bd0ec067966423f5033330248744c63f8ffc43fe1094215293b971cfa723d5c2

Analysis

max time kernel
153s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skiioh_x_D1_v2.exe
Size

171KB
MD5

9ff1de04e106f0df15712475909ec182
SHA1

54b86e79c27fb0741f9e2fc6382707f2deadac6c
SHA256

bd0ec067966423f5033330248744c63f8ffc43fe1094215293b971cfa723d5c2
SHA512

cb87b62591f257555301cc6587333481fbfbece01a62d6a01d0eb30003eaf3d46dffa1803efc7562b88cb953e2fc7f09569c5fdfb33967ea23eaa08b451519dd
SSDEEP

3072:27DhdC6kzWypvaQ0FxyNTBfprWyzTtP8wrHOsN2Ee4Ew8Urt4+ns8Dh+W:2BlkZvaF4NTBBnTNze9wLuyZNZ

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
83	2300	powershell.exe
85	2300	powershell.exe
88	2300	powershell.exe
121	5432	powershell.exe
122	2868	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe
4840	powershell.exe
5188	powershell.exe
4944	powershell.exe
2300	powershell.exe
1140	powershell.exe
5432	powershell.exe
2868	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
864	choco.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	OneDriveSetup.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2352	powercfg.exe
5280	powercfg.exe
2292	powercfg.exe
4776	reg.exe
6116	reg.exe
4664	powercfg.exe
5212	powercfg.exe
2140	reg.exe
5204	reg.exe
3328	powercfg.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4120	powershell.exe
5280	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skiioh_x_D1_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2284	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4936	timeout.exe
2292	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3508	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER\CURVER	OneDriveSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDriveSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\BannerNotificationHandler.BannerNotificationHandler	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\FileSyncClient.FileSyncClient.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1112	reg.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
4884	powershell.exe
4884	powershell.exe
4840	powershell.exe
4840	powershell.exe
4360	OneDriveSetup.exe
4360	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
3820	OneDriveSetup.exe
2540	msedge.exe
2540	msedge.exe
2648	msedge.exe
2648	msedge.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
1320	msedge.exe
1320	msedge.exe
4104	msedge.exe
4104	msedge.exe
4844	msedge.exe
4844	msedge.exe
5432	powershell.exe
5432	powershell.exe
5432	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
4640	msedge.exe
4640	msedge.exe
3824	msedge.exe
3824	msedge.exe
4300	msedge.exe
4300	msedge.exe
1380	msedge.exe
1380	msedge.exe
2188	msedge.exe
2188	msedge.exe
5188	powershell.exe
5188	powershell.exe
5188	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4364	explorer.exe
3568	explorer.exe
4688	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeIncreaseQuotaPrivilege	4360	OneDriveSetup.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeShutdownPrivilege	4364	explorer.exe
Token: SeCreatePagefilePrivilege	4364	explorer.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
4364	explorer.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
2648	msedge.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
4364	explorer.exe
4364	explorer.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
2648	msedge.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
776	StartMenuExperienceHost.exe
4152	SearchApp.exe
4364	explorer.exe
5376	StartMenuExperienceHost.exe
2816	StartMenuExperienceHost.exe
5184	SearchApp.exe
1760	StartMenuExperienceHost.exe
4712	SearchApp.exe
1776	StartMenuExperienceHost.exe
5888	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4560	4528	Skiioh_x_D1_v2.exe	93
PID 4528 wrote to memory of 4560	4528	Skiioh_x_D1_v2.exe	93
PID 4560 wrote to memory of 872	4560	cmd.exe	94
PID 4560 wrote to memory of 872	4560	cmd.exe	94
PID 4560 wrote to memory of 1548	4560	cmd.exe	95
PID 4560 wrote to memory of 1548	4560	cmd.exe	95
PID 4560 wrote to memory of 1848	4560	cmd.exe	98
PID 4560 wrote to memory of 1848	4560	cmd.exe	98
PID 4560 wrote to memory of 4884	4560	cmd.exe	99
PID 4560 wrote to memory of 4884	4560	cmd.exe	99
PID 4560 wrote to memory of 2160	4560	cmd.exe	101
PID 4560 wrote to memory of 2160	4560	cmd.exe	101
PID 4560 wrote to memory of 4840	4560	cmd.exe	102
PID 4560 wrote to memory of 4840	4560	cmd.exe	102
PID 4560 wrote to memory of 4972	4560	cmd.exe	103
PID 4560 wrote to memory of 4972	4560	cmd.exe	103
PID 4972 wrote to memory of 2292	4972	control.exe	104
PID 4972 wrote to memory of 2292	4972	control.exe	104
PID 4560 wrote to memory of 984	4560	cmd.exe	105
PID 4560 wrote to memory of 984	4560	cmd.exe	105
PID 2292 wrote to memory of 4416	2292	rundll32.exe	106
PID 2292 wrote to memory of 4416	2292	rundll32.exe	106
PID 4560 wrote to memory of 4360	4560	cmd.exe	107
PID 4560 wrote to memory of 4360	4560	cmd.exe	107
PID 4560 wrote to memory of 4360	4560	cmd.exe	107
PID 4360 wrote to memory of 3688	4360	OneDriveSetup.exe	110
PID 4360 wrote to memory of 3688	4360	OneDriveSetup.exe	110
PID 4360 wrote to memory of 3688	4360	OneDriveSetup.exe	110
PID 3820 wrote to memory of 2620	3820	OneDriveSetup.exe	114
PID 3820 wrote to memory of 2620	3820	OneDriveSetup.exe	114
PID 3820 wrote to memory of 2620	3820	OneDriveSetup.exe	114
PID 4560 wrote to memory of 3508	4560	cmd.exe	118
PID 4560 wrote to memory of 3508	4560	cmd.exe	118
PID 4560 wrote to memory of 4936	4560	cmd.exe	119
PID 4560 wrote to memory of 4936	4560	cmd.exe	119
PID 4560 wrote to memory of 1624	4560	cmd.exe	120
PID 4560 wrote to memory of 1624	4560	cmd.exe	120
PID 4560 wrote to memory of 4140	4560	cmd.exe	121
PID 4560 wrote to memory of 4140	4560	cmd.exe	121
PID 4560 wrote to memory of 2308	4560	cmd.exe	122
PID 4560 wrote to memory of 2308	4560	cmd.exe	122
PID 4560 wrote to memory of 2292	4560	cmd.exe	123
PID 4560 wrote to memory of 2292	4560	cmd.exe	123
PID 4560 wrote to memory of 4364	4560	cmd.exe	124
PID 4560 wrote to memory of 4364	4560	cmd.exe	124
PID 4560 wrote to memory of 4480	4560	cmd.exe	125
PID 4560 wrote to memory of 4480	4560	cmd.exe	125
PID 4480 wrote to memory of 3860	4480	msedge.exe	126
PID 4480 wrote to memory of 3860	4480	msedge.exe	126
PID 4560 wrote to memory of 2648	4560	cmd.exe	127
PID 4560 wrote to memory of 2648	4560	cmd.exe	127
PID 2648 wrote to memory of 888	2648	msedge.exe	128
PID 2648 wrote to memory of 888	2648	msedge.exe	128
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130
PID 2648 wrote to memory of 1668	2648	msedge.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2308	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Skiioh_x_D1_v2.exe
"C:\Users\Admin\AppData\Local\Temp\Skiioh_x_D1_v2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B57A.tmp\B57B.tmp\B57C.bat C:\Users\Admin\AppData\Local\Temp\Skiioh_x_D1_v2.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:872
- - C:\Windows\system32\mode.com
    mode 1000
    3⤵
    PID:1548
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:1848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Enable-ComputerRestore -Drive "C:"}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /V "SystemRestorePointCreationFrequency" /T REG_DWORD /D 0 /F
    3⤵
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Checkpoint-Computer -Description "Skiioh's Free Performance Enhancer"}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\System32\SystemPropertiesComputerName.exe
        
