hxxps://filecr[.]com/ms-windows/

Analysis

max time kernel
838s
max time network
831s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://filecr.com/ms-windows/

Score

8^/10

discovery evasion execution persistence upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1932	netsh.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	kms_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "rundll32.exe SECOPatcher.dll,PatcherMain"	kms_x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	kms_x64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Mini KMS Activator Ultimate 2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Mini KMS Activator Ultimate 2.0.exe

Executes dropped EXE 15 IoCs

pid	Process
6020	gatherosstate.exe
740	gatherosstate.exe
5716	Mini KMS Activator Ultimate 2.0 Setup.exe
4400	Mini KMS Activator Ultimate 2.0 Setup.tmp
3624	Mini KMS Activator Ultimate 2.0.exe
5940	Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe
2860	Mini KMS Activator Ultimate 2.0.exe
5072	Mini KMS Activator Ultimate 2.0.exe
1356	Upgrade-latest-294120241941-c4abc36e-0aef-405d-bb03-fdb3470497db.exe
5588	HEU KMS Activator 42.0.4.exe
4844	7Z.EXE
4564	kms_x64.exe
4352	kms-server.exe
4468	kms-server.exe
3188	kms-server.exe

Loads dropped DLL 9 IoCs

pid	Process
6020	gatherosstate.exe
6020	gatherosstate.exe
740	gatherosstate.exe
740	gatherosstate.exe
5508	rundll32.exe
5812	rundll32.exe
400	rundll32.exe
1136	rundll32.exe
5488	SppExtComObj.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1840	icacls.exe
1808	icacls.exe
5576	icacls.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5588-2471-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2684-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2685-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2720-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2768-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2825-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2828-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2829-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2830-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2831-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2832-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2843-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2865-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2870-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2883-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2884-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx
behavioral1/memory/5588-2885-0x0000000000AC0000-0x00000000013B1000-memory.dmp	upx
behavioral1/memory/4564-2886-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4564-2684-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2685-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2720-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2768-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2825-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2828-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2829-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2830-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2831-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2832-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2843-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2865-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2870-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2883-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2884-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe
behavioral1/memory/5588-2885-0x0000000000AC0000-0x00000000013B1000-memory.dmp	autoit_exe
behavioral1/memory/4564-2886-0x00007FF629110000-0x00007FF6293D1000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\SECOPatcher.dll	kms_x64.exe
File opened for modification	C:\Windows\System32\SECOPatcher.dll	kms_x64.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\is-F4BJC.tmp	Mini KMS Activator Ultimate 2.0 Setup.tmp
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\is-5HJ23.tmp	Mini KMS Activator Ultimate 2.0 Setup.tmp
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\is-CC8OV.tmp	Mini KMS Activator Ultimate 2.0 Setup.tmp
File opened for modification	C:\Program Files\Mini KMS Activator Ultimate 2.0\unins000.dat	Mini KMS Activator Ultimate 2.0 Setup.tmp
File opened for modification	C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe	Mini KMS Activator Ultimate 2.0.exe
File opened for modification	C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-c4abc36e-0aef-405d-bb03-fdb3470497db.exe	Mini KMS Activator Ultimate 2.0.exe
File opened for modification	C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe	Mini KMS Activator Ultimate 2.0 Setup.tmp
File opened for modification	C:\Program Files\Mini KMS Activator Ultimate 2.0\Microsoft.VisualBasic.PowerPacks.dll	Mini KMS Activator Ultimate 2.0 Setup.tmp
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\unins000.dat	Mini KMS Activator Ultimate 2.0 Setup.tmp
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\is-I1FDI.tmp	Mini KMS Activator Ultimate 2.0 Setup.tmp
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe	Mini KMS Activator Ultimate 2.0.exe
File created	C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-c4abc36e-0aef-405d-bb03-fdb3470497db.exe	Mini KMS Activator Ultimate 2.0.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4656	sc.exe
3612	sc.exe
5268	sc.exe
6048	sc.exe
4156	sc.exe
3976	sc.exe
6028	sc.exe
5896	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5344	powershell.exe
3944	powershell.exe
5508	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	Mini KMS Activator Ultimate 2.0 Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	Mini KMS Activator Ultimate 2.0 Setup.tmp

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.0.0.1"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{1047576E-E215-4C71-A9E5-3F88915FD876}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HEU KMS Activator 42.0.4\winmgmts:\root\CIMV2	kms_x64.exe
File opened for modification	C:\Users\Admin\Downloads\HEU KMS Activator 42.0.4\winmgmts:\root\cimv2	kms_x64.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 559461.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1100	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3104	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
1608	msedge.exe
1608	msedge.exe
4936	identity_helper.exe
4936	identity_helper.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
4160	msedge.exe
4160	msedge.exe
5344	powershell.exe
5344	powershell.exe
5344	powershell.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
5740	msedge.exe
5740	msedge.exe
5740	msedge.exe
5740	msedge.exe
4400	Mini KMS Activator Ultimate 2.0 Setup.tmp
4400	Mini KMS Activator Ultimate 2.0 Setup.tmp
1976	msedge.exe
1976	msedge.exe
5696	msedge.exe
5696	msedge.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe
4564	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4564	kms_x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5796	7zG.exe
Token: 35	5796	7zG.exe
Token: SeSecurityPrivilege	5796	7zG.exe
Token: SeSecurityPrivilege	5796	7zG.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeIncreaseQuotaPrivilege	5344	powershell.exe
Token: SeSecurityPrivilege	5344	powershell.exe
Token: SeTakeOwnershipPrivilege	5344	powershell.exe
Token: SeLoadDriverPrivilege	5344	powershell.exe
Token: SeSystemProfilePrivilege	5344	powershell.exe
Token: SeSystemtimePrivilege	5344	powershell.exe
Token: SeProfSingleProcessPrivilege	5344	powershell.exe
Token: SeIncBasePriorityPrivilege	5344	powershell.exe
Token: SeCreatePagefilePrivilege	5344	powershell.exe
Token: SeBackupPrivilege	5344	powershell.exe
Token: SeRestorePrivilege	5344	powershell.exe
Token: SeShutdownPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeSystemEnvironmentPrivilege	5344	powershell.exe
Token: SeRemoteShutdownPrivilege	5344	powershell.exe
Token: SeUndockPrivilege	5344	powershell.exe
Token: SeManageVolumePrivilege	5344	powershell.exe
Token: 33	5344	powershell.exe
Token: 34	5344	powershell.exe
Token: 35	5344	powershell.exe
Token: 36	5344	powershell.exe
Token: SeIncreaseQuotaPrivilege	5344	powershell.exe
Token: SeSecurityPrivilege	5344	powershell.exe
Token: SeTakeOwnershipPrivilege	5344	powershell.exe
Token: SeLoadDriverPrivilege	5344	powershell.exe
Token: SeSystemProfilePrivilege	5344	powershell.exe
Token: SeSystemtimePrivilege	5344	powershell.exe
Token: SeProfSingleProcessPrivilege	5344	powershell.exe
Token: SeIncBasePriorityPrivilege	5344	powershell.exe
Token: SeCreatePagefilePrivilege	5344	powershell.exe
Token: SeBackupPrivilege	5344	powershell.exe
Token: SeRestorePrivilege	5344	powershell.exe
Token: SeShutdownPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeSystemEnvironmentPrivilege	5344	powershell.exe
Token: SeRemoteShutdownPrivilege	5344	powershell.exe
Token: SeUndockPrivilege	5344	powershell.exe
Token: SeManageVolumePrivilege	5344	powershell.exe
Token: 33	5344	powershell.exe
Token: 34	5344	powershell.exe
Token: 35	5344	powershell.exe
Token: 36	5344	powershell.exe
Token: SeIncreaseQuotaPrivilege	5344	powershell.exe
Token: SeSecurityPrivilege	5344	powershell.exe
Token: SeTakeOwnershipPrivilege	5344	powershell.exe
Token: SeLoadDriverPrivilege	5344	powershell.exe
Token: SeSystemProfilePrivilege	5344	powershell.exe
Token: SeSystemtimePrivilege	5344	powershell.exe
Token: SeProfSingleProcessPrivilege	5344	powershell.exe
Token: SeIncBasePriorityPrivilege	5344	powershell.exe
Token: SeCreatePagefilePrivilege	5344	powershell.exe
Token: SeBackupPrivilege	5344	powershell.exe
Token: SeRestorePrivilege	5344	powershell.exe
Token: SeShutdownPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeSystemEnvironmentPrivilege	5344	powershell.exe
Token: SeRemoteShutdownPrivilege	5344	powershell.exe
Token: SeUndockPrivilege	5344	powershell.exe
Token: SeManageVolumePrivilege	5344	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
5796	7zG.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
2068	7zG.exe
4400	Mini KMS Activator Ultimate 2.0 Setup.tmp
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3104	POWERPNT.EXE
3104	POWERPNT.EXE
3104	POWERPNT.EXE
3104	POWERPNT.EXE
1228	OpenWith.exe
5588	HEU KMS Activator 42.0.4.exe
4844	7Z.EXE
4564	kms_x64.exe
4352	kms-server.exe
4468	kms-server.exe
3188	kms-server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4660	1608	msedge.exe	81
PID 1608 wrote to memory of 4660	1608	msedge.exe	81
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 4292	1608	msedge.exe	82
PID 1608 wrote to memory of 2364	1608	msedge.exe	83
PID 1608 wrote to memory of 2364	1608	msedge.exe	83
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84
PID 1608 wrote to memory of 1664	1608	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filecr.com/ms-windows/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6292 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7352 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7364 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8044 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8204 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8716 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8948 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8652 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8640 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2401.msi"
  2⤵
  - Enumerates connected drives
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8764 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17140749113577637643,7769434358185993699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1592

