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeCreatePagefilePrivilege	764	powercfg.exe
Token: SeShutdownPrivilege	6292	powercfg.exe
Token: SeCreatePagefilePrivilege	6292	powercfg.exe
Token: SeShutdownPrivilege	5728	powercfg.exe
Token: SeCreatePagefilePrivilege	5728	powercfg.exe
Token: SeShutdownPrivilege	5380	powercfg.exe
Token: SeCreatePagefilePrivilege	5380	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5480	TFInstaller.exe
1996	MiniSearchHost.exe
5412	TFInstaller.exe
2680	KeyGeneratorI.exe
4112	KeyGeneratorI.exe
5520	KeyGeneratorI.exe
3236	KeyGeneratorI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4932	3172	msedge.exe	79
PID 3172 wrote to memory of 4932	3172	msedge.exe	79
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 3432	3172	msedge.exe	81
PID 3172 wrote to memory of 4796	3172	msedge.exe	82
PID 3172 wrote to memory of 4796	3172	msedge.exe	82
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83
PID 3172 wrote to memory of 4772	3172	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/sa54z3xwr9jwo2p/TriForce_Installer_Official.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce04c3cb8,0x7ffce04c3cc8,0x7ffce04c3cd8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8652 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8872 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9296 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9520 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9444 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10020 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8952 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=8820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9284 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9676 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10004 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10188 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1020 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:6536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10180 /prefetch:1
  2⤵
  PID:6652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9088 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10088 /prefetch:1
  2⤵
  PID:6564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:6832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10316 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8680 /prefetch:8
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:7140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:7008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15806496368699379415,1882974498927503231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
  2⤵
  PID:5180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2420

C:\Users\Admin\Downloads\TriForce_Installer_Official (1)\TriForce_Installer_Official\TFInstaller.exe
"C:\Users\Admin\Downloads\TriForce_Installer_Official (1)\TriForce_Installer_Official\TFInstaller.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAaABsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAegBqACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1048
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1980
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6000
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6068
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:5768
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5588
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6080
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:1036
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5892
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    - Executes dropped EXE
    PID:2368
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EEA.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:4156
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
  "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2680
- - C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
    "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:2208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffce04c3cb8,0x7ffce04c3cc8,0x7ffce04c3cd8
        5⤵
        
        PID:5240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:6176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffce04c3cb8,0x7ffce04c3cc8,0x7ffce04c3cd8
        5⤵
        
        PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:1876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffce04c3cb8,0x7ffce04c3cc8,0x7ffce04c3cd8
        5⤵
        
        PID:6720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Users\Admin\Downloads\TriForce_Installer_Official (1)\TriForce_Installer_Official\TFInstaller.exe
"C:\Users\Admin\Downloads\TriForce_Installer_Official (1)\TriForce_Installer_Official\TFInstaller.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAaABsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAegBqACMAPgA="
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6100
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:860
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6856
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6860
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7104
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6368
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:6548
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6512
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6508
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9576.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:5428
- C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
  "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5520
- - C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
    "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:4880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffce04c3cb8,0x7ffce04c3cc8,0x7ffce04c3cd8
        5⤵
        
        PID:5128
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5208

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4140
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4764
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5116
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5200
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5196
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:6996
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:7020
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6736
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6840
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3268
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:7100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4068
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
65KB

MD5
4b6d156ac817f0a55432cf7f0afa64c4

SHA1
9433f463ee0391e702d22e43f764aba754ce1782

SHA256
2898553cb20b4c5161f63c8709a4514d7a59d3923547dc6d3a9278974a318b8c

SHA512
261f4a1ad2e9722d226df12664e701f88ab88e68c0f90adf63c6e8595ca5370cc497df37f24ff7729471e2b532b45639f4b53549e9eaa23b3b14c11cab25236c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
84KB

MD5
078957edcacd0fe602beed01b5fca7ff

SHA1
174565cd895d86370024c8e0e2e298026213bd93

SHA256
c6d4ed999a8ce7018a0970ef5d911cd2c56e5db16f4730e942dff2c08f169c3d

SHA512
004b426fda84dabd00d67932f887b331ce5175ce1990324c803aab883ed13952a1a1d2a336f4c494ae0f355e066c629f632df8ddd822c6c712346020da8d6884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
96KB

MD5
4eb4262399f5e4d91a0522414c350142

SHA1
e8e6c68d29604de24b8d41d89bacd9e032504abc

SHA256
bd5c21c4b1f5b6e23258c0aa87a2db9f5612a1c957f31317f71b3d1c6856a5c9

SHA512
970279e5aab4ad6141a1e6fca2d1325c05ea0c31a5e186790e730588a84ce707c7f82c46f3f4a467af293b7f0f79beb7a9d1e994a5a81038eb9e7da8f28d76e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
21KB

MD5
660c3b546f2a131de50b69b91f26c636

SHA1
70f80e7f10e1dd9180efe191ce92d28296ec9035

SHA256
fd91362b7111a0dcc85ef6bd9bc776881c7428f8631d5a32725711dce678bff9

SHA512
6be1e881fbb4a112440883aecb232c1afc28d0f247276ef3285b17b925ea0a5d3bac8eac6db906fc6ac64a4192dd740f5743ba62ba36d8204ff3e8669b123db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
71KB

MD5
442d02a96c1a6d402b3e208a5c0d0ebf

SHA1
579acddb5b8621366b51726b40ec01f8d21d3608

SHA256
be2782ac10e1d1b876c2164186806a6d6259541ad06e7a8a04f91b3e573aa5b5

SHA512
121fd41509987231785f17174fdc1f295fd92f5aad5a196af2ae4f68c9a0b6f484d8db989ac463f070a9b0ebaab0dc3a86871f6eed7a6cfe21bb6a16c49c2503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
23KB

MD5
de2313dc0be95330ebbc549d57cc1c98

SHA1
aacfe80ac4371be2d6cd4160e40b721911d22234

SHA256
fdbbe08bafd1c02f2d0f062f11f22897ebf325eb92a5eea42384175c2e21b42f

SHA512
8e59359cb529887e5926ef6747d5ee0d91c94ba2fc2b5e9736f36d57b9b56db49dae040139efe0dadd9aae0ed8aaef950835c38672df0478e5ab05f97bd39a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
29KB