        "C:\Windows\System32\SystemPropertiesComputerName.exe"
        5⤵
        
        PID:4416
- - C:\Windows\system32\reg.exe
    Reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:984
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-2392887640-1187051047-2909758433-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:3688
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      4⤵
      Modifies system executable filetype association
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- - C:\Windows\system32\timeout.exe
    timeout /t 2 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4936
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop" /t REG_SZ /d "C:\Users\Admin\Desktop" /f
    3⤵
    PID:1624
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" /t REG_EXPAND_SZ /d %USERPROFILE%"\Desktop" /f
    3⤵
    PID:4140
- - C:\Windows\system32\attrib.exe
    attrib +r -s -h "C:\Users\Admin\Desktop" /S /D
    3⤵
    - Views/modifies file attributes
    PID:2308
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2292
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/SkiiohTweaks
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:3860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7806866039325594856,16290978759342610261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:4152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7806866039325594856,16290978759342610261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/D1lmao
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
      4⤵
      PID:2124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:3732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
      4⤵
      PID:4052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
      4⤵
      PID:3040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:5060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13699290446031996216,17243031665287332315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      4⤵
      PID:2216
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:5308
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
    3⤵
    PID:5356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
    3⤵
    PID:5464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
    3⤵
    PID:5400
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v "StartMenu_Start_Time" /t REG_BINARY /d "0DB474C61FFDD601" /f
    3⤵
    PID:5420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:396
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
    3⤵
    PID:5576
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Punctuation Input" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Inline Candidate Swtch" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5704
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Warning Beep Feedback" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5744
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Left Shift Usage" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Right Shift Usage" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Default Input Mode" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "UI Font Setting" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Output Big5 Only" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include Extension A Characters" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5796
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include Extension B Characters" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Allow CNS Input Sequence" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5848
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Include HKSCS Characters" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5864
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Show Ballon UI" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5888
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Show Phrase Input Ballon UI" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5832
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Phrase Editor Main Sort Type" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5996
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Phrase Editor Self Learn Sort Type" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "UI language" /t REG_SZ /d "0xffffffff" /f
    3⤵
    PID:5988
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Plugin Lexicon" /t REG_BINARY /d "00000000000000000000000000000000" /f
    3⤵
    PID:5916
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Intelligent Auto Input Switch" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Auto Input Switch" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Sentence-Final Conversion" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:6004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Punctuation Auto Finalize" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:6024
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Input Status Feedback" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:6052
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Leading Key Setting" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:6100
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Fuzzy Input" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:6084
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Z Key as Wildcard" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:6116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Use ESC to Finalize" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:3884
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable New Phrase Learning" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:6124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Personal Regulating" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:4172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Phonetic" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:3648
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Changjie" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:3548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.New Quick" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:4088
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Fixed Candidate Order.Cantonese" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:4352
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable User Defined Phrases" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Phonetic" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:5172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Changjie" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:2096
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Quick" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Prompt Associate Phrase.Intelligent" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:4596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Simplified Chinese Output" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Toneless Input" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable Toneless Key" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:872
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Enable PhraseInput Key" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "SIP Prediction" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:4380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Toneless Key Setting" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Inline Candidate Switch Key Setting" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:4548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "PhraseInput Key Setting" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:2820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Keyboard Layout Setting.New Phonetic" /t REG_SZ /d "0x00020010" /f
    3⤵
    PID:3840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Keyboard Layout Setting.Phonetic" /t REG_SZ /d "0x00020010" /f
    3⤵
    PID:3832
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "Reading Indication Setting.New Phonetic" /t REG_SZ /d "0x00000000" /f
    3⤵
    PID:5020
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "ConfigMigrated.New Phonetic" /t REG_SZ /d "0x00000001" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Phonetic" /t REG_SZ /d "TCEUDCPH.TBL" /f
    3⤵
    PID:3440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.ChangJie" /t REG_SZ /d "TCEUDCCJ.TBL" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Quick" /t REG_SZ /d "TCEUDCCJ.TBL" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDC Filename.Cantonese" /t REG_SZ /d "TCEUDCCT.TBL" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDR Filename.Phonetic" /t REG_SZ /d "TCEUDRPH.TBL" /f
    3⤵
    PID:8
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\IME\15.0\IMETC" /v "EUDR Filename.ChangJie" /t REG_SZ /d "TCEUDRCJ.TBL" /f
    3⤵
    PID:3772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility" /v "DynamicScrollbars" /t REG_DWORD /d "0" /f
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Cursors" /v "ContactVisualization" /t REG_DWORD /d "0" /f
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Cursors" /v "GestureVisualization" /t REG_DWORD /d "0" /f
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowMouse" /t REG_DWORD /d "0" /f
    3⤵
    PID:2072
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\ScreenMagnifier" /v "FollowNarrator" /t REG_DWORD /d "0" /f
    3⤵
    PID:3376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "WinEnterLaunchEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2152
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "IntonationPause" /t REG_DWORD /d "0" /f
    3⤵
    PID:2124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator\NoRoam" /v "DuckAudio" /t REG_DWORD /d "0" /f
    3⤵
    PID:116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "EchoChars" /t REG_DWORD /d "0" /f