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\" -ad -an -ai#7zMap27930:110:7zEvent4587
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5796

C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\gatherosstate.exe
"C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\gatherosstate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6020

C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\gatherosstate.exe
"C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\gatherosstate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.cmd" "
1⤵
PID:5244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
    3⤵
    PID:5484
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
      4⤵
      Loads dropped DLL
      PID:5508
- - C:\Windows\system32\ClipUp.exe
    "C:\Windows\system32\ClipUp.exe" -o
    3⤵
    PID:5540
  - - C:\Windows\system32\ClipUp.exe
      "C:\Windows\system32\ClipUp.exe" -o -ppl C:\Users\Admin\AppData\Local\Temp\temD43E.tmp
      4⤵
      PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.cmd" "
1⤵
PID:5740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
    3⤵
    PID:5872
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
      4⤵
      Loads dropped DLL
      PID:5812
- - C:\Windows\system32\ClipUp.exe
    "C:\Windows\system32\ClipUp.exe" -o
    3⤵
    PID:3032
  - - C:\Windows\system32\ClipUp.exe
      "C:\Windows\system32\ClipUp.exe" -o -ppl C:\Users\Admin\AppData\Local\Temp\tem5AD3.tmp
      4⤵
      PID:4404

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.ps1"
1⤵
PID:6044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.cmd" "
1⤵
PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5508
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
    3⤵
    PID:1200
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll",PatchGatherosstate
      4⤵
      Loads dropped DLL
      PID:400
- - C:\Windows\system32\ClipUp.exe
    "C:\Windows\system32\ClipUp.exe" -o
    3⤵
    PID:5240
  - - C:\Windows\system32\ClipUp.exe
      "C:\Windows\system32\ClipUp.exe" -o -ppl C:\Users\Admin\AppData\Local\Temp\tem240F.tmp
      4⤵
      PID:664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MKMSAU.2.0.ZDescargas.org\" -ad -an -ai#7zMap5246:112:7zEvent13234
1⤵
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Users\Admin\Downloads\MKMSAU.2.0.ZDescargas.org\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0 Setup.exe
"C:\Users\Admin\Downloads\MKMSAU.2.0.ZDescargas.org\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0 Setup.exe"
1⤵
- Executes dropped EXE
PID:5716
- C:\Users\Admin\AppData\Local\Temp\is-5GJL3.tmp\Mini KMS Activator Ultimate 2.0 Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5GJL3.tmp\Mini KMS Activator Ultimate 2.0 Setup.tmp" /SL5="$602A6,3655766,57856,C:\Users\Admin\Downloads\MKMSAU.2.0.ZDescargas.org\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0 Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer Phishing Filter
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4400
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Mini KMS Activator Ultimate 2.0" program="C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe" dir=in action=allow enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MKMSAU.2.0.ZDescargas.org\Mini KMS Activator Ultimate 2.0\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1100

C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe
"C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:3624
- C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe
  "C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe"
  2⤵
  - Executes dropped EXE
  PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/minikms27
    3⤵
    PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
      4⤵
      PID:3804

C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe
"C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe"
1⤵
- Executes dropped EXE
PID:2860

C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe
"C:\Program Files\Mini KMS Activator Ultimate 2.0\Mini KMS Activator Ultimate 2.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:5072
- C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-c4abc36e-0aef-405d-bb03-fdb3470497db.exe
  "C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-c4abc36e-0aef-405d-bb03-fdb3470497db.exe"
  2⤵
  - Executes dropped EXE
  PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/minikms27
    3⤵
    PID:1660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
      4⤵
      PID:1084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x340
1⤵
PID:3360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\HEU KMS Activator 42.0.4\" -ad -an -ai#7zMap11247:110:7zEvent28713
1⤵
PID:516

C:\Users\Admin\Downloads\HEU KMS Activator 42.0.4\HEU KMS Activator 42.0.4.exe
"C:\Users\Admin\Downloads\HEU KMS Activator 42.0.4\HEU KMS Activator 42.0.4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5588
- C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
  "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE" x "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe
  C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x64\kms_x64.exe
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Win32_ComputerSystem CreationClassName
    3⤵
    PID:3868
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Win32_ComputerSystem CreationClassName
      4⤵
      PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" SoftwareLicensingService Version
    3⤵
    PID:4868
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:WmiQuery "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" SoftwareLicensingService Version
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:5300
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:4852
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query osppsvc
    3⤵
    PID:5456
  - - C:\Windows\system32\sc.exe
      sc query osppsvc
      4⤵
      Launches sc.exe
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SECOPatcher.dll
    3⤵
    PID:2852
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SECOPatcher.dll
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
    3⤵
    PID:5072
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
      4⤵
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe -S"
    3⤵
    PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
      C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe -S
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SppExtComObjHook.dll
    3⤵
    PID:5004
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SppExtComObjHook.dll
      4⤵
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Add C:\Windows\System32\SECOPatcher.dll
    3⤵
    PID:4804
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Add C:\Windows\System32\SECOPatcher.dll
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Add C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
    3⤵
    PID:3188
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Add C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
      4⤵
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SystemRoot\System32\WindowsPowerShell\v1.0\" & icacls C:\Windows\System32\SECOPatcher.dll /findsid *S-1-5-32-545
    3⤵
    PID:1588
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\SECOPatcher.dll /findsid *S-1-5-32-545
      4⤵
      Modifies file permissions
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SystemRoot\System32\WindowsPowerShell\v1.0\" & icacls C:\Windows\System32\SECOPatcher.dll /grant *S-1-5-32-545:RX
    3⤵
    PID:3828
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\SECOPatcher.dll /grant *S-1-5-32-545:RX
      4⤵
      Modifies file permissions
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
    C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe -P 1688 -R 10080 -A 120 -T0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:2016
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:1872
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query WinMgmt
    3⤵
    PID:4128
  - - C:\Windows\system32\sc.exe
      sc query WinMgmt
      4⤵
      Launches sc.exe
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:5240
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query osppsvc
    3⤵
    PID:5544
  - - C:\Windows\system32\sc.exe
      sc query osppsvc
      4⤵
      Launches sc.exe
      PID:6048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SECOPatcher.dll
    3⤵
    PID:2660
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Windows\System32\SECOPatcher.dll
      4⤵
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
    3⤵
    PID:5312
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo //Job:MPS "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" Remove C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SystemRoot\System32\WindowsPowerShell\v1.0\" & icacls C:\Windows\System32\SECOPatcher.dll /reset
    3⤵
    PID:4728
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\SECOPatcher.dll /reset
      4⤵
      Modifies file permissions
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe -S"
    3⤵
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe
      C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\x86\kms-server.exe -S
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3188

C:\Windows\system32\rundll32.exe
rundll32.exe SECOPatcher.dll,PatcherMain C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Loads dropped DLL
PID:1136
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:5488
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    3⤵
    PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mini KMS Activator Ultimate 2.0\Upgrade-latest-294120241941-ce0243a9-7c9f-4904-9586-bdcbced7ea18.exe

Filesize
459KB

MD5
bb56cd028379e2a0068a7181e14bd46e

SHA1
ffd97fae874e31fa9acac574d5044b553fd97813

SHA256
62da6265c2110cffebf1cb9dc562f7077312a8ecf5adfb90cf751bcc300d50ad

SHA512
7040dc77c0f49807e70c5399518191d30874f631eb62b4522333d25a60c411d6675cdf20bec7bbc65235d8edfce960f9e6d86710ea4fd52df0991d5876bf46fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
bc70cd9028d311a425f4066b359fa95e