MD5
f81cd1907b9c042b550f2d9ac82ad528

SHA1
1278e54b9b105239beec42f9ffccecb8bbad196b

SHA256
642d798441c1030de5a4f999de11bba5af54e5e56cfcb963ae5b5b4f6b1cfb8f

SHA512
609014ae05844feb9e4fe58a94bf5b980808489e5c8ede512c1331ca25a18b411503a1776aff6601576ca33e4adec5a17b34da76e6ca7043ba663fd65fdd8902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
125KB

MD5
226e013e66a30793fee0f1d025ba75dc

SHA1
a42fc75a4b3f30badcef9a558a30f3b2f6709504

SHA256
74c82eb0c5f54cfe3196cc33037e75c706c9e694486edb46416c308d0fd14a8f

SHA512
eb683bdeca60c8227272d76611092c6ad50c5f7c707f895b7d220aadff64c8884061561aca546afe917cb646e9298f112d76e78c30e6b655ecbade3ad4d28f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
426KB

MD5
fef02690e17e13f092208e78de1c38e6

SHA1
b62bb72ee9a597b317e18a16303ac397efa30f6e

SHA256
598bfbf1b9245dfd71f38c8d39832264a9d78ec346fde7788651c75251993d06

SHA512
327e654625df4e56e242542866a3bb8560dfef18e22b0506606fbfa4ac27d3c2485517b4c55c966d0f60409af1498f6ac7790e9184c77b2f6576d56d6d49279f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
118KB

MD5
cc109cd9c8fff946bdd66eac833953eb

SHA1
56f381779e79106931dbd00d5de75a44d5a8f681

SHA256
fe287d1d23a1312bcfe167e7f286eecbccbe24b46fcc4a468d12d9826b6b5b67

SHA512
fb3807f6169536650f19393a9556d44e2a0a5ae40b5115f0c2c7b2c8571227c7852286c9f1477fc150d15752118caf23fb651266ce03c47fd80242ce8a49073a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
31KB

MD5
abb55fe29f8ccbc96b50c502b9e1f6ca

SHA1
30ed1d2f0ed7d7c613be0fbebbd2e4c35600c041

SHA256
d1b040f2efee700438d7ad284b1551210e4a0d4498ac7072cf1a4e15fd73747c

SHA512
dfa558e5a547bed57f428a3e409ae37bad7537446c2ab49bce161f13640b386fcab07698399abf491bc3f38f860385f1648698d7a76d6ac7ccbeea842a9583fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
102KB

MD5
6a2298e92f4163f3ae75a1f2a2373bdd

SHA1
3fea68ab27bfc355df8ac421c060e57240c3a32a

SHA256
b3ee43775d0371a665bda8ab4a43206bef23c6ab588fae0b11c6b51815643538

SHA512
2ee61fd022c2041e66beae1b5ae0f8455a0f733eb85475b20c0478a886e8d27af1186ce6e43e1b4dda6fceeb09422af581afdc98c1878942bc4f9cb7cfefaa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
16KB

MD5
501ef121a314cbdc4d42992b260436d9

SHA1
9a64c4451e0dc55a26ee534aba8201839604111b

SHA256
85b7ec4b8a9c1afeeaa903400474e61a463a61953f6fba789ea7c8e0bf1c5aff

SHA512
70460b3760ab5a718d34e7b455ccb2944abc656aaf2b1487d758fd0030a11e12d9cde3f18541605aef494cde1acd60973083be112d94aef7f6e8d55ddfad58d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
76KB

MD5
90150623135c9d72c3663b6075f535f6

SHA1
127a80c59f4cfdb670ca3bbcadb6e3e9775c597c

SHA256
6d393a5eba7792baf998ce31a68a42fd4e8f10df911ced33c912143b247b3c4c

SHA512
215df839a6e5468da82c4cbe292a6400c390d48ad86b0801431a831826e04876a58eb37364975298ee841b0b3e841d5f6bfacb84c7c5a4105f1f47b4e2e7ab69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063

Filesize
21KB

MD5
44129a82842153ef9b965abfb506612a

SHA1
c0964eb2ee1a76d48e4e09e31915415d74e18bbc

SHA256
8a3908fb32a414703eff3e435566b1e5598eb3a5d50c500e70eb1a5c20d003d7

SHA512
77d149f19343d765834f2bcaa02bc160c75bd42db1fc431aba87f78257a83c4c8a7e5953c247cb7cbbaf4ae44ace269eb0a5194dfd7489d66f69489ce5dd78d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
27KB

MD5
638a4990025383a0f83ebf29bdb84a68

SHA1
153e8818dc42f598e47fde8cf398f1447649a4d0

SHA256
878e34b89800bb271d3588e526eb3598eb3822e263f3bdaf53645847d39d0ad6

SHA512
59a505fa1a3bea1511e8fed16dced733299928b4081665d3e3fa4fc71d6f0ed0b09934805f442bf190c9093937e1494ac938167f9beaca0223243703f73efe87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
598KB

MD5
a8095d15e1038e91fa4f78bfeb1b1cd9

SHA1
463454b038497eea491a5d9ce6ec576dbb186eb0

SHA256
cf92f88e82421962b0de25fa87387ee7f782beff2600556edb051c071eb46418

SHA512
b2cb09e2bec9f035b97e4d4f6b35e09ce7cf48d12d0b2197151a6de2224690122e3fe23e3890bd149fa205f2b8427ea66e7006c6edd9ed0c7b792de5a4b23a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
78KB

MD5
33140474de25056044b7c3dab982ec64

SHA1
913c0b1cb51ecfa9158b3810c6f06ceda577963c

SHA256
6c895e15ff3b92d341cb2242e69e868e40e134eb12ea036d0e860d14ecd97cdf

SHA512
d91a6a576b54c825417819274e299f8cf2be30717f4090b0a3fa5e0f35f4a7c84588b5fcc60326e178f135bbc26672ef34c883bb8533e3d1d9024ff9c935ff01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
40KB