    3⤵
    PID:964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "EchoWords" /t REG_DWORD /d "0" /f
    3⤵
    PID:2476
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "ErrorNotificationType" /t REG_DWORD /d "0" /f
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "PlayAudioCues" /t REG_DWORD /d "0" /f
    3⤵
    PID:5264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "ReadHints" /t REG_DWORD /d "0" /f
    3⤵
    PID:5300
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "NarratorCursorHighlight" /t REG_DWORD /d "0" /f
    3⤵
    PID:5272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "FollowInsertion" /t REG_DWORD /d "0" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Narrator" /v "CoupleNarratorCursorKeyboard" /t REG_DWORD /d "0" /f
    3⤵
    PID:5296
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
    3⤵
    PID:3456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "34" /f
    3⤵
    PID:1140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "2" /f
    3⤵
    PID:2868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "2" /f
    3⤵
    PID:4348
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility" /v "Sound on Activation" /t REG_DWORD /d "0" /f
    3⤵
    PID:5316
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility" /v "Warning Sounds" /t REG_DWORD /d "0" /f
    3⤵
    PID:4104
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Adds Run key to start application
    PID:5336
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Adds Run key to start application
    PID:2436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3293334088" /f
    3⤵
    PID:5308
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3293334088" /f
    3⤵
    PID:5356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableWindowColorization" /t REG_DWORD /d "1" /f
    3⤵
    PID:5372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4282927692" /f
    3⤵
    PID:5464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "9B9A9900848381006D6B6A004C4A4800363533002625240019191900107C1000" /f
    3⤵
    PID:5400
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4281546038" /f
    3⤵
    PID:5420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4282927692" /f
    3⤵
    PID:5588
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f
    3⤵
    PID:5844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
    3⤵
    PID:6108
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
    3⤵
    PID:6140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f
    3⤵
    PID:5224
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d "0" /f
    3⤵
    PID:3808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
    3⤵
    PID:3788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MouseWheelRouting" /t REG_DWORD /d "0" /f
    3⤵
    PID:3640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableInkingWithTouch" /t REG_DWORD /d "0" /f
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PenWorkspace" /v "PenWorkspaceAppSuggestionsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5164
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v "DisableAutoplay" /t REG_DWORD /d "1" /f
    3⤵
    PID:5176
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Shell\USB" /v "NotifyOnUsbErrors" /t REG_DWORD /d "0" /f
    3⤵
    PID:3572
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
    3⤵
    PID:5152
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "LockScreenToastEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1012
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.WindowsStore_8wekyb3d8bbwe!App" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4300
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.notifications.quiethourssettings\Current" /v "Data" /t REG_BINARY /d "020000008CF9FCB790FDD6010000000043420100C20A01D214284D006900630072006F0073006F00660074002E005100750069006500740048006F00750072007300500072006F00660069006C0065002E0055006E007200650073007400720069006300740065006400C21E0000" /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment1$windows.data.notifications.quietmoment\Current" /v "Data" /t REG_BINARY /d "020000008592FEB790FDD6010000000043420100C20A01D21E264D006900630072006F0073006F00660074002E005100750069006500740048006F00750072007300500072006F00660069006C0065002E0041006C00610072006D0073004F006E006C007900C2280100" /f
    3⤵
    PID:3804
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment2$windows.data.notifications.quietmoment\Current" /v "Data" /t REG_BINARY /d "0200000094D2FEB790FDD6010000000043420100C20A01D21E284D006900630072006F0073006F00660074002E005100750069006500740048006F00750072007300500072006F00660069006C0065002E005000720069006F0072006900740079004F006E006C007900C2280100" /f
    3⤵
    PID:4068
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data" /v "418A073AA3BC3475" /t REG_BINARY /d "E202000000000000040004000102040000000000110000006B507E001600000099CBDC00F4030000A19F5E000F000000DBB4EF0007000100000003000000007D75003D0A000056737D008B0000006B507E00070000008A8385002A00000090D5D000600000009829B7008B000000E6C53100010005000000020000009FC8CA00010009000000C90100008A8385000700650000000B0200001C955C004B02000065A69E002D00000090D5D0000F0000009CA6B4001C0D0000A20506008E080200E6C531005D590000F0E0B6000200660000004007000065A69E0035030000A20506000200670000002800000065A69E0083060000A2050600020068000000010000009CA6B400B8060000A20506000100690000005CC4000065A69E0001006B0000007200000065A69E00010070000000F300000065A69E000100710000001000000065A69E00010072000000ED040200A20506000100730000002D05000065A69E000100750000002E00000065A69E000100760000004A00000065A69E000100770000006300000065A69E000100780000002C00000065A69E000100790000003A01000065A69E0001007B0000002E00000065A69E0001007D0000004B04000065A69E0001007F000000B904000065A69E000100810000004A00000065A69E000100970000000D010000BEB3EF00" /f
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "TabletMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "SignInMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:2132
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "ConvertibleSlateModePromptPreference" /t REG_DWORD /d "0" /f
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAppsVisibleInTabletMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAutoHideInTabletMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopTaskbarFilter" /t REG_DWORD /d "1" /f
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "VirtualDesktopAltTabFilter" /t REG_DWORD /d "1" /f
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "4218" /f
    3⤵
    PID:668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "130" /f
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "39" /f
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "FSTextEffect" /t REG_SZ /d "0" /f
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "TextEffect" /t REG_SZ /d "0" /f
    3⤵
    PID:4944
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SoundSentry" /v "WindowsEffect" /t REG_SZ /d "0" /f
    3⤵
    PID:4952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SlateLaunch" /v "ATapp" /t REG_SZ /d "" /f
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Accessibility\SlateLaunch" /v "LaunchAT" /t REG_DWORD /d "0" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d "1" /f
    3⤵
    PID:2072
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
    3⤵
    PID:4080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowSleepOption" /t REG_DWORD /d "0" /f
    3⤵
    PID:1136
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v "ShowLockOption" /t REG_DWORD /d "0" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f
    3⤵
    - Modifies firewall policy service
    PID:3196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f
    3⤵
    - Modifies firewall policy service
    PID:5260
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
    3⤵
    PID:984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
    3⤵
    PID:3432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4848
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
    3⤵
    PID:5836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "256" /f
    3⤵
    PID:1340
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Mozilla\Firefox" /v "DisableAppUpdate" /t REG_DWORD /d "1" /f
    3⤵
    PID:4624
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
    3⤵
    PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
  - - C:\Windows\System32\setx.exe
      "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133700118817273935
      4⤵
      PID:4952
  - - C:\Windows\System32\setx.exe
      "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133700118818893974
      4⤵
      PID:2540
  - - C:\Windows\System32\setx.exe
      "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133700118820094056
      4⤵
      PID:2152
  - - C:\Windows\System32\setx.exe
      "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133700118823343967
      4⤵
      PID:932
  - - C:\ProgramData\chocolatey\choco.exe
      "C:\ProgramData\chocolatey\choco.exe" -v
      4⤵
      Executes dropped EXE
      PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/SkiiohTweaks
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:4844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:3736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      4⤵
      PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:3464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1155216764913200518,3279905486968559468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      4⤵
      PID:5296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/D1lmao
    3⤵
    PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3564496988036447874,17016501073444463294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3564496988036447874,17016501073444463294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4104