SHA1
4d8aed0679dc840fb60a4107e6112109ee6da812

SHA256
fa3d02bd5bbeb2aa10b2a96c7658b8169df8bea936569322173fbb3f59b1fa34

SHA512
7e7bcd2d0dc1cd39efe6e4ce95e9c4a96e7a3bfba753582d153a6183524143834f6860c8fea410ccba80bf9af049c387b8ddb3d49e2011506d60a40d1794105d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1eaf2bfc-845c-4c01-b072-9d2bd0a0b400.tmp

Filesize
370B

MD5
c956fc1b5111193354d4fabdcfd11143

SHA1
2d9aa2704fabadc748c683ea3f767ebd5c1403d3

SHA256
964437306eebfe69aa837a76652e9542107dbfd42ab248b63b42325b212dd9a4

SHA512
e3c59071dd92de559d522ebcdb01eae1b5849f79231948d46a7cd7049f669f586628826c4220d94549b6818c8f0e5677045970cad004750bec002d9392123cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\758d5b61-fb13-4428-b9be-963a0da40241.tmp

Filesize
2KB

MD5
780ee9978ee64ccb8054e95ee90b6b31

SHA1
a34e4f1bd99dcc993205a894ea790d4d0f99529e

SHA256
924be1986c88878dbc863fc7eb7fc58f550f2da5f770b45d4231b6617b105f87

SHA512
6c670d2d96c2108e4bf9567324a663e6786ff6c5c84ce0da9dc702d471ea897586914a1599884aa484a51573b024a355b6ea0a41b979d4b76b851fca38982f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\87d70e20-1478-447b-93d8-0463b83b0a53.tmp

Filesize
5KB

MD5
5a56e55115416e38aaafa67510f69eb2

SHA1
47b1b0e049fd5acb183ce00ecd3bfed929357a45

SHA256
7b308d25a86862080124a6ffb5aa4f0d94ad051e7c896120b060efa8e62703ef

SHA512
b47def8a2e8959b353a1c580ba7865ebe664ed579f29bca5a386b2548d2631a3cd3bd7cbdc81fb65f0dee56ecc18e4481d58a973782110bbe647b1e5876298c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\960c6e17-4678-4eaf-81c1-5c005fc48b99.tmp

Filesize
2KB

MD5
f767897c6ad4580123c1bdb1aa236d0e

SHA1
3c34cb55024502d73cc8804fd3820ae05205a137

SHA256
26a9aa7b87b0694dcb6aee6431be5bd159786e3a324a7bc07a334b1d5920410d

SHA512
a685f556b91f25562837508a0310754af2ce567e89349efb983b69767e8152698b27da4f347321d8fb89dff9498fa9de24cef2eeeaaf2c6b3ec28da6e2c3952d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
27KB

MD5
9b87e4c79c2721d746b42a1fd16225c0

SHA1
2f61da82e666ff6644544da5da7cb7f31d138cfd

SHA256
12a79bc818f1683137a55fcecf226346c194812b81c21e3e18b8efea7c51d6ec

SHA512
f0a185ee077dc75d5e2b4798146b4706f27937a0b1de3043f14f13866d076ef005454137bd9019cecd3a672fe76eff8cfbebb9dbeb3fcf9b2e866442adac4a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
56KB

MD5
e67734d66f385eb48c3d5bdd37ba1977

SHA1
a4254b2448163fe42d6bbd2c9ba6b55bd26a60ed

SHA256
d9551d2565ee072141192c973b8b0d446705f46e93843a245a9d08f90b0f799b

SHA512
5f3902967d7084ecf863fc6cb4cca88ebdaec81330ebe3317621bae1516d4034ebf1c8c38683ec7dd78e1ac6e2d45090500d2020b2dd250e76b06006d7246903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
69ef77257c7fa3a494a232f90b05d55c

SHA1
19dc83dc05f718e9693de231d48bf0307d8d29a2

SHA256
d1ec04bcd468208a30012d660d1e857bd9d4d937957d45bb10cc7483de435421

SHA512
1b95ee10d622e1468e04691dc47fcb59da6349ba8cdc0814ac8d27a0ebcb9c09692ef1b86533ebd59f2bca87f3340cbe032a011223afe4e7db018af47bab38ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
33KB

MD5
1aca735014a6bb648f468ee476680d5b

SHA1
6d28e3ae6e42784769199948211e3aa0806fa62c

SHA256
e563f60814c73c0f4261067bd14c15f2c7f72ed2906670ed4076ebe0d6e9244a

SHA512
808aa9af5a3164f31466af4bac25c8a8c3f19910579cf176033359500c8e26f0a96cdc68ccf8808b65937dc87c121238c1c1b0be296d4306d5d197a1e4c38e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
187KB

MD5
afd04a71a17df2b236ef84f7198aef2a

SHA1
11191cb10936064f7561d42bbe7dedc05ae4623e

SHA256
c1c3748311998ad8472007a6bafba107defbef250627e277662d9fdc617aca19

SHA512
c0b6ba5105d5307643f21158a2901e63a53c85c1482863803024df3e0522369dcf9295a87e57cc671367831f8ab147caf2b5b9d4d3b8a7b36e1772a900ea34d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
50KB

MD5
e1a8b86a5386f3c0d49f565d556e187e

SHA1
62f5b11b8a5ee933c33c2a6490dd7fee0f9a056b

SHA256
38680ecd7e2a34955bff772ff1b5a42a2c35dbbb6843e5bccc067c47bae5f4da

SHA512
54cffe356b6978341b7ac4189e3083e174eda97449cd31c11a1753bc96a2b09d70db48b85995e9c622444b8d364b8e15c89a7b0cb93fedae6f74266dffda94eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
33KB

MD5
67514d83474feecab3736acf471929a1

SHA1
8c6d3fc13b76a60b7b138c1353b255d4b7f60025

SHA256
5ec2b6bc77cc0c3dbcf5f94c6f523c9df8a5415feda23cda3bed37d027c4d47f

SHA512
9cca44b38b073694303431d4579868e264d519dfc385a4b6f809815b9e02892e1858bb91f3d1f9550ad16578e21198b5008f1b3f1655f2fde4dc46e8a2c30d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
143KB

MD5
f8faac82641a0ab2c9ba7b606ea4e3fe

SHA1
6783bfb16b603908df2505dcede68d024b1c9c6a

SHA256
370b6157ab1af2b870260e378ff846564e74d088dfe8225325da2578a04bff35

SHA512
555ef64a2868b8dd42b2a5bb3f41d629a4a2edff2c09e6864904d1cc34f5ac0624b68d4c4526b75c75f7c1d1fe46b72c2716726bda91b8c0c5d5d88c585590e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
92KB

MD5
6fcbd86e1d4fa2293fc5830a23bd3822

SHA1
4f7d1bb49f4acbc15eac190b99af05eb66d24865

SHA256
0afe9c9fc1a72aaf0854702f6eec5e8d81d6b945f6fc25e85a7050285d832749

SHA512
2d17659b1b6b8d4725317e8fc9ef5fdb555c8ba48d245d650aff4954a86f1ea3c5ce97627c692dbe2239179c83201fbdd788eb3f93e8d122dbe57fd0e541d146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
19KB

MD5
d546a874d6488dc7b2abd0843b4d02b2

SHA1
abc38412c078bb9ab9ff9757aeefa67a19ff2501

SHA256
c243c2a98c75631185c8d04ecfffc2765b0d3e3516c3ee7e2cd8d2b67660cf5e

SHA512
13c7bde4df056340a345dbf1473a01308fd2786be7a384411814afa8f005d34d2ea979a24cb2d7821b5bd928841ffc3c00944500a55c2f0934155ba786ae9c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

Filesize
64KB

MD5
d84862513956cbe61aeb4ebbfdd3355a

SHA1
14ab269df17cb0333b1556ce120d587324479f6b

SHA256
a18b26912ab9e034923cc64fbfdb59d682500f2c556456930e480b6bd69e33b5

SHA512
d04ca96d72595f1e291a6ce96f092c1707064800103cde733512a186c1b22e089b63690a0c53965c97248dd782731b22fa2d27b8ee3ae112647382f1c06d1a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
29KB

MD5
506765c5708d241a89dfe7b139731e42

SHA1
150e865914568a0f2deca646fb2670b210435563

SHA256
521f1aa84dacf998911e1874ece5d240f4d2cbd71fb7d6eb3ef9b805b2a91aee

SHA512
04d0a03bda24792c584be4c87fc35c5877f832356335cb399448ecb6a5171daaee2f5c6d2f3ca41fab87f4d41831aa3dd843bdfdbe6d4eb39db6bc58541aae7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009e