MD5
1ec1698eaf537aad6719fea124ef390d

SHA1
20827c56cb4d64f105da42f5bcfa1da733f3174b

SHA256
13f8b2abfcae6c9a355db9e247f5b1468a07ca4785343f2a23e0111af9c7eba1

SHA512
4ec8ae201f80d4643d05c289d65ee84e0b0b583ae62c6a73a487f2c9c04b209eb4a12f5ce151bc76208eaa73e55f58adbe47c06b642218ad0ce9788d69af594a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
64KB

MD5
deb1f24781b537b420239d10b45e9e46

SHA1
37bc39d3c2773280bce8ef3705fe046b8c210841

SHA256
4ae9113f3df061ec190e87c36849048b92f6bf02f01f8cc187655f0e6494621f

SHA512
f0f4cc45bb41329050fd42d54437a215b2b152fbe944b27b5b0171868928f9570e211a1af0cc5499b451bf816e8925de1cb8259e502e697fb2713d4ae458c788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000069

Filesize
66KB

MD5
5e47b0357560d1961c588c3625646011

SHA1
b96de7e5f5310edb7e392546b343d27e32c875e3

SHA256
4e97a76368b732b21df395ac9e6c8f64f8f5bc0b3d5e664e40abc7b6e9dde6e7

SHA512
0d58e988e23f857ca85ef87a01ce116ee33b283ad61cd8c5f62b761f1e005f95645df09f1fdd286f07cb34379f57e8174f94e3813d18708e136a691f1869ca97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
37KB

MD5
eef2ba131dfaf23abfafac6b25c980e2

SHA1
95afb0942f84f95017251d7d47adddaf341791c0

SHA256
ffff2290b62abcfaaaf54aa41154693a613735382e7df2766b6db795c4d85532

SHA512
eb560e9e631a8f74825c0ab8985495b84b5188a6f9a49de3d2221c4d8f4cb98a39f8ab3f7aa082d2dd0198ec4e8dff34d42126b44cf49be035b5a7ba41f1a005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006c

Filesize
89KB

MD5
5fea4631cc4851d74b24917afb797e3d

SHA1
950042d475162cd9d8a6455321fdb57d538243c1

SHA256
18a314fd4fbede49bfc6dd18cf3ee774243c4a468d51cf9a7efcf4d0e0dc5641

SHA512
e483ada58586432871749193e71ddbfe19bb765b78418c79e9f33a406f8b94f0557646460a9ae37b61ad4ad9689f6b7a7775d17b273d1c30abf3a3b862405aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
24KB

MD5
772921a67ff6a39c4b4447ea06576497

SHA1
deaeaa4770a806c4effdf626bee5646150c10e19

SHA256
33ec947034d642e2eafe5c2663ac97375eddcc21c54a67a3a13ee79e4f783954

SHA512
83d8e5063f5bda2e7ab29c2b693fe3a2cfe1a373340ff1437da8d6a03bcd82cb9f6747ed7be8db78a024f940b0bff307e05d7806d8718a5f39098ad7f188c5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

Filesize
50KB

MD5
cd2f3074326840d55a3c3ea1e99e83fe

SHA1
3a2e1d1a93506526ae3ed2b44d584af7771ff8d0

SHA256
9ec9f50ac6a5dfdf7ace0a047ab4e86a7f8ff297030f93f9b8b4e27c57fdaa51

SHA512
0685f7e50451e87f8d7d47f3373d653f7d6163ffa8ccd143a85b179d2c5c51cf494e8b5f7e561436c35bfb8ffb9304f0c49962a8bf7065830f0cc95281f4ae6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000070

Filesize
21KB

MD5
ec3c217eaf452a394a13c58c4a61c46b

SHA1
56e64676baf30fc34ce403f37f7a7a796c241a4d

SHA256
c33baa98dfdc4f836d08d3c83eb8413266b622fc3e57a6012ca3fcc1c23d760a

SHA512
19ad9a149362816f9540e16984711049b2d2c3efd7ca70f359f382369c1f0a1043c8ad6f1c048fb2d11a122e17b55abf4bd67b537f63816352dbbda809c6953d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
355cbd439976cf0c032f99ab691ec5ae

SHA1
20fc12f89e22ff93f162a2d7bd4e4c37198ddb52

SHA256
808b530579a6251bfd94faac7fa5927fe3f8fc8292373678a6d1a80fb61bbee2

SHA512
139f922b7c09611b700a685d71f3028b2bb0dc602e7aa47dbe0dc5d6fda89ae936c46b196e2c943574cfabec616d57c4f4255f3bb98678c641a3a10b362e3961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9e1d4b35ae41fb758d4ad9555a4b9792

SHA1
d81a06004a8b24daf3194b2fae5dc4296aaadf23

SHA256
b96e8fc21444ce26abfab0009cfefe2f004220443835a50c8c89917528dba645

SHA512
8aa058a556a70f411b7677087eb5b7eb716dba210f744aa4afe4b8051c88b2f71d252fe3b7ec2e94241a4f7995b11d47dea2c5dedcfe13a6a0de4d6a47da9545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
55e6ad6be4760a34ac13f4c53864bed9

SHA1
67423f9c0c2c62d178cd865f33d9d612191b1879

SHA256
ca40169935c6b5a1b9a4e352e55497b58ce199af1de5532b344e73321b943c2a

SHA512
511f31a606f6aa784fa04af227bc8c9d94da2dd5e3d4a170b72d6079c1fbeea90af3b5a8b97f21aa15dfb244607a3f9500544b558d23d48f9cd3dedb8e74f902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da66eee25129aa17df0caaebc05f6fce

SHA1
4704db93f80a03fafa4c54f20fec3edd69cabebe

SHA256
0b9a0672b8d411e2bc0f7590d823070994bb5fd0c4f56c125aa26964e9d2f6da

SHA512
d2cafd24b5b8b709b952e0289477dd4866d9f5b53adda9456986695aba208febf2632eb8c41e4d0e0a7b0bdcdf96e00b1db1d60d7bbc96fbebc8fa712c774e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.msn.com_0.indexeddb.leveldb\LOG.old