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "perflevelsrc" /t reg_dword /d "0x00002222" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerenable" /t reg_dword /d "00000001" /f
    3⤵
    PID:2072
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerlevel" /t reg_dword /d "00000001" /f
    3⤵
    PID:1060
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "powermizerlevelac" /t reg_dword /d "00000001" /f
    3⤵
    PID:488
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablecoreslowdown" /t reg_dword /d "00000000" /f
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablemclkslowdown" /t reg_dword /d "00000000" /f
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    reg add "hklm\system\currentcontrolset\control\class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "enablenvclkslowdown" /t reg_dword /d "00000000" /f
    3⤵
    PID:5836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableCudaContextPreemption" /t REG_DWORD /d "1" /f
    3⤵
    PID:3928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisablePreemption" /t REG_DWORD /d "1" /f
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "DisableWriteCombining" /t REG_DWORD /d "1" /f
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm" /v "RMPcieLinkSpeed" /t REG_DWORD /d "4" /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\FTS" /v "EnableRID61684" /t REG_DWORD /d "1" /f
    3⤵
    PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1056765092093509695/1056765381122990161/Base_Profile.nip?ex=6588ed74&is=65767874&hm=19ec53aceb532a262915a74d0a1562e1d0a2c73c7d0479c85bcbd42e2bcd85e3&' -OutFile C:\Windows\Base_Profile.nip
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1056765092093509695/1056765357488091136/nvidiaProfileInspector.exe?ex=6588ed6e&is=6576786e&hm=70ab82155cd9e8c040c5bb3a5fbd0349d32150b23d483348db4e46912872424a&' -OutFile C:\Windows\nvidiaProfileInspector.exe
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/SkiiohTweaks
    3⤵
    PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,4425700580976659776,17824095333039544590,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,4425700580976659776,17824095333039544590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/D1lmao
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
      4⤵
      PID:4060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2237511535654766043,13671178120804144429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:5400
- - C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/1035435552847183872/1165393552973512815/Skiioh.pow -o "\Users\Admin\AppData\Local\Temp\Skiioh.pow"
    3⤵
    PID:4856
- - C:\Windows\system32\powercfg.exe
    powercfg -import "\Users\Admin\AppData\Local\Temp\Skiioh.pow" 1b933c57-3389-4661-b5d3-d9bb693bab48
    3⤵
    - Power Settings
    PID:4664
- - C:\Windows\system32\powercfg.exe
    powercfg -SETACTIVE "1b933c57-3389-4661-b5d3-d9bb693bab48"
    3⤵
    - Power Settings
    PID:3328
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
    3⤵
    - Power Settings
    PID:2352
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    PID:5280
- - C:\Windows\system32\powercfg.exe
    powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
    3⤵
    - Power Settings
    PID:2292
- - C:\Windows\system32\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    PID:5212
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\Processor /v Capabilities /t REG_DWORD /d 0x0007e666
    3⤵
    - Modifies registry key
    PID:1112
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    3⤵
    - Power Settings
    PID:2140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    3⤵
    - Power Settings
    PID:4776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "DisableTaggedEnergyLogging" /t REG_DWORD /d "1" /f
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxApplication" /t REG_DWORD /d "0" /f
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxTagPerApplication" /t REG_DWORD /d "0" /f
    3⤵
    PID:6068
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    3⤵
    - Power Settings
    PID:6116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
    3⤵
    - Power Settings
    PID:5204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
    3⤵
    PID:5604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
    3⤵
    PID:6092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:1384
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
    3⤵
    PID:3796
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
    3⤵
    PID:3568
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:1340
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
    3⤵
    PID:2584
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
    3⤵
    PID:3432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
    3⤵
    PID:996
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
    3⤵
    PID:5432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
    3⤵
    PID:3964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
    3⤵
    PID:5232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
    3⤵
    PID:1376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
    3⤵
    PID:5240
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/SkiiohTweaks
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:3936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:3464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:5588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      PID:3516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15417204163918235554,6511950592836131551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:1852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/D1lmao
    3⤵
    PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafeae46f8,0x7ffafeae4708,0x7ffafeae4718
      4⤵
      PID:1336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12597728055685556756,3578614237064602802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12597728055685556756,3578614237064602802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4300
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "Class" /t REG_DWORD /d "8" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
    3⤵
    PID:4556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
    3⤵
    PID:3516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
    3⤵
    PID:2208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
    3⤵
    PID:2780
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
    3⤵
    PID:5196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NetBT" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:5036
- - C:\Windows\system32\netsh.exe
    netsh interface teredo set state disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5548
- - C:\Windows\system32\netsh.exe
    netsh interface 6to4 set state disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4140
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4432
- - C:\Windows\system32\netsh.exe
    netsh int isatap set state disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2132
- - C:\Windows\system32\netsh.exe
    netsh int ip set global taskoffload=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5340
- - C:\Windows\system32\netsh.exe
    netsh int ip set global neighborcachelimit=4096
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2080
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global timestamps=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Time Discovery
    PID:2284
- - C:\Windows\system32\netsh.exe
    netsh int tcp set heuristics disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5232
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global autotuninglevel=normal
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5280
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global chimney=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4596
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global ecncapability=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:404
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global rss=enabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5468
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global rsc=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3408
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global dca=enabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:8
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global netdma=enabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global nonsackrttresiliency=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:884
- - C:\Windows\system32\netsh.exe
    netsh int tcp set security mpp=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3604
- - C:\Windows\system32\netsh.exe
    netsh int tcp set supplemental Internet congestionprovider=ctcp
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:6092
- - C:\Windows\system32\netsh.exe
    netsh int tcp set security profiles=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4440
- - C:\Windows\system32\netsh.exe
    netsh int ip set global icmpredirects=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4304
- - C:\Windows\system32\netsh.exe
    netsh int tcp set security mpp=disabled profiles=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4060
- - C:\Windows\system32\netsh.exe
    netsh int ip set global multicastforwarding=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Disable-NetAdapterLso -Name *"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-NetOffloadGlobalSetting -PacketCoalescingFilter disabled"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Disable-NetAdapterChecksumOffload -Name * -IpIPv4 -TcpIPv4 -TcpIPv6 -UdpIPv4 -UdpIPv6"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell Disable-NetAdapterLso -Name "*"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    PID:5280