Filesize
4.3MB

MD5
2e4662a3a9fac346fedb3a3040727a3c

SHA1
8247bb4b55578ab650ce29645d98b63c66c4b858

SHA256
de33c9f9b5657df6f703f34fe58309749571acfc66997e37f3e77dcde6996609

SHA512
fb908f4f50fc7c522169504f0fd8ed5b734fe65b5fa57e378516540ac75e8d4a0d77a2931a7e49850dd61e150345e5bd1d2059f72e8348d3b261f24eee042616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
a57423ceb6a62ecf1ba44b154e0a3b09

SHA1
4ce737831618a08ea3de84b0adab6c2e209a9905

SHA256
681a2b890c13e0e722528f97a1551e8b33e3ca8bb2500144b8fe3abbcfcd71c9

SHA512
cba5a4c4ac67a9cfdbbb035f6e122f3a36a69873f93b49f3e39efb7b50ae0b8dfedf007b746d3b544c48ad68dd3d501cd90de874826c52e2cc1f7f00e10ce8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
a1689d7606deaef2f5e849727a99448d

SHA1
3f594ea5b2f68d1ffe7fb55da6d0b7c3315cda2f

SHA256
93e784a98eb05e81fa94671e74b02bb6d87b941cb92b013ecdecba3334296731

SHA512
381cb18b322abb7bb46a7694e68949753ea7277e55357a9d6dac21c54141432d64b14d2c403ab2ec1c976b577edec1078e40c1e962c47daf62036df549d7d194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9564b6ccbd8bf0ebad79f30301871e05

SHA1
4366a70ce1776f29dc5ee0b50a4a9d1d4748774a

SHA256
f14f32c94a07d6ae9ff752a95582a41ee2dbe6a93e3f875170efe4322b65f4dd

SHA512
461b8a5b0471443d3696aa9ed37350634d808a32bdda5533b4fce996498d6b4f4def24af7af03ba287ec0e61dd4088bee39c92270458e4ba07a1444333178939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
be2fe856779deccc453796c2dd8ebb3b

SHA1
6bf05562e646730e74d373d9ad79ee86fd1f1ebc

SHA256
04ab32ae5f08c7e9f827ef9c0164f6a4a43206fb8582d8d7da96f0de77c3a337

SHA512
ee53863a87dcdebfc0cc7f1b65279cfd9bc07373c8c63b72ef42289294670fd393ddaad551c26d98944cc4c54acbdfbfa082fd7c8a6a67a9ec5f119a19aadb14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
99cdfcac967df16bd07c4fbeabbf3bae

SHA1
4502c754b4f65f17f34e39e3b4e2182c6c9537a1

SHA256
9f642b082a00bc937736ed1788e058596da4b221502357499fd1123ecb9b83fe

SHA512
7ab99d96cf42f98cbade683b6d58ca74933c05b294318fdbad9ccf4e66bae4d67b06a9161181167d8aff4b77d6437ac0ac3001d6dca5e2a3e68e67d259169d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
95ddfaad37f41b554e4d4bc3dbb96cc5

SHA1
768dc44c2168f3798a63156ca7d4d4e9a0706605

SHA256
dc7e234b2a250b52430f347b333251af1d12092c9d52572dfe679648ff25328f

SHA512
c9af3fd20f537bcd5ae9335a8ec407688dee73e269301e139d24ea9a3b48ca9d7245b0f3fb1a61ed82726d40d287d5a19e14380be8def6ac73f83f82ddf24844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
bd802fabb99e8ae8f953644d1d41c82a

SHA1
30430211c9364ee2a6d6535ab8688b95436d7fe0

SHA256
b7ce8f47f95f01e6e74eec5445b153cefb45cc0f7ae8de1a4c5f8bbd9bfcae84

SHA512
659e8c5da0c36da1257bf9f8dfbda65f468a94091463d1809afd82e1e6fd60b6e3cf66546f49feed8085ca99444cb6ca83e10bdb2164dee48a35937c7046247c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a167cd604f3db12e2d2cef0aba17878e

SHA1
62f5c2994652d64bb140c9dec73f78c430effbc9

SHA256
ab1f63e08441e9fc9dad32cd0de413cc8691af1fa62a172d1259427d9316db9c

SHA512
05416d538cbccdc5dd6a1c2c8a154a052654c61886b3ac123a53e649430381b27080a692e71962abca57f7f18cc935c1c642704dc3e1f2149f6fde83394e1efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
63e05ef3d4d43bb6d84f2b0c0731df13

SHA1
708c2c55d67f705c69359aaadc89b658342c719b

SHA256
7343f51c7153f9dee6864b498fb734a779fc2d01b9169852c19aca9978cd1f29

SHA512
4211d142ad52052b79ed3d7050e611a888803cf6026c944f5f90216e37a1d4fa70a404cff801d89ef171bbf4134ca06b5b93a04543a2f00d5b2ebff8c614eece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
95303fbaf5c9625d5c57e1b1da152bbf

SHA1
cfb0c116e0687f36b642ae4692e0d9a52d448755

SHA256
4541536c8ae34f0fe140b2d2e0e4a64468972b9acafa4e3c294802a4bc5b8b2d

SHA512
fadffaf231a02fedb84bc3a44636805c403e702494acc3548661a5b7a4a3f960470aa6d492960e8398f2cf4c17e999f7b4de57f9504e5680182d7bea0d8d27c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
849c3df3ed82e65b0e262e52328aa2ea

SHA1
9cfb75ddf657320ed435f0dd4580ea5efd8ac96b

SHA256
193ce1b88a48e384afe0e3b423b88bcbdf6acf22adde591fd2b3ed7077b348de

SHA512
b3454b0ce3812760594c0be6478a22559bed2f15636efe389de3496617342db19a717328a7e888b0f0c5ed0f3794bd524793372ff7c5983e01089723ece9f637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
e0a38f82f7f4540fd146959cb5779ee6

SHA1
29ec594357a5cc2211e6620dc9b3a800b75dff9b

SHA256
35f3a18b6f45674bd93a6cd10bf10a6508fe2840bf517a0856c20def52bc0e81

SHA512
97c70ec1d61938e85abb2c043faaf13db8d11bf0e248511c332eb3e77a13599a67fa5ade3f5429546d49b20a1d0ad729b08234faf5bcb8ada7ae4d8fda4b4cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_getfreecrack.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
315B

MD5
f14cf1a88a749f7335fb5216addc2771

SHA1
24ad3386e1cbc7d189f89142829d5d8978fe38ae

SHA256
b163b8738c51f72a3fee4124d4b2cefe7786769d3c5b75a3fa5f34b06dc3b629

SHA512
9196710ac7baee90bba6dfadb7130dc905588d92e480f4546ef6b9edfaa9e12bae6f01c6c1541386fe589eff3089dbe6ed73978bdaccbf2f03811dad86ba5064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
e3a75fd0d3fb35c8e1e21802700961db

SHA1
fd4320943e8688dab05ae33ba8aa99f355331a5b

SHA256
43547c2b3c1b124e60266fc7022c68d855bc5d334c695e5ec25030e13c46234f

SHA512
cc47f25afbbbb8c696c8f324474a33c5960463b1267e50aa94d9d5754d06496de73d98fead3ed05705068e79aeb4a8cbc5276cba70956afd6cb8433b071e2acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
e95f13806ad73f0f4683986f01eafb11

SHA1
fd90507846a269a9965a624dead3c7ae0d4118e1

SHA256
2198b5aa0a91fa19d364aa734bf94d6bb4c0aeb88952031a44cc8753a3f34d6e

SHA512
ffd61fe1ea4951b05ebfe608e1d04163fa6fb04187fc10ace45c68faea137d9d0f0d7efad5dd51e2dededd3d28d4a5eac4312de5997fff74d1ace8d4ee9a90db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
92ebe8134e78be758559a8b8271efedf

SHA1
0be9927e8c4764317f4291a1e02141340adeca09

SHA256
ecaf8d1ce09946392331b01ac75b426a0b81e8490ffe1c3f0abf288a6ccec339

SHA512
63fe4ca69fef2bc4ae6453c7a8ec078f5fc0f77d7091040d020ce3b216b5884803b876549bdf92f2b29377147d6b6b0602153c50f649e1de32bd1f3f824f64c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e7cbcd7fba79751341712aa8835112fe

SHA1
e6c62680536bf33f84c802513c0ec6749600856e

SHA256
1e662d1b980124253e45c99205a338cc2e21b1b48a69ea2d13b321de4ccd56d7

SHA512
3ee7894b4a9de682672d4b23dc131371bcb546baaabfc8eecb051355c5445320e74d4dd1353babe4b3185df6844fac9359ed8b0ab022af81c8f910940c98b4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
b3310358cfd9dc8638c16dbcdc2e107a