Filesize
737B

MD5
336f4ec372f46bdb799b18f2cf2accf0

SHA1
c5ed44901c3ec804cf50f06209d05d321af014ee

SHA256
8e0a8234e455408265d3370a5f1926e628729c37fd0dd7cf2d482fe57e63cc13

SHA512
748f4b58517b89cdef46f50c81200200ed4353e5489ca8f5027e7e3c00b37ddf119016a2283e00875e66cff9075faeb92846879f0ced6ffc1ced87834b9b1b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.msn.com_0.indexeddb.leveldb\LOG.old~RFe5c5f7d.TMP

Filesize
600B

MD5
15c5f207bb3f0f1abdc79884c32dfc63

SHA1
f7d4b30c3e7fa0a0a4e07932f1012655cff08ae6

SHA256
7fe509938cc56d8afe1c0dfd7a7d8bbfc5f65faba26381cfaa8db20a4fb70330

SHA512
6f3cf0bf31da745db028666ffefc9e55cc7db2e78a145c421031cecb5a59932aebb3c7754e6917771556fffa01d3949fb306805bd1669a78106b0c6232c069d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
ce6eaa8dd503d9e8dc5543e2347c8886

SHA1
4a3c0f32062aeeb23d103389f36d40bb5263ba23

SHA256
ebc11c27cd8c555d5b6cf9aff3181730fa0221ae7907f38c14018244261efdcf

SHA512
e024b47cb5f30210cbe3c6a4d00f2ca3fb1918d6605386d214b4880bb3d540a383b261daab067bc84995b939efe64c38c23102a6f032fd2510f6dbeae8dd1ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
7a6191977a2b5e2649348bca4ce00c56

SHA1
2a948b0ab2c1f0968e6b7912507373a609a34d4e

SHA256
fbc89ebe6db47b1fdd4a7e9ab29e80412c3c71e89913c85c62e25fb3eb63c001

SHA512
d4f926d3c8127fb090ac41c5da483e0ee431446051de1760c99e64062240e3d47004276f7684d575d7bd900effe7c75e42c890a185258ee4a703ae0e4878e011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
fe1c088582231a4baa4e5d766efce3d3

SHA1
652ce9be5ce921d1860078e4ae289e0e9fb5afb7

SHA256
ec0f8644e7b65e09016e84e2be42c25a125dc9b9e00db6669892cef7043fdfc4

SHA512
1caf8aa3fc405c927313bf741cdde78bd6a2663b9e93c80fa2499b9d3f37a05bf27aa58459dc4cf3dee93e22e577016ab71a73b6f9dfaa0735860576b3ff156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02253919effe1ff060f9868de69847a5

SHA1
fa4428c18b03ad24fa5f735cf418a6da82e82863

SHA256
a1cd7654ead323e3a5b28354c2baa79d13b1f7162273f926e05ae5761f5e4761

SHA512
a9d5cddf47bcffbccaca59aae0cd8a6b39062cff2b85edcb808a4b0b9b0df0a2df1e39bb04043934935ec3dd6e414d3769ac3c0928e57a576f56214c6b3b7b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b93045abf35151744ce81ffbcd5e9fde

SHA1
83ca451d704b5a7e873bc8af7757ef35405d7ca6

SHA256
8e55765350c5f489daec30b0fc2fb3bea376a02e94dd2fd7f4271b2c4b00bc14

SHA512
183b2c99ec726a3fa12b991c3a47a91cef3043a8acae07601f6c43d89ee486f707ccbb6c0a4b53150d0bbd9c18710f04fda59137de69c96217e0c0648f67b429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
e73ebb0c63b8908d974ee48d4e92dd79

SHA1
1e47081577a801c97652843362461c0b8e118887

SHA256
444c2b84431439875dd2e42b55216a8dbb2e901908193077321d9de51a53ec4c

SHA512
2634997f12599f64bc1685ca367c9731a7a6b1093b8d15236a93d225decc46d065ea6d072df1094d1d7a0155ef183a7cf72537d28a688ffb2cc80d86b3f33dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
0dea567699699db7f4ceac98c76d286a

SHA1
5130cc98306ceeb92308e0755c8bdf3ffbb90027

SHA256
0c479a1c9f10f3d23c1966ecd4f009026067d531d8387ddae7e90cd25815edd6

SHA512
5f5f443a96055ab089511f93b8e3adba2bfa1fb3adb3efd60c26115f73ca0a1fbda84cafb2a8a047754ca374571e6c5392849fdc71f51bee1f84c357303e2e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
ab776148457428e4b580c91216723199

SHA1
6a5df58f407ceb4a1ac31db3d5ea4aa946771dad

SHA256
05a45f75b1767b6a1c40da5aa2af0cd4f315697e50666c43212c6207c6736b8f

SHA512
df53b5617aab2ab0304e62f312b1e102d77dfae1f6629cdd737b27360c9d1e34bd91116a4c4697ede5a1d6e3a417348668751484308408cb219b1d3b40b7e909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
74fc12bbff681fbb40b00c79f7e47e11

SHA1
7a833803c8738f750d669ed600991850257998a4

SHA256
927e071f60583eccd36e864579c638367635dbb0d4c35e61420ac4d6864b7422

SHA512
478b4df2e7be4fc92f7ee45c93d5861c34f82957e3774bfbe99a83b4d0066f1be5b0253adbfc8e422bee007e1b03603228d77a106515ee3415a246d9eb83fc8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
b1f8f78bf20f314d84369305ad511f27

SHA1
e1bd987eb71186e119faac0b3aa63501aab51550

SHA256
e92083113ca13567a73ed59835720fac772cdb6440506bb465f5227779f95f19

SHA512
6aa8f4235b95cc35ca20580e7dc455939c95af22218a5e875b3aea2ec476955cd9eaf1caeedec7d83d3677dbb61e844a3eb1eed2194c7c58a6ff568725a53266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
14f7c4cf9a49cedda8ed6bb9e2195bab