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
- System Location Discovery: System Language Discovery
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\choco.exe

Filesize
11.0MB

MD5
76d8fe544353fb6dfc258fcfbe9264d9

SHA1
6bc15a025ab989d20e6c9b9a42344d42c688d5e3

SHA256
9a058764417a634dcb53af74c50f9552af3bc0b873a562f383af36feefc1496e

SHA512
01111dc18641c6fd4177b71d733b3b39d31f69bac6d0ff346a9b0ebcb72e6e34cc35a5a710e291ca9e4c0d2d4ae64dab398b879a84a457458c130460c1a6c604

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.864.update

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
bf5ee790510b3a2980412675d29a293c

SHA1
164b0bf972cc0c4ff56c47641a047af4743f598c

SHA256
671fed8b51891ab5e1639033e4477f4311d2b139b4eccd4248e84b0c9028d0d0

SHA512
659ef4cf6e973448469c21507ef67902bbd8a8fe11a92c699c3a782b8b68eed1690246652f93731fce1a6147777965773c1c3a8246a19caa73763a26e5524a07

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
2KB

MD5
4e001af51449bc6ef571bb198f38d5ab

SHA1
7adf155d744c0c2f52b34d412f48103043f7f904

SHA256
4d45281a4323c51deaa11c2d76fdcf0aff99498fdcfe1fda7475a0109f008401

SHA512
716ec8f490f4d46db03503122097a14f71680c388dc9ac451403bd5e631ac498b60a9103a56396cb1060ca2ca32bbb9dceacc963f3ac6cd681e3190009bbe21f