SHA1
109b16dfc882ae25b3d7818ec8e0d23864ce6990

SHA256
4b68a7972b5373878edff1d2f041e35f29085afd305df5562eac5fcaddb9535c

SHA512
d512a6d00be06a14ba12cc22b91d6d78638b142b62a479ca7d6b17f8c29c4d1a292c5239fc926bb50d108ffcae0646c29a50a2d4ded36f50eecc03441b853978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
34ccf861b6b167f5700cab1a48b261fc

SHA1
5ef07b0dd4fa92fa06cd989dec3bbd150476a86d

SHA256
b5e19fa644d20b58859acbe0af82909d817b898f1906f4de3eaef2633b0e8874

SHA512
a3245034f3ed2d37b2412f51de87a51f15b20a27479bebb89878173787e96c59a15aaa6c446d25ed9539e84ad5e07cc348a0c080794b19f75773210323829639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a49557acbbcc2328d32731192113c2f

SHA1
2c5bb5077261975d0e643c7fb71ec10e315b9509

SHA256
6999a11b317d73e345fbbf773c6c82f1da5c16b1bc3ef5bb65af9b01deaf4c11

SHA512
9f7e9a2675a127777b5f5d5e09669718a2bfc1039f433f82abd6dd10671801e8a41f346380674c0652bf73c6aea9029ce24a57af5ed6600ad641ad1154f4384a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eebfd9d4757cb0de68d57aa797a1e2e0

SHA1
86dae13a4a708b2b06b1d232c417aae9f71407b8

SHA256
aa5cfdd692c2f78608a416c933b9ce75ec8c1353259be75f1db42e4820dcda65

SHA512
7cc93760ef5292195c48efb0e5157ffd4eaa08e271e88af23862b99716f3e7f5f21e7ea4124210448ffabba3a630b228ffaa8751bfc5530f2dc04f07dc4157e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a8517a5c374ebb453ce6ff0077492de5

SHA1
f13319f1efc0f6950c3b8901d5dd514c36ed319a

SHA256
740e0ebd2be7ee66f5b5accee8a45840fb56fe0e669b193cb4b899dc3c51d047

SHA512
b32ba1200abd20c2dc4564e12c1b052054f166043d4a17d284d82c96a94efa44725d595c8ec17760202bfbeac4b01480fb8480db565283a224268f870ac49b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
839c0e50b04c1063391e576deb8b4e38

SHA1
cf7ee32ca6032dbb019e8359cad57f5ff6352dcf

SHA256
dc045f3e00c4a44925d594abd7b1b5ddbea5101a13727dd92c76270a2bd07a89

SHA512
f5835c3a1a0135512825ea4226ac049358bec368978f9cf8869bf97153606ffa9e9169f2c39eb34299870bd75c8e7b8e8cba08a64cc6657f99a73b38ef6beb35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
adb28a3bda6e25e758d075e655b57c6a

SHA1
6b4b12a14a1f1cc5fb153791035f33357a87b809

SHA256
f709f9151b7ce19a64b80d3686d726461f136bde0199a93cfdeaef114151c8eb

SHA512
8af7983124b05f34e3c622563eb258c8ca710e15602c1d8f3d2dac6f2bb98c508ffab4a706e7876399bb1f35d68f47fdc48a1124e921a5e0f633d9df4ffea67d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b30dd4302c6a19351bbd10e5cbeb7ad3

SHA1
dae5104b2468118f94559af0f4c83a9a550b276e

SHA256
46bac48dce382ea61a22c8b97dd3b7a69ba2c8dbf72d7966338ba793b89067c2

SHA512
c7b5495e69708ccb681d5abcf2c3fef4fbb11179e1929ced504eb5ee60e1bb165df6767cd769d58227e726c7800616724817ec88e89ed48e58af2b669c633ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ef8c952f114f281befc1224de20d6e85

SHA1
5c51857268cf54f289185379194d85e54073b6c2

SHA256
09cfb7241773c9e3dde5fbd6606f1df6acefe4f52209cc6cb4d11f5be97a5cb0

SHA512
7093e056062b25a8c1a21ec8a0ca5cbce5266c68afbba80870d509f422d69324fd83d65651afc40b2aeab4c74cb5fd44a03801e8432d4305286addcae18e0b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ec02e64486261b432d330c87d6d4fe69

SHA1
2c35c97d808b6acb164ba0213b80a05f847c4dd8

SHA256
6d2dbbbf08053715e41b45ab678ac2c127800ad948cc2bcc1742d20abb1afad9

SHA512
edde45acbb5f2490977bb491393335f0ad13be2e2c4bf78ed4b31c7e8b2affb47958ff44547efeac88e9a0d839038b37aa445af7c1bafa2ed350e9fa07335cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
8b762e730c4b3b7aaae74cda6efd3eac

SHA1
687cd894d883328f55b45feff192532eeb8005cb

SHA256
1779461ec8d5554cc07d6d1354fa4df0af6329595603f24b247bd7b00f126b43

SHA512
ffdc39f2a55c56a64776a91751c27e1a534e7ebea08de7841d158adfba59f31cae818320d820c09ccdbb5db81697acb62196fa57064c698a1ddc5daa9689f4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0255e0e145cef09df70555211b525b12

SHA1
790c32d8eba8fad7d99e3a678f5eb32541782fe9

SHA256
531aba9c57318df5183ef8eff77f3ff02ec2593bba2e4c91652d90da9084187f

SHA512
679fa5aaadf946f6d9da49e138d1575f536205e3e88fa2cf84e381810de647cd8cb0accb813552c951b1e7373f2695ff4026692a5c8ecf7f551e7e730757cd46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
224ebb874182cdb7aed3c47181d2ddff

SHA1
9b135c04a06be968d997c1236e955148ce026d78

SHA256
4210c7b5f385e74241149e41bde5a2ec95b873a8d59d17d7b7c01e89a798d6f1

SHA512
6245af886cc7a767da528d04b0ef6758aa01a32e2dc818598273305da497a8891bf7126ffe814b0e90c2cefc81d5194a2c9dd29c37ff741d16b1481655ecee0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f043cd1ae2fc80b31ba6c66c48f5fd3

SHA1
1ea8613fb5f2adea3b6da86d9546e980427dd62e

SHA256
653b67d3b46732edd5e56c50842445fff41bd77465753aed45d20087af879267

SHA512
71f165928e095fc73fc98fe48d708ed3e44dee51df7f62458724add3c5c2711252e463ea433296ef1dcaef5b18904cb8b4b93b085727d96e95e80239db69b16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
2944a7bf59e51c038e1d20f523ec78fe

SHA1
a8209353a5f804696feec96c5f58513c0b3257af

SHA256
6ee4909ec8e0f2c590b3ffe932ddfc5864ff3187489fce24a646296e0493dd0f

SHA512
b1add7feba80efce826851be3956aa97adbae3af1745a4e2f5473e6eb97c8f0e753eb1a36309219845201e43537f4666cafdc47f0d8b3fd33ff84483af349032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
45ebb69ad1272326beef5aa857a1bc44

SHA1
9e696b06005f01275f534f20c62209f76cd49b92

SHA256
b8cadf8d996aa47f6113fe916bdb5aa2aeb64631dcf29a72afd8960f6784bb1f

SHA512
dc2d3a2dea22109524d2b9732f60d354703658f4c65b6b5d444b9f73d25bad442e017616670cf1bc42be04c9a83593b3ceaacdeaa64b7b2ad6d3eb675f85d00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e7554b43dd68665e53ad5db821f074cd

SHA1
86e1408e984f49c8d126cc7ff28977c275590029

SHA256
b464336728be2734657c4f1c881a4c9131f33d0003e5e89dac5dab450bcf5349

SHA512
65e13c37bd3352d486c1e94d5ac63c17bf239a6ca39f4c263edc5fc4149875ccacdc3af056073802cbac7ea8f022326ba0f33612e912ad22d27b34d9da137e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
00eca18b7a6c4d4fa60d9d2fe9f86ad2

SHA1
840288af1884865ec46ae322a9ba125af87d29c3

SHA256
bcd75c1079e4b13c637a1ba973c33e9a89cb3045592cdc4d0509af8c168ed9f2

SHA512
d9d08126435704e6a2835aafc418b3d5035f4b3dfe820167fcb598e5389206509bb4e991ba2dc11f86b6cf96f2bbb2fb59920cae5d70676c2031ef3601fe0e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e9817b7b94c7c1c09d0f60cf06a498eb