SHA1
9ba4c69f7bb8c167f40e91733814a2ef3cf4956f

SHA256
e9e81676cdf22cd2a3d3ca2493c92659c3c338fd5b1aab0199d9867ea25ecf45

SHA512
b8457e13eebc326e4fd805ea5c8dd37eb6a1c39dd26a0adea812a64c23e195982161a34c7c34d20407931a0a96322a88ce56e660a06ea263a9ac3e50406ba1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
69f08fd425f14f68ed825fd4a761e150

SHA1
f3248adb302c6c3b178df739814e8fe2b321a16d

SHA256
4e3afeb17d4f6a522e4ea051b7779012e20d93d68ca9063e02c305f30d2decae

SHA512
149a33e54ffa20608a99e3cc592a8e0315348936544d73a81c6320f6add10d43878650dac7252386d419eafd7a9a36074aa8f30b11a711b47f77b526ab8db42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\03dd824b-d331-4a34-8cff-b8bf5e75536d\index-dir\the-real-index

Filesize
4KB

MD5
e14b7dc5dcebe4ab5ab6e7d6bc3e1448

SHA1
c3fd6a32b2a18a0d70b5cb71e1452ee368ac00a9

SHA256
4f029ee709ea3c34996723df045238e1888f35dbfc9d54c0dedf7cb780b5dfc5

SHA512
ec61eef8a67c02c9c693fc53b33c8d03bdab22d1fc16079e59fa2807440f5fe7dee0e6723b456b0c5f1a043d42713c001815b0bea10fa9f7f45be8c9c77e29d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\03dd824b-d331-4a34-8cff-b8bf5e75536d\index-dir\the-real-index~RFe5d2a9d.TMP

Filesize
48B

MD5
0222886984af22289923f210579a6dd7

SHA1
66c79c6541c715eccb67711e22b17a0ecc52152a

SHA256
fc59421a61153b3a4b736d0fd817a42a94d5b821c74d0f74f36d165406ee683b

SHA512
73b8f3d7c3519c51c1fd20804532a9ff23df27b435a32ca86a613db680b10ded89164b15ca6733e5b99b11bd204a3c88f141c12ed1ec730898543d4fc184c9bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\index.txt

Filesize
93B

MD5
13bc55be07ec2a8494d078abd30f174a

SHA1
ca8f8bf1521fb2a4de500e07a075f571f1882208

SHA256
9db7b26819bdd08123dd702e9c8dcd6cc6bee42d12310eb732fd10a224c3666e

SHA512
b5d3e7ad93c95c23c70dd012c1dceb44c5a68b32ebd043e3fb40200a9c917173a0c4ec67b0998bf0554007392614bce26248228c96cd3346d7bba2e638fb9406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\index.txt

Filesize
89B

MD5
ba0fd8c6205b5b72b4cb7a8da3341c91

SHA1
d93198b25edea029128f26c02d0a88d207dd09b4

SHA256
b18e89b7ed76e9bdc487de263dbb6b973a5644bef39f6f136afa2ab1d3962ed5

SHA512
8071a085b3a99c993e8d4953c31babec1c2e45662c92d572790f8168989846e928b281fe749c0ea56f7c454eff5290bc888165a4da518e987c83108032d57741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9d08074e329b88eb7ad3dcc1c883c52d

SHA1
81c91587871132e3c93bc00d6d511b67e0c2be61

SHA256
417e1ce00e35cf26ff0f066ec75620699118ac9b9284fc2ee36f8b6dd98328f8

SHA512
6d01c37fdbaaedc95a7daac12d7938f763cf2630583573c5e810183d55c566dfa46bf7a288b4e26b94e17f95fbe3bc173de4243d34d74a22c96967edf3339acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cba6e.TMP

Filesize
48B

MD5
73b9bb7d4ccdd565886b65543c8bdef4

SHA1
32c951a3ba63e35560738ab05dd55833d26f3f2f

SHA256
44c8be4b0833391e22c781fbafe2fcc7dfdd3b8df9cbf892e84a5472baed8663

SHA512
db93f4706ffc97ad9ade49ebde634c436bc049ea14eef713a389bfa99099bb66428f38d7b0005cbb6bc1d1c812ea2f7384fe46f69b6e7176b789a24dfd2afce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
359160b9135a58e99c4c1b00837a2a05

SHA1
1a20875666e5300a49225650673f328d94e208b4

SHA256
c17e45afcc47865fd6fad155b3c98b1738ce0ebe1fcd016653008c71b76258eb

SHA512
2e3556082347edd5b0bc112cbce58fda2b7dbb3f594ff34f7f799405114e6e35388945fac0cfbcfbf07e89c381321035953b2a0f56885f79f36cf172202279a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
4075bbe4c82f8e93fcb441bd8d7a5351

SHA1
b6da372652a2e0dd6ce8796ea50401557d9d9e3c

SHA256
d43f20bbb95530e91becd250187ebb4bde790408a82a248fbb8cbbbb7f99aeb9

SHA512
2f11912e49918759ad3f5f5c10d5cbb204f300cb72f707b180d94c7de2259ab12db8a03fcc46f3c6cd569fc91d8acf14506f72d803619e92d6064ea8cb79f668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
a91840c3bf17d88da032fcac7cb78e20

SHA1
2668d99182223951cf280d13aaddd43ce0b71d5c

SHA256
48d545dabd5ca2c84df1ce5577ac3f3433049eb51421ae5efd7b04d9ab863189

SHA512
732133ee2b78382bee562b8ab39a5942eae0ef7f1fb8825272144ff9f511efe3718a8a03bb282f6be43f50a3d2c133f3cd9ab2eafbf523ece7669429ecf01109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
cd6f85d8b86a6df881fb4488626c789b

SHA1
62acdf39b77213867a80b0f6a3d2bffd0b6ee0e2

SHA256
450324085679d431c39c7ddd46d738af9bc4c4f8762b98f4ed29a685755e9559

SHA512
9d5e417c367ee87bbc145cede66a04a40ccf530e69bceee4b7802025a2d66ed6c602cb38cab59fd3f4c6481ff2d986f475c5f2583bf8da47b9a3d2cba597e4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f34d53437a304fbd299aa05500f28c67