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
3KB

MD5
272710d2fbcdb4008a4e9de8b09059a6

SHA1
64948dc9b8e1259f72da302c758561888950fa6d

SHA256
a7dc39cf39c7b5c52ef763a1b1eeb24217f631ad9731455a88ff4f4bea5e062d

SHA512
1fcf2b2178857b5ec43e8c9df0a2c8be998638dddd03a787f91f86bb8c8ad6ead24982a60463f140327ed394326b38cd806791546883a806353c1ef140cae6df

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
a7a60c8c98d853b0e6d3f4f2a76fac9e

SHA1
6d025154e1c1a1277abfad60a58ee623d1caf954

SHA256
284d1ce4e5c74343e6b3f3ad42955ade48e090965639a011a30179f8becc593c

SHA512
79d86f4f5fdb9b2086e433058346003b03f82f39d921ee85fe22c158c320646220b61de06c1b12efcd621839a79e0700f9a1e10c85581556b2809f7daf03d00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e06832c43005ba7306bd4d1b011a369

SHA1
0792466c10f35ed203a514e116a89bf2b80dcadb

SHA256
c84589102ea33c42aba8484ee48fd5bc1fcaf6d8ae54ea6eae0ab5d3af75308e

SHA512
36a28e0633a49bd317f8786d67523ac88f19ff8b005957fb4da33196788827e6d350d13ea05898d6b15b715ede8c74066982a0d014c167511a54486c16f84696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8961458d3d3372cc5def22cf19e95da0

SHA1
d1df9f87245df25b342b56729f11dbb393de5001

SHA256
db47f71e816dc1a1018f9dff5a8566be5279f53eb810425468c0d5c40a44a9e1

SHA512
96fd145066086e9f29997d80399967c413d2544a8b8e9f2be8b0a895ce699eecc5a370ab8e1805760f034eb81a935bee3943d9da3d07aea797b08f38a31b6f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaf1146bb5e90143a1924e3aac8bbce1

SHA1
2280ee43be856e9b5d6d2f5eba75f3cc602b5308

SHA256
70a61d70387c32da2c47e49a2b1f44c277c78314605b7344be9355a6e7b85d81

SHA512
446c675a4266765b9ed5eb5c333aa8d91940bde17a97299f7af592a2b62f8fe571d15b20074a613e10420fd32b711a22da1482b13dc4b2ebb6a0c237931dbc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a65397f7b800c326175c61c34e7d9840

SHA1
5a717468dfa63cce71aeff4ae88346303b005077

SHA256
8955e9978c57589fc469ac9785f5183b4d62b46f7416354e43e921d37538f70b

SHA512
e2ba31758c26c01361714eb0c997026b8983b9c979bee124d01c0a22bb97b924423fc4324904b52f7a0d6b85babcef7d5133d796bd74318247d07b998d55a9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3d43c459-4782-4231-a51b-656e214a71e3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4bdd34ad-8346-4b8b-b0d6-97fde7909eca.tmp

Filesize
7KB

MD5
d53ea13aedad90d4b12e2f374c787906

SHA1
6a3f93b1c665cc05f728e7d729bb00caa29f76f5

SHA256
d975f25f05461c75a5e76f6c93d516e7e7cc45047eed1312ec16633ad30c8ffc

SHA512
b5c3bc29a798142357a95149cb0e4ed2ceb415db5ba8d3a7560bb35adc404770d4f931c64f7bc50b1fbbd0e3ed039c2bd5a947b3b6a90213c2e3e9b0461c7721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
509741b6b7b66e20f5062e3314094490

SHA1
bfec3ee500ffb3b68ba8bf5fadc2a2e958f175fd

SHA256
f5958ec55973a5fa454e99f8abb11dcc06def713875cb190c2433378bef1e346

SHA512
df674aa5f70a2e43c7403181e94a4587f06d01bad27025bbe0e2275020093df7ec115caf84b87510a25229d3aa45b5fcf8a65a77e95b19b0aad0df3e8cc20f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4de05460cb60f8d853c3fc2488a1eb62

SHA1
c62bfdf1112c09f574c0d1968b1faa5139dae011

SHA256
5ff07e86292a68c0d25f7d88ba1718ea6b505d0dbfbe67776927bd6db501cf18

SHA512
ad960256a95b751cec4b05d7f5ce78220eb1e53b1f5dcd7285c816842fe28138613fa3e0783826b5a9eb558b530cd953e84db9c2de9b74900196bf5617bc8396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a6c921739f9bdb46f8a79f520a817ed8

SHA1
cf6191d00f82a5faa23bc70c0e9cb84c512790ad

SHA256
b0557da3c7764cdd1afaddf34313c1ebaa2c806944df3e3b41540b2fc5869223

SHA512
60fc781bdf8b943985cc870f7fc9c8df25afd66fcfa321c8e1209382bd841c2e394ed33b27604991468c397d17ebe1c8e86679ef17718ae9d3c1e8e973b984d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
82f0327c35e381d4ea8cc9c4dfcd7006

SHA1
40f716bdfcfec895e85677bc6d24aeaf18409638

SHA256
25c8092beb89847b0278733c33f0a30d39dd659a95370196dd7fdf88180aa435

SHA512
bbf70a594f32f5ac2a974ef5bb145e75bc8ff47292241f6aab1b021fbf963dd7a5cd26d98a39d84e5ba0666c1d196230a43a7c6e78573f0a87d6f13c7ea7c7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
47eed49d908d0d56b650a50ddcef07ef

SHA1
fca693ac36974468acaf298c6f6453439fedbdaa

SHA256
198a9794ab0e3b993b666388782ffe930b34473c3d7be172f3343c51c1739e2e

SHA512
228a6b928e2e033550baa485d93503b1277ab1c6c057733b08952a1f1bd1c855cf075ea99e4a2e2b47aa75b4db57ff3623767e672d8965069f98847025779a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5521a603df247898e08a50ee3541d864