SHA1
0ff20adf0a3b39075b1c0b602031a91967e6b1b5

SHA256
073bb31cdd97c2c7c1a3605fcb42af2b4c025a8bcec69b618ddd46fb48d4b595

SHA512
913e9110842324041d7ae668d59f264d61f6c2f207c3bfbd53e1495280e45a5163c5a273a00dd219c9327bb4e58719220a6b6c7af1e6aeee5d1afe6938b57ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
8f0aa612d8edf7fec429c93544707288

SHA1
91fd5e842e238c0f4334cd87a55486055c3c9882

SHA256
11710eb761a4964c94ad3c2dd97e6092556a6dbe89bcf505a6c08ff809e65887

SHA512
f631a2e0bb40e36ea9336828c28e8e333400e4dbc3c65ccada9b4db795452d05a723bb06e63225424ff9f3f99c94a31d14cde88d5bf482ab51dd3e3b652f2343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
149804aba26c8f498fd936628b608f48

SHA1
2431d0bdbf5bc893643472dfbb930afe2cbeb025

SHA256
ee36c2ab22b0ab24c33e11f83ff5bd10f9e634737b70087fd9f32d343556d0a7

SHA512
df5fb84c4b17bb00fbb5d3fb01b9541fbb975bd269b924a0b663498a0740ff015eb752483f438b8700050b0fc6d06fc1026ece5b76dd2f818855497270fbd5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
ad81bfef38fa7b6100fad527e9514901

SHA1
6ad6d9346c59bb0cf7619ad7204270ab2a4dea7c

SHA256
2e79595c80cacb2da173116beba62364683a84b98e1d774579cbce44dba415ab

SHA512
4eefbebc5449499def4f6c0f52478f9b9da474f4de126e1b750b16328ccd082792c3dc2e796fb7de58414df62bfb1e507cf828aee84c43449fa604c57d46ef05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3979684ba2619eff5cbf03da84e6c35e

SHA1
d96bbce1f14fe245bef9738a95fa7b66cf5b289b

SHA256
c39b62616c5f763fb445b86ec88b8cd2c5bea5bdfc0f4113e1216bf1a91fc03b

SHA512
0de4d6bbbc3603ea4629e7afc0688c78a11a201422da35332d97d165031198f974d3f106ff7ed40854b8ed0efc9c04c4a51d7acfdf628d4bb5c73128bc4d1b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9d566829693377a00a10af017c2b8cd5

SHA1
8b151208ce454da87cca3aed79e00279fcfbbae6

SHA256
4f8505cdfef86b63f356b1ca886deec0574dc709c5ea8b7c511de03313f1ab4a

SHA512
669604ae627833b31a6069bae1a164bc800d9eac1c2861eeb66014b93447b57c1dcb7a7594510f667016e93f682ff19096ec1230317c5130b789acdda3d2ee1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
164235dbffd0b3cb507c87cc30fd0621

SHA1
531b1964864c1dcd9dc8bb7dd49f41e63731f2cd

SHA256
16713b3a7373036f1e2b9dcb60b38c99809adcac59ee6eddc4f8927efe2a1123

SHA512
e881570c3c1fb549567070aa2070ed745d8e1eed769331eb09d2bb194dddd42926df766043d0bbbd6676897d19c60c5216c514a77b0756bb17e2d89316dc1ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
a4e17e486d55c6fb15913fcca4a7699b

SHA1
e69f80ace16a64f30878f6435e38a9c10e898ac0

SHA256
1d90e52d2de13d5a83cb2849d0a0ce7cfd227485b9c4406f909dcf63aee4add3

SHA512
eb9a03db90ad613f78e23cdf4ea7a56098b169d479c8e48451922be4868a2f3fb4fe288e66505bdbbca0827f3595611498c8548eb3bba5e329069dc6f8276cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3fb33b1afcff214aaedc6861b5a2f079

SHA1
b1864ba6dea538bfe70acc6033b326f9baa4efb2

SHA256
d335db2d0375f32334ff32b0ebc92438e2ab033f7a4a61818e83e61fb2dd61f3

SHA512
3bd45519c9c19ba833c421f30b6adcbdd5a930fe97de0675774d9ae087571776eba0d24060d6dcae059709f76db83ac4ed0ce28112942c7d99522959f89672e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b3a5d73727ba98a421e2fcbade1ca1a6

SHA1
90c3c5308139ebe45b216fb0e75ed537a77539b2

SHA256
df475cb94d0f52ed41b94d5eadd0537606e53a45de7dce582a3348c83eaaba2d

SHA512
4db21d1873cfc340e32f55361ad9ea15e2b037b53f74ac79768bb28d7b43c7906b1b902000defd3eace82803d529829dd643050f8d7e7877a829307c1ae25012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7b671bd5461f174537adb2ffc13a7da2

SHA1
42b3f135b6986ada5d7f2dc425ab1b43e700d8fc

SHA256
80c6ffe1b9cee61c540420cf54534159064d097ffcf12fb0da7733aaa1dae69b

SHA512
1298a00206e6495d9ab3dc3c28d39113f4feb7d354eb73e3bc9a610e76e404e81d71dee0cbe6bbfe31733483eb84244e5a21f6cc1e14738db7514e0d0afd11d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
565a40a48598592bd687a2176b7755ec

SHA1
b0304eeeb5fc762578150d3e22cf9ca3c6403ee6

SHA256
8ef0f745b4c26a1ea2599c81c79e5377c73bac50d14c0e05d55e7e9664c3b3a8

SHA512
63e19d6ef6912b24fb721c60d1c7000b6191c3b2052ad4773d09dd4a884c1eaede030e76bee4c0386265ff0fadcec6ccca2a41c3c5f48832ee3aee319e547ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6feb47efa74392bd2de266da76196000

SHA1
8cdbf01132913eaf2ff0fea8e77219296694aa76

SHA256
511ed655b1d57cd475816de7722921145c4f7c01fed044749700e87157a9d11e

SHA512
a56f74aa15879d57944d928a567936413afe7c1a801e5119596a24165b33b50e9ddd7192dbfc2d16f304fc8f0ea120e602f92b42492b2af33d6322d364bb88d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c5f6b342ce45f23b4b95cd55a4ae7088

SHA1
193d832ea1ceadfbc9ea3cf2e329958e4fcb1aa3

SHA256
181c3358fcc342dd8d9e3452f11f92fd0f8541914d1b02487b5f65517c45648e

SHA512
88ab8a52f34bdbcab4ff3ba60f534b450a24c99f3509d5b2db63a300441864130feda610b100746769cb9b227f371953ddc972cd98bd4298123902119cb9ebb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
a96088062664e2421e55405c5e8d5c66

SHA1
85e9d32a208cf94ca1af09765114574bc5e43cb7

SHA256
2fcde76384adcdddd96376415c679673f96cbf83d12e0fef6f0af3acbf94d605

SHA512
c6733c5f5683e81d02d4718febc502a366760d4f4f898bb12fde5f42522197fc377cfdb9212ebb782a854e0fba12ef55dce53f10929de6aeb3117d9a437dddeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578bc5.TMP

Filesize
370B

MD5
358a8c48070c51555ae1ffca4d10c9dd

SHA1
69371046b92d9bb3f04a0d22c543a44a55cd5618

SHA256
a2580ee8441efaa8631d6964e573f8456e89f6a77e66c8d7cc7a5fc1adff7e93

SHA512
8b6adf53ecc8a1b91506d488978f3d9a51972130d843ba9fa4aa6d1ab8d206be2064aee29005d026bacab8e6079b717ca619af17e3ebc688e508910bb156cecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9e29425d69ba71c7410b35a5aa534629

SHA1
6cb65e7a4b87e70f9ebd708122b0701aafa5cbb2

SHA256
84a6e76c615b39e9a6ea1054edcc6ffc860f995dad49b622c8f88280bcf2fad3

SHA512
1eef8b99af88685bcacd03d65db28ae25f83d0b030a063606cedcaa4d8ef23fbd3adc53725c198fa139ad61ea66a2eb723a4e152078cae9050d4c2b062912c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c9b7a5b190619467864e37ee02cb7dde

SHA1
d230054bb195e21601d3bead8f006522d41eb2c8

SHA256
f917b84cdd570f1b23064a888ddb0c6a1b3b358a1c63d331b2c3c4b6bf655d4e

SHA512
e50e6ac45bb346507055ba188f48b96b62d29a20492b812009a4c4b599b6596d9e100e91d0baa50feb6cafbaa4305318f8d7bb97a9400574ae923794ad98931e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ef4e3d9d289d570adb7a10be580ebf6f