SHA1
063429c57b41c892cccfbc223cec250766439a2a

SHA256
52f0d337c709c2c3c61d50cb6ec8e7d5766e9458c068964dcaf0d6cd50b64c0b

SHA512
42e14f29cbd9bcaa1b1a7ebf2b1aa6f67c7c6492ec26784ae7e2787cd95f5459716a544eeae68c7842215fcfa86fa9a7a031c63b9ed80addd1445166193d7625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
6f9b86a2fd7171ff63da814838381f26

SHA1
03d79ef263ab110842d38a47ec9adb9692839988

SHA256
b491307e728946761b2f7855fb3989be7296e98032e0b059bef978c1c9bdfc92

SHA512
de30a5b5e3b57e47f4bd71d349b0f80f9215850d64884767150b65e5943d8165b45a3fbb9a3850b375f7a77c2bda1ac41c2d63cc7cdb6a265d050d0dff482d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
9470b62cfecf126eb7ed7d976b4b4b90

SHA1
b855b41b7d90caf6bacf69d0e92b16b3caef32b6

SHA256
de6e847211777e173a052ac1cf5febf60b0d77746b7f5767586e7192d9a962c4

SHA512
be9ba75777c31c7dadbeb0052d9b272980da8ccf9d536a41d48fb2a6688f3bf668eee9b78085ae4aa0454a1687ade9c53806dbcaa596cc000ee89dc3d20685e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
c9e2ca0ddee9e35fb26a18aaddab7a8d

SHA1
5141b7c4bf2483856e9a269ca42cc43a9feeac37

SHA256
bc9a96c2db14ae3ba810c6e7e733da36acb2d5a1eb847cbc9875b7b789ccd436

SHA512
a3dc78a1b563e5f9a07da4ed9e6e98a01b0a05103011107e526487184f572cbac645d2ff7740f3fd822d51774b32bb19acce9b63aaf677347bb7633f59682553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
45a9b2a760f52ccbb2f5d02bb8ed82c9

SHA1
a57f34497b37d6f856032b5da0afa650e06cf6d2

SHA256
f8cb50a99a1e3fe573a085564a3ac9beea87d88f944b973ca99eaa916bd0643e

SHA512
f0e4825562af7363859ef2214d12dfd48d3dda1dbda9cc91bdde2b0dde2bf3049fb989e345fda359db6a5e7b1b4492ba7c3514f262db9fd540f571d690f22873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
3f2a0c85b6cd1340428e19b6a7a69a87

SHA1
7b7f443f067f262127a8f0d56b8f3810f11ea2a6

SHA256
ea2beadfe2b3c6275ec00294e6619ba2b24c519824400ae3feb55501ccb9d2c0

SHA512
f47f2793fe73bf77e735957b29a0069f07a29020a5c1a66b8e0bb1e945a0076b6974411fe6140d22abd4b91ce7ec2991487114425c99a78cd0ede7e279ffb075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
15b8574ea20f2f83f25a55f90d5ebf54

SHA1
e63d1cfc65499e7db241c2ebed91baf94e79040d

SHA256
5b94136b944209087b4ebd2e449834cf9fa21e3f43be3aaf44a9d60b3cfbb203

SHA512
cbec1ceee5c1884d83ee6ee48b7e7a0aea87287cad6f98d28b9591c9dd67ecadd1f6e89e58d4894863f35dabc1a5ef27a6a102c263569dd0ec35dd28b72dd50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
775ae822533519e86afd15e359792786

SHA1
cf5be56a072bdcad4042af6098dbc59f493940b0

SHA256
e50189d735d23894dc81b7dd6bfe9f5db4d017c48f5a9a405244ffb0c8ef18c5

SHA512
c6e0b6c35c812479bb877f433d59bea1bf41840988ed4e67a8e93852789f28478a9a2bfd77e5be70d7da76329272362d21f3b775f095bc7864860cad9a0b1045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
43489b2d08b3aad0eac243754b8f826d

SHA1
831e7a9c7397186740804e9851413b35780ad5ff

SHA256
c4d5edd96f4842d5ef61a63d43743c70bc46f32a4e408b99c5ce2038e35feb98

SHA512
b3d3d5c60736175dddd3c1923267ac707f2c1ac2dfa08ea61ff1ceb5b6ef1e0407885a42e1a42713c097bc68d4ee4591f17beae04437855143036c5c691c9cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584551.TMP

Filesize
872B

MD5
e539b2c2c6597f7834b64dba117c598c

SHA1
5426bb48611fa3da98f2a26fa44f4ec2692b6e09

SHA256
bc9f014d3e06bafa93458b284598d385dcedcc32b7db53137de5ccfc85081a83

SHA512
c2924dba94e83eb1668a601c82029240b3fd003780b7c8ec2bdb665cd91bfecf769f2c84a3ef434e5623c92f9f5521e71509e7fd961fac5e5a1df532897b5900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eb10d471-8209-4d4e-bb9c-e003b1476476.tmp

Filesize
9KB

MD5
7042269350eca3594ccf20fb24f7cfed

SHA1
c75b6357673e3c631aa423b02fbc7654df97c8b8

SHA256
cd71b4dcfd79ffd76bc4ee7d014386f7d75bdad4a18b54050139a638aba81851

SHA512
2a13851cbc1f733e5557dcdb87dab650bd79a8365ab7bad77aa4440a7cd85bf9328344496d5230409bb75174303a920846ea64d738331acd278aa93c093601ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3643cd5ef834977c32becc6c6d8a0f93

SHA1
ee29fe003796be9903d12a5dea5a8508d08dc2a6

SHA256
d1c1faf1aa66448ce86cc2dfef08f12f6d394d66dd49048efb66adfa404b0610

SHA512
d0da51ac087cef2f2cea03f51af4ffc95f5cbf03cfdf8c9d1573debd7dbe87e17ee1d4f4cc4016a05d1a01486540e57b22c3d09635dee5bb392c72bb1db15861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
146c408256cb9b3c297a030762d348df