SHA1
efaeef4873618f69ab9effdf576ae9043817eeb0

SHA256
1d80f0efa18c4938de35f2af6543bb5cd46e353fe5332a58e5a1796c7ecb3ba7

SHA512
c7c3801143c7c423f6bdbd42ce0d56ead36af0083cad37f084f7e95341b5dcb4d695264690ab2ed4e90d7829292993749f83067f621a7e3acbafea1c281b2fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
38a44a356f00dc78d410119486f117d6

SHA1
a60e7aca85344928faecf8419660f6a61299eb31

SHA256
390835d6a8611a459d8012a4c9f9eb22173b2749a37047f959db204226f0af05

SHA512
61997129d252239581aeb6666ef6d37a0a950e31b1d833515a394f529c405995faf12b926b29d91201e721e78e7458367e648a1094aecb94f65c2870b29cf9c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
bab11716a9f0e2496e0fadfa644d32fd

SHA1
1b18e62901850b601b42b3dcb369437fd61be331

SHA256
fecf5e8edeb18f4ee4480d9d388a8153f4a2e331a3c059abbcddc38c1e868baf

SHA512
370c8faf50d98195a47420a6b9c31d26bba55b7490444d08b05c72c4fb0faab1fd32b9512298c7f0ff5c555c10787b3a3ba5a345ce084f85bc570c205734f6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
5d15c7292fc6b4712f207d0cb8a2a120

SHA1
d6b6d2fc43055ab84e8e8dcff02c9be0f8b88f0b

SHA256
99260942768255493634a1419d8c777bdf7b79a253773ad304619f72940a13c9

SHA512
f28ca4fa4ca2f23eb70efa3ebff5584e7f35d40e40e01899516a3bd2073f462525d8a93949afb438534435eae69e0844c7b1bed890c684318ffd485eb0ee75e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
297ba0aafa299a26d330bbdcac42fcd9

SHA1
5eabe796270fa9837640ad1d0c15f324c455edd7

SHA256
ff62929fb1e0bfe8b8684b99ed615878318ba179eed63a0e925cb5426e66de94

SHA512
6d321bc89b86af77eeb98d85c5bf6d59c256d3ea8fb49beb39b763ffec9a57c7873cc1ce6c00232322b2c55de7c1b1b2ebb21fe0dc41e235f61581da1adf2b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
d616aef5e4234b743304fcfc1a7ceb7a

SHA1
173d98d75d9e34d4a108bf08e487b899db32e528

SHA256
dc17e968043f26321c7d27d193683f9331de69a5960a02cfd700c8ee6d8e3436

SHA512
947c48e88753d038a6f9523a1c1cf5dac8277f83758e9c8d7b5888372a6b50a6a74035788d655d57ff6eb2d7677a2f7448aa60b17d837a3b811b47ba5fde977b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
773B

MD5
b9200856f24ecfb461cc6b821156e4a2

SHA1
ee26619e271fdd862d8773b2e7366e43bdcd833d

SHA256
8c85fc1cb9ea83ac63cc64549178f542a16b0dfc440a749d9e54f5ec5d665a92

SHA512
eacffca1d73a76c4acff45210bbfe202659e17e0be260645ce46e732e0520fc7bee1dfbf31abd7f2b5ce61d0709aeeea975d25ec0769e44fb7ab3b422958215d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
773B

MD5
787cc32f12f785dba04ec0c9c0599aee

SHA1
fc57c2326f53d1d2a6773d4d01290242b6ceb8f8

SHA256
6b649fb36970f9aa2effb41703ec6b2945dcecdd29211bff78a0188a7d15e7d2

SHA512
710274848f80d072e54e4c0fdf55317d79c71fcf272eebbd102450e37d48f17fa998bb1d5c35f83e34a344e0f64f236725fb4dcf497a048abc229c1ce81230bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
844B

MD5
9b3b0ba575eb91c1dbeb2739c0f7e904

SHA1
5ba17bd854afc47e232e56552929890ac520a119

SHA256
eced8e3194a9dfa4a3d90a47ed785e986d54bf426a54304422d6298e035b37c1

SHA512
19aa0181375c5e79148eb32095cf57630b18d184863bb8120fde76a929e6f67400d04fac6f9a82484e771694f1c1b13b776c55f77689aa383234b5e34511e4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
555654a7ace74380c67538b7f472bae5

SHA1
1c7ee17d410dd2315af83c0ef53bda1369fb573d

SHA256
a48a2d3b0d9b3eff8da256b24a4a64994a919cf11e74e74ac4d856587c578179

SHA512
cf8202aa16e018de7bee7dcdb4ce84430b57bb58cd4a8bcdd1aa76eb59c7bf88a754979d63a0225828630f8c59833785782a5ae4d6b5e713590ab0aa611dfaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e40e8f4c47856e88ba45ce4e83afa4a

SHA1
a440aef6451ca1563416630ae0c49f1682e9dc8b

SHA256
888872224fa7de98366fe6e14754c6a2f127f31f12d078ae273015f0a98d0848

SHA512
764221db865401eb44b2fdf6063094ee341df342355be9d9584c4e1446a858d9eff81249d2a8507f5100dc09c8a8f19af359f5a086be73d657851d82b1968b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9313a904ed7055852ffc2912f0c63c6

SHA1
897b57b5d97c5d2d6deebe6d1fcfa87f977c2a08

SHA256
99d6532da406df5cc9a75033dba04d8009495e928de6bfa02c0a86b3bebadf8e

SHA512
9dda02a231ca3f93bdf7326d63401e8f35a5f9c0b3292e57687099b6c26ba48c967e1370b6549544f8ae3a45ef87d3d0627a809ffa52d6178903cf54f6face87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d9fc867774e6ad2723703ac9be2ba748