SHA1
e1b9a35705b3d6353fecae12160eaed8337f1bed

SHA256
b5b674e157a38dff3b330fd5611e9c652def699568d2110cc80a7c47d087ca17

SHA512
294783ae9e5c583dd1fc19af503589327ff9871b598857d38f410c79ec11b0484036b5b30b59c595d9ac4047ad9fdb039cc5fdd7a24d2d49bc70559d5b64e6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
593909a05f4ee742500f75556f36ded9

SHA1
cef699c4b5d9088d328b694f05961380b5622458

SHA256
f872db10c4919f1f24e4750dcb448bd35a990cdbb79d6f20d51f2a8f430e7c00

SHA512
525587a95b41741610fce046ac46c497d7876c913cc06c14531667bbbc68dd6763d089777a6391286cbd08cf32fcdb1505ac29ebc41b8a99e019b47a2be43e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef2a09c303c5d1c7534b1eceec3c208b

SHA1
67f1eabb1a2ba2fe888fb1185909c6dd8feef8b4

SHA256
b998199970b63ac956bf9c960d028d5a529cebb51f70e0cbe6d669a116109bf5

SHA512
bbc43b29549654f988fb6c54c0235afee97aae917ec3bf88d6e8d8b12adf1a45c4dd5e5b47b5de175527fa041983e00d8bf51519b4899f15ba34bdd585bc5178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cb6ebab4249e4afc46bfec1d5c768229

SHA1
a0b02855f440bfb4b76346af8e39073583816a1e

SHA256
792e61927dc6137717e2cb2f2f82c63775ae68c87b1c964ccce3e869b9dc9fa8

SHA512
f9709f788af033811ff86917303cf53a25ff05441ecaa1354208870a62e0bbb8ed2b2db2d3e3eca899d778d20abddab9a1b03ae524bab1320f12fed9627b38df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
176b9729c4e84b0de4b3966ab52dc899

SHA1
02c7ade759e54740b155107b275ceda45e7f0938

SHA256
56aecfed5428967b4bceea9b6c70bed2e06b751c404fe3efd47023a1070e5f1e

SHA512
bcffd32440e906e674a005180ff32c440d6fd04bb0a35965156c32b7d84dead94d5d0c33dac8cfd9126e24a476bf716064a30dcad6ea652315c6564918917caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\1EAD4634-6222-4503-B605-9FFD9E35C050

Filesize
1KB

MD5
85ad173999ed440af6120f3b4fd436fa

SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3

SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\3FFB3F35-24F5-48EF-9836-00A0F9BA7550

Filesize
397B

MD5
2f82426450332b558a61ae9ca551abd9

SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
ecee682f34fffbd133bc32bbe5a70388

SHA1
3068d9b51b3c86fe1e294453ebd3d4cd00f0916c

SHA256
9943a3c71d71ad6d021ec1b34459d88ee6caf680ad7c50e65649781521d0f3ab

SHA512
cecb17569b2ef7fd3f26e04453fcc3a97ee8deb77dcc568be454e8d3988003c180b15f1fce9c47dba7ec499b6e2e69332c2e23542a20d36bf078bb66c8990078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9f518bd49f52a8006af85bdb7bba8c95

SHA1
1cfa911178c3ec371a2d9b20e27faf08a3ad692e

SHA256
e3125b463da7c875f3d44012e632d83743ef46ef0d76b2898cbf1b5b3af32405

SHA512
b613a3e3264b117aba8a693f72dc8920858f135f93aec24ae06637bd7fcef6dbd3eca47cd11bd9d288553eefccfa260778a9fb843b5a298063b1b3c7d192df93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c636f86eb252af7fa7945f8bbdd2c493

SHA1
f20c0a1ebca88ca70fac182686e339dcf79ecde9

SHA256
64bc81e335201be1c07a2a2f222408c34a516931caec61b07730b40a2aef939b

SHA512
1110ceaf798c96140bc16eba88260194ff836c6cf9157cac7243a8ae4b5993fc833190242fe2a8905e65b205afb1717187f86d0fd3fbf55a6b9000bad1532467

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU4204_Debug.txt

Filesize
1KB

MD5
15c714d9c89ab293853d6665e43904c4

SHA1
12466788a65c7ba7c60de2acb18bda4231fa8da1

SHA256
1b32ef552743a45a2ae62e6d657179b216e4e7e6e179946c0fb51b4cc137ad46

SHA512
0c95b5685b98dc305cbaa40fb698aae63b6675631b8e025454de756a429b65482df5b62f926e0656099d368194cfa97585fa1c8212b7b749b3cd397c160eb6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU4204_Debug.txt

Filesize
2KB

MD5
d0a640c65c42d9eda4ea81aa67908eb6

SHA1
3726fa59645f8d3680ab72dfc55d2c9a727bcd01

SHA256
29a68db653aaf435f1fc895e7e9b02eb4b4cdf6e74ee612d04093228b162478d

SHA512
2a85a5eec2682d52f40228d8325a3958140583ea51cb3819fdb6c1062f5300abe7fcc68f721f9aa160f262f90cacbcbf6a9c0a0fe26f57063abbe30a62455a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU4204_Debug.txt

Filesize
2KB

MD5
fa7a3ebf655d8d7842e102e4e8114f50

SHA1
a6bb7860c0882fa45c7657ecfe223fa6b5773cde

SHA256
7bc41c30d5cfda0083e97f846ec12664c2396f0b92cb925dfb77568f11714f87

SHA512
55a17fb756fdc6bd3bde60e5ee1faa8ecaa20ac60b695fa7c2bd9ed638e2f96cf90b68a80070157e6868edafed7a1ff3dcb40d202e2a79166460b13f6aa56b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU4204_Debug.txt

Filesize
4KB

MD5
ef44c9eb23a27f5c61133ea8d76b490a

SHA1
12c989e9c4add951573659a5ec7b0a4f49cc7a0f

SHA256
a97149e838603f22352be24bbf59c79580bb3c5488ba7a735907c018ea5e4719

SHA512
81d336df5c1a6536576b899d727b090d5681b220f3d8ca06bc2f479ef6a73d313a5a0591a485215e9636a11259a930c8837d708c9b540ae409e5fa6beb123731

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dygf5gfq.0yv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_temp_heu168yyds\files.7z

Filesize
1.4MB

MD5
c7926c9b1dfe047575916f8016f36555

SHA1
88f149b25d40e4d124c45bef48a82d69fc5e7e34

SHA256
c02c302c2f9861b4120664ad32b74280a5f13dae54735ad858691837aa496888

SHA512
68e2efe32be775eff0c6c949ac5f3770be1ac9a5baabd85b73e6e0d987b4b593329d829a6cdd111379637adc81caf1cdc542d43c420c102405c239ee85cf9ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBB7B.tmp

Filesize
2.0MB

MD5
5b60373004017288d406050d29c812db

SHA1
6525558ade191174be0a149d8824db7d294731b6

SHA256
e226d7824b07f671abbe03e14ca75506bfe27e06a835611169541b0fc8116f9b

SHA512
047da5e0cb5c3c6d41469dc51bdcd3c7c2c887a743aa287280a2d3f596716a571ddd12390febacbce144151dae7799fd51226768df4cf4d2528c3af0dcb9729e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temD43E.tmp

Filesize
230B

MD5
62bb58da510ecb05194b2199ef7889ef

SHA1
8f0e4f6d9776cbde466a6f4b51f6b43a22b5af1f

SHA256
33d3fe617709057bdf5feec1df85a1f6ea33f2e2443c0f10a7819a78bb3abf31

SHA512
9a07668211c476e10636ee7f6f2cab9435e73a3c07b2e5ba54ab9fec28ae71c47c16a798a9e0733c6eb08d7e620806b2ef624fa984675a9aaa4bfbe574cae65d

Download Submit
C:\Users\Admin\AppData\Local\Win_and_Office_Mini_KMS_A\Mini_KMS_Activator_Ultima_Url_0ib4gzajrnislnh4ynhjc5qsq2gneg0c\2.0.0.0\5qt2z2hp.newcfg

Filesize
903B

MD5
272b8540c442f614b6d604262df0801e

SHA1
39d30c865ebe1a3be80d128ca914cf279871d805

SHA256
eb9750eb68ef0bcdec8e974f31947913a1d74fe35c9d781e19b7fdf104384b9f

SHA512
1156a3b71b5a6a3b6b6dcc19630871702c2ffa51c7eda209d571f13ace234d557e2c889ad62c3972b17fe9d336fab818b4f7ca7ceefc696e49df17e9b2a34c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f0953632831cf3e585d205952e306e1d