SHA1
2eb452b21b4146b7d68178d55dcf64000c6b3947

SHA256
4f315697d53e2b0d02af915615d27d6fc495371e318508b5904b66cece80161e

SHA512
f3ab352ce86ce87c8263d19fe152ad1e403ecfe8aacce438c042f224f5071e45465784f451c5ddcef2054ca59dc72836c510cdc4b9fbc6e0a92c8acad66b001f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
f2de638a4259125fdc63c3e174803714

SHA1
c2dc76d32dbc368e8b576a5dd9e0a2a7a5d6fa66

SHA256
c76921cb128864fa1ede8f5f96285a688474149a4d0ef6f15ae131250649a297

SHA512
625a76f433d1b50172950eea73425706e5be7547d589f0b660d7ffab6440f9f1542acc1944d20d64ba493c15c420593b12b53e6ad8fe181c0134001581aa7b19

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
31490a459c198da08ac2babda98140fe

SHA1
7d0ce403bc81bf92be58d7ad48763948920e8737

SHA256
f1cbb3423476a4c6fac691d9dd20e577518781c4ca79874e74d52f2961a62276

SHA512
1ff445b321634318fdca6fd7f946088a8309d283824205b5d1f9ac4d544d492bd608aa324e292ce99d332c747be3f49a59090b91e46e296335822d5d400fc715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.4MB

MD5
ce46d782afb394984e771eb3ba6bf43b

SHA1
5cd200835bff0c4c5f455a5be2b37b9bab9fa0fa

SHA256
b21c451f35feba757bdcb02d0163c9c669b8377c5e2d066fbaff1b19b896af00

SHA512
06ca300d8c86bc09fa0584d2d5c8f60522cade0d66500b5dde9749bac58644f13b42e300ef42a78b853c357788ed605ea936ccd97480fea865ef87ac0a9862b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.1MB

MD5
f7516c5caaca80ec3de66364a24c0cf9

SHA1
37ba4cb0ee9d961b0bcdc2b313da563605592bf1

SHA256
fb4ae491e147fca99d5af7674ab32ec9d146e0d624ab10c0de52f3654674c1f5

SHA512
a1daf267c28e86664288482be2720d462285fbe4ff64c5a6fd9648af5b8a50e7073fe139178ad5af00f4de072abc915b34d8f8f5ddc17d9b7e5fee2d54fb899f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
512KB

MD5
eead9d6a936e06d8e4bde69416edf494

SHA1
83799dfdec0a7413d9be77da483fdbfa0cef6f5a

SHA256
56f4565aab6820923927e5f5f8612eee4ef4eb1f1bc9cdd6679dbb3d972524f2

SHA512
93140f963aaef8764f25fda7f1d125d03545dec501f47e5a0aa7a67f3f6c03a69a32bf10b3121656fd05e19033df8a8bcbb02a881532fbc3f111c21818a45656

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\base_library.zip

Filesize
1.3MB

MD5
44db87e9a433afe94098d3073d1c86d7

SHA1
24cc76d6553563f4d739c9e91a541482f4f83e05

SHA256
2b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71

SHA512
55bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python312.dll

Filesize
2.3MB

MD5
48bc42b56bcc72fdc80f37c8254f4925

SHA1
d6eb14a4d3076d330096459c7e8830ff23622f44

SHA256
7ee64d196e19c4230fdc83a2920b2cce2fbbffcbe9781f1fe0603c77a9313fd3

SHA512
a85d97c167e67c246bd2a8b2d1e4755416effd35044fd8be4875a8a45993e947495f8feb8a74dd8d9801e4fd4ec53ca371edb9b4e9cdca5b6f85e90a63130b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python312.dll

Filesize
2.6MB

MD5
58175c2250285e9b5e3530efaeed2cc3

SHA1
e0a958c20f19d3b6a5b70b99d6df73dbf0cf1743

SHA256
4a914aa79787151ec95b0b87b0639d2d3c09041c7d66cf84e1d242bc7062ac7e

SHA512
82937476263068ff3235879d70c22cd591b16822442b473cc77e51a09729b81a38b772b464d4da8069bac7f8958e76c504360cc0f0f173422b120b508d64b714

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qj3lofb5.rkx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
64KB

MD5
8636cf9342ac6a28e8e0b5ff63f9bf6c

SHA1
261a36686436084eb3ae59ae9831dec54d426dc8

SHA256
ac34f9ace31be89324cbe37db78a00e176b148d00df9c6cd7631db560a48df06

SHA512
5933e245fb2d473faac40fc03ac143f1f5f264e92d7381d2555ceb1ecd81ec834abcbff256ce4d1ba3711866c55e13fe399f2fd8b47b10aa8d8548813dc94af2

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
3.2MB

MD5
6ee9da9b4648741f37112db7ce9bcc3a

SHA1
315ee654647e4fb33cfcb3c8d5898cc8e75716e0

SHA256
906ab725998242905b5efdcd452b0fe2191dda458930bfa651e234430da8937e

SHA512
b3c7eb0aa4fdc86a747f8bd511d68606183ad67b714e7588ed3e47cd5945591667ef9eb35bcd45793e122501560eb03c9843eaa1be6ea1365642b31ae24734d7

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
2.1MB

MD5
809fac85a32132201c36ec4d32b1b2f7

SHA1
8727fb41f3846f8fbeab65729126953ea1b30cea

SHA256
909e12e4eb3ba5f3aabc565f69b96a04b65b5a9cfc3e7c9db18d93b9c3b7439e

SHA512
8c802a49b9167eb22c601c82d1fc7f2689df3ec825f15507e382b8337d0c33a1afb8305aa68eddd6a0370a000b94bc3d4754b81f4c15989c99f68c4eaf810968

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
1.6MB

MD5
d9fb2e67ef003b5aff95670b891c094b

SHA1
38597aef4117187d55ddc17e76230f6512d8c429

SHA256
cea66de3d6790c78b8c00d485595ad4ecb5ef0c549ef73a1bd9e2419de6a6c56

SHA512
37f5effc9620d027d116b4d06a9d9aa4bda0c4014839d952c7b02c34af5bb1be1d58450c8af0f5015ec6835573a62689df0926de0b46b3b9568ad1b3038913cc