SHA1
f2bdc98e60fd38b040b1d683bd4ca5c148b7470f

SHA256
b50657f48457a4ea7e95f84c3027e3b37b6536e78eaa80fd304a7c51356040f8

SHA512
67bd26ada26bd931c60b982d31fafb4cc03481b3d2037f95856ee44e395cd7ca2ec477a6b55fa31ead902b1bccb0635ca0f8653496e8d04a4ff433f1a3424db2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
653bc8daa6dc9132712292f386ed71e5

SHA1
7475bab3c50f8c75bc06ae939fb97891d7283c30

SHA256
4a70559ca176829c91dcb45a9fbf4aa846a5214ce54800e4952ab11186623366

SHA512
6b8efe6774dea12988fb3bffe5b5fa9b9e150c751c6e48b7a8eb9dc747ab363b8cacfbd4f54cd77a7e02624a210809406c8ad645b88f2387db88245bc4f22de9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
33857b99cdc06d33cd6cdd8a9da7ec46

SHA1
9d9a8030ba2b5a873f40e56a8fb657185eae305c

SHA256
9bd50d565ce06bf619023fbd56a8f75a5329a3c0e04eac73ab82a97fdf9a9bff

SHA512
183baf0ad7a629a72902531988aa0fa0d191b9c27193c0510c7c2e2cf27ed5ff9885e1745c84429e565b78dd976f93b07f63a52860f9c4a435600294d77dd628

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
1881b6d8f42d5c14e8442edf41936c0f

SHA1
243c025c2786edff6259424431b0adeb1ade448e

SHA256
bbbc764950153d1744841ab468f33e7a19c280171907e5b4716a80f685d99c0a

SHA512
fc498733759b0e14472983900b99d976a0e98aee9b988be08a8af8939e78d4719a5ef82c0daf1f9aba03af76712c7cc892354a70d005a8fdde7b02b83fc41edf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 559461.crdownload

Filesize
1.4MB

MD5
a141303fe3fd74208c1c8a1121a7f67d

SHA1
b55c286e80a9e128fbf615da63169162c08aef94

SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

Download Submit
C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\GenuineTicket.xml

Filesize
1KB

MD5
67322dc59033991489c177ce0570bbd0

SHA1
dc5c03fb0a433c94f439f0091de47f87ca66fb70

SHA256
a455613c9a2bff7a0116a96d9b575645a1223d9e30a7c951eec18402c4ed00b8

SHA512
0958137f922fa83d9126697bc57a6a219a2f05dc5e8111e967ee25dfd9f879061c487c361992544cbbc85c24702a4122bc54f149aac4e44237667c3beecd5390

Download Submit
C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\slc.dll

Filesize
7KB

MD5
a3d60be84fb7fc1701f2518ad619bb19

SHA1
4937e478f33a1430a72f17fab2a6220bf9fde413

SHA256
653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321

SHA512
43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce

Download Submit
C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.cmd

Filesize
79B

MD5
8ae3f6a91c93c1ae12f2d60b036ec9a9

SHA1
835414da75a69d1dcd8f325f9bc377ade86e8fef

SHA256
fd4a51b5583c9cc46a03ff482761fa0b43ec9401ac0b8b28ad2bca40d56770d8

SHA512
826eec063de884c49787779dd06af19a2cf17b1a4b958c87ba8a1777f79d8dd735a624fd56461d3234474ddbbcb5d2fb4d8374ff6c9ce814817c5d8f14cdcd16

Download Submit
C:\Users\Admin\Downloads\winactivate-2.0 [FileCR]\winactivate.ps1

Filesize
12KB

MD5
a1141c044daf1ff205d18b5de14c4bab

SHA1
7be846f6e4bd007d2135495d70254b2df03bd931

SHA256
4f9633b554d4a65ccb18e31f30b8df7003d54b354634c89540c7f4df8abed50f

SHA512
a7561088b2e0e398cab86e3fa4b6c521a3a2a079ad0f623088f9e5f0cbe592bf52a821d0bc400ca358dfd90d2cff886ea3c93230a85fb31c6de44134b5211b86

Download Submit
C:\Windows\System32\SECOPatcher.dll

Filesize
5KB

MD5
8959116bca8c2f21b844991fe8f67e76

SHA1
9fdf55b59d9962b082922e43ea7f4fa0bcda6bcb

SHA256
6f55abf2ae175cdd883fb6ba957b5e740e633f07d00a20f053c6fe9f27b27cdd

SHA512
d9aaa585772c6a5f4753def8b943920a1b8b3240a4b1493ef5beeecd92cce4b903d07e3ee097763e15ca37a563b6e5a48e54dc160f345f5a568777cb6601b07a

Download Submit
memory/664-599-0x0000021B661A0000-0x0000021B661B0000-memory.dmp

Filesize
64KB

Download
memory/664-596-0x0000021B661A0000-0x0000021B661B0000-memory.dmp

Filesize
64KB

Download
memory/664-597-0x0000021B661A0000-0x0000021B661B0000-memory.dmp

Filesize
64KB

Download
memory/1136-2814-0x0000000066DC0000-0x0000000066DC5000-memory.dmp

Filesize
20KB

Download
memory/3032-565-0x00000250644C0000-0x00000250644D0000-memory.dmp

Filesize
64KB

Download
memory/3032-572-0x00000250644C0000-0x00000250644D0000-memory.dmp

Filesize
64KB

Download
memory/3032-566-0x00000250644C0000-0x00000250644D0000-memory.dmp

Filesize
64KB

Download
memory/3104-493-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-427-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-425-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-426-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-424-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-428-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-429-0x00007FFF2E540000-0x00007FFF2E550000-memory.dmp

Filesize
64KB

Download
memory/3104-430-0x00007FFF2E540000-0x00007FFF2E550000-memory.dmp

Filesize
64KB

Download
memory/3104-491-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-490-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3104-492-0x00007FFF30810000-0x00007FFF30820000-memory.dmp

Filesize
64KB

Download
memory/3624-1483-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/3624-1487-0x00000000054A0000-0x00000000054F6000-memory.dmp

Filesize
344KB

Download
memory/3624-1482-0x0000000000500000-0x00000000008F4000-memory.dmp

Filesize
4.0MB

Download
memory/3624-1484-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/3624-1485-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/3624-1486-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4400-1469-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4404-567-0x000001A43EB00000-0x000001A43EB10000-memory.dmp

Filesize
64KB

Download
memory/4404-570-0x000001A43EB00000-0x000001A43EB10000-memory.dmp

Filesize
64KB

Download
memory/4404-568-0x000001A43EB00000-0x000001A43EB10000-memory.dmp

Filesize
64KB

Download
memory/4564-2829-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2843-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2825-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2886-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2884-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2870-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2720-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2831-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/4564-2684-0x00007FF629110000-0x00007FF6293D1000-memory.dmp

Filesize
2.8MB

Download
memory/5240-594-0x0000020BE9940000-0x0000020BE9950000-memory.dmp

Filesize
64KB

Download
memory/5240-601-0x0000020BE9940000-0x0000020BE9950000-memory.dmp

Filesize
64KB

Download
memory/5240-595-0x0000020BE9940000-0x0000020BE9950000-memory.dmp

Filesize
64KB

Download
memory/5344-540-0x0000022A7FD10000-0x0000022A7FD3A000-memory.dmp

Filesize
168KB

Download
memory/5344-541-0x0000022A7FD10000-0x0000022A7FD34000-memory.dmp

Filesize
144KB

Download
memory/5344-529-0x0000022A7F5F0000-0x0000022A7F612000-memory.dmp

Filesize
136KB

Download
memory/5488-2813-0x0000000066DC0000-0x0000000066DC5000-memory.dmp

Filesize
20KB

Download
memory/5540-544-0x0000018F1E790000-0x0000018F1E7A0000-memory.dmp

Filesize
64KB

Download
memory/5540-543-0x0000018F1E790000-0x0000018F1E7A0000-memory.dmp

Filesize
64KB

Download
memory/5540-550-0x0000018F1E790000-0x0000018F1E7A0000-memory.dmp

Filesize
64KB

Download
memory/5580-548-0x0000020B96FB0000-0x0000020B96FC0000-memory.dmp

Filesize
64KB

Download
memory/5580-545-0x0000020B96FB0000-0x0000020B96FC0000-memory.dmp

Filesize
64KB

Download
memory/5580-546-0x0000020B96FB0000-0x0000020B96FC0000-memory.dmp

Filesize
64KB

Download
memory/5588-2832-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2685-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2768-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2830-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2865-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2471-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2883-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2828-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5588-2885-0x0000000000AC0000-0x00000000013B1000-memory.dmp

Filesize
8.9MB

Download
memory/5716-1470-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5716-1451-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download