Download Submit
C:\Users\Admin\Downloads\07338c0b-a16f-4b91-b929-e59bb2211897.tmp

Filesize
2.1MB

MD5
8126dab3cce0302c737853faeef34cd3

SHA1
ada6de595b5a539352eebcf38945d0a59eddf36c

SHA256
c0ac640360609a1002bf09ce96840bf4d0ee2f3f138c403ec52bdf84b63f9ce0

SHA512
1580a72893247f45d45a96f3df6e5ec194d073a5b4796341b0b6d33b4474e6837e288d083d2b5db145856c4c92c5695b7a2d0a383c94c9507cdc4b5674923cee

Download Submit
C:\Users\Admin\Downloads\TriForce_Installer_Official (1).zip

Filesize
11.6MB

MD5
fa662c27dfff91676f490d65a9e44703

SHA1
3eabe6db99d7139a0af66cf025c10e90912bbdbb

SHA256
07b255620b36b0a5874ff59dd5a591008d76e7bef96b958a0ec4f5582d625df1

SHA512
0ad400ec5c8fe110a897a6410c000d3a1dcd3744e6c15350bd37a495852a9363db4ccce937f4135d99ba7df524b220172ffb692f647abd6a2060f6fb328d2a7f

Download Submit
C:\Users\Admin\Downloads\TriForce_Installer_Official.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/32-975-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-968-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-977-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-979-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-983-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-981-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-985-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-987-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-989-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-991-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-993-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-995-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-847-0x0000000000F80000-0x0000000000FB6000-memory.dmp

Filesize
216KB

Download
memory/32-869-0x0000000005820000-0x000000000588C000-memory.dmp

Filesize
432KB

Download
memory/32-875-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-877-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/32-879-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-876-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-883-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-887-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-886-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/32-919-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-931-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-936-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-905-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-973-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-940-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-960-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-2566-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/32-958-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-956-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-944-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-946-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-964-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-949-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-952-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-966-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/32-954-0x0000000005820000-0x0000000005885000-memory.dmp

Filesize
404KB

Download
memory/860-2691-0x0000022B1FED0000-0x0000022B1FED8000-memory.dmp

Filesize
32KB

Download
memory/860-2660-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/860-2669-0x0000022B1F980000-0x0000022B1F990000-memory.dmp

Filesize
64KB

Download
memory/860-2680-0x0000022B1FE00000-0x0000022B1FEB3000-memory.dmp

Filesize
716KB

Download
memory/860-2681-0x0000022B1FBD0000-0x0000022B1FBDA000-memory.dmp

Filesize
40KB

Download
memory/860-2682-0x0000022B1FFF0000-0x0000022B2000C000-memory.dmp

Filesize
112KB

Download
memory/860-2683-0x0000022B1FEC0000-0x0000022B1FECA000-memory.dmp

Filesize
40KB

Download
memory/860-2690-0x0000022B20010000-0x0000022B2002A000-memory.dmp

Filesize
104KB

Download
memory/860-2679-0x00007FF474B50000-0x00007FF474B60000-memory.dmp

Filesize
64KB

Download
memory/860-2692-0x0000022B1FEE0000-0x0000022B1FEE6000-memory.dmp

Filesize
24KB

Download
memory/860-2701-0x0000022B1F980000-0x0000022B1F990000-memory.dmp

Filesize
64KB

Download
memory/860-2693-0x0000022B20030000-0x0000022B2003A000-memory.dmp

Filesize
40KB

Download
memory/860-2705-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/860-2678-0x0000022B1FDE0000-0x0000022B1FDFC000-memory.dmp

Filesize
112KB

Download
memory/1036-2806-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/2368-2659-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2368-2647-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/2368-943-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2368-939-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1100-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/2376-1040-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/2376-963-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/2376-998-0x0000000006FC0000-0x0000000006FF4000-memory.dmp

Filesize
208KB

Download
memory/2376-849-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/2376-999-0x0000000074580000-0x00000000745CC000-memory.dmp

Filesize
304KB

Download
memory/2376-1009-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2376-1012-0x0000000007000000-0x00000000070A4000-memory.dmp

Filesize
656KB

Download
memory/2376-1026-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/2376-1028-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/2376-867-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1358-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1125-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/2376-906-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/2376-1089-0x0000000007590000-0x00000000075A5000-memory.dmp

Filesize
84KB

Download
memory/2376-911-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2376-1080-0x0000000007580000-0x000000000758E000-memory.dmp

Filesize
56KB

Download
memory/2376-932-0x0000000005B60000-0x0000000005EB7000-memory.dmp

Filesize
3.3MB

Download
memory/2376-1057-0x0000000007540000-0x0000000007551000-memory.dmp

Filesize
68KB

Download
memory/2376-930-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2376-925-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/2376-1058-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2376-961-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/2376-1050-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/2376-857-0x0000000005360000-0x000000000598A000-memory.dmp

Filesize
6.2MB

Download
memory/2376-882-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2376-1055-0x000000007F320000-0x000000007F330000-memory.dmp

Filesize
64KB

Download
memory/3208-874-0x00000254FED60000-0x00000254FEDB4000-memory.dmp

Filesize
336KB

Download
memory/3208-918-0x00000254FF800000-0x00000254FF810000-memory.dmp

Filesize
64KB

Download
memory/3208-951-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/3208-903-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/4196-2802-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-2654-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/5820-2631-0x0000022851FA0000-0x0000022851FC2000-memory.dmp

Filesize
136KB

Download
memory/5820-2648-0x0000022851FD0000-0x0000022851FE0000-memory.dmp

Filesize
64KB

Download
memory/5820-2625-0x0000022851FD0000-0x0000022851FE0000-memory.dmp

Filesize
64KB

Download
memory/5820-2624-0x00007FFCCC280000-0x00007FFCCCD42000-memory.dmp

Filesize
10.8MB

Download
memory/6060-880-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/6060-941-0x0000000073240000-0x00000000739F1000-memory.dmp

Filesize
7.7MB

Download
memory/6060-856-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download