SHA1
8ed7c9f83aac00ade55fc92223063a3082f73a1f

SHA256
bff6a2d42ab71c0d25899a376a04d22c6fbd18a01ad763bc3f453dec81c153ca

SHA512
81471cba0d47f1567593fb320f0e85201e98ca2964bf8e38066948ffe9541c913393137fc5cbf799fe0f4854e0c7c84617656a5834f73fe08716de4168f1cdc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9974fe6fcef7b55f2ffd5084eb16fc61

SHA1
1d50bc95b310d96731516d635a4bf9fb0fe72b12

SHA256
c278c754f4ec456b95c200303d13e9464325e8b516614435aaa46ed89e6562a9

SHA512
0b28c537244d626538003f891312ec658dc09f787adee0864deec9035f884e306f88167523c87b915c307c7a8e9c7c58faae5fa48e053ef2420916e45a2de24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
44877f687c4d462601d2426b7dd57000

SHA1
472b9138114b64e1929b50be343d676993dc6014

SHA256
11723b0393ef3011de4753ef3a10c2235985a54656574f759433ce1bf0e697a2

SHA512
14b905df6aeccd485794d48b0be97b51ef6c37a0e7358215a82e4cf1631c1d4cc2c74cde34ef0928567b964cc079f792f2c0ce7e9d5dc10ce2a6ee185d1976c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
077d396bbc29caac3d622293d99c8d8e

SHA1
aea669dee5d0fba7b76da18560a273718d2b6efa

SHA256
d6d6b294c710cf9a04b2fba4f0e34e1d9ab40beb33beaa8c47e3378ee60b8f0b

SHA512
9198fa0ff9ba56a8ffd5fb54c57b987894de83504fa656f273ee08f715189c7e02affdfa33375a11dd0cc8b95d7af10ab4db5c68a1c18effeb1fc07e8e2eb242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
b210eb8af0c3c562fee72b1fc359410d

SHA1
598a892f5ac7cbafc7ff85c3387927ec6c619c00

SHA256
936e455a3be08e6da476eb6f7d8e6888d2e75197fa7d8185c49cbd18346a4dd0

SHA512
af2fafea58ff5f9cca55617534a80d96895db7378f7c90df247ea0a8b08f7538c02ab59afaccb4c14e092d56d4ba86d9c81a1f11bcc1bcea47ab9784d790d119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13370011862877476

Filesize
3KB

MD5
1c43780263a3e10ee931087aad1d77b9

SHA1
71df547dbf239aa8fe367074cc4bc36611de0755

SHA256
4a855a5e1d097fb0c711d0c7d0d2e380e36cd578f87662c64dc844221984a36d

SHA512
20553a6c311b399906a34dd2f9a1ad407282a1323d77127ce32dbe5cd0d4e3b92ffa4e50ceda5855ca01a0715ef40c2790be8b51aff778006c51218cbdbc3b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
f77b6b08eef0167d6c1b5ae281bddd4d

SHA1
ac966ef9bc144c26a8a6f6551e5eab78a3a5d15b

SHA256
222dc2d4812581ed4c3247942a0e70f30e7edb4fe5fa7fcc9c26a4ec0aed2619

SHA512
30132ebd74c9612e3fecd5792da41aeb469c5203ba74df003a7c46d3809ed4638a8997bdc3895faa94d400a275901e36878e4281eba21c61eec1dc0a426c8b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
91edf026b3e46e75c5f55ef4e03f87c7

SHA1
88b5c4610cf7e3e26383d4390c2237d1bca12f26

SHA256
77d56bb4fde0f2757dfddb1afd8140e496fffd0442566db9a71df3e0f2945f81

SHA512
0ba2a964b31ddb76f14d27c56d27bf5113af64d9ff85ab53c3103c553f976d73909a22359726a468fc9de327de30ebdde5961bc356e2c2de58168f6bf17e5c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
5460b698be0721411bd325fcdd596085

SHA1
0306935eb72a3af7b4787287ed1e54af97d77d82

SHA256
dab369bf2aa2730dfec55d19100639b0a20c6a2f852a69740ab8563cd1c697fd

SHA512
8117257697728b624b58ff4c79083f9201af3628bd03114fb171e2ce621cdad1045b32195254804cf524556a6cf20fd873fd5dc5045994ab87d0da10598e45d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
39be7e4c02510e854765ec6076a531a0

SHA1
c0168675cfbd74282f49ffd6c05abca866530684

SHA256
a585fc5954e9ca9b577e141929e099064eeff951a1867cdcc902ae458340c703

SHA512
2c4afccb202a5b4b66ad474b5daa0fc8c3469ecb11ed4e8eb0c4f670ce930e0c870de0e697b0bdc64952581a557d91aa624d5246b6b01a4f5cbdbfb08731d31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15a6fe86a95de270f63c1dfeb519aca4

SHA1
a0bff7df33dff1ae217209d8b505b686500aa405

SHA256
b65d83e43ae9384ee10177e46aaeb9a3f286877b6775e310ab13812ebf26b10e

SHA512
f048e0c7ebca046665fec9a17cd89bbf9880de012d71031dec5fb1ce925edda2c459288f029b7cc94d5e86d7f161d3aba425e248f23d07f9e96ebb39a11b47b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
5a71ebdddbd6999b5dcdd4886c25464a

SHA1
6113c5135c404dadf9b7b8364cad7aa87bb227cc

SHA256
2b0f9a063a83956ede93a7374ba9d915627e251000a530037ee09b7d78846d34

SHA512
c80795b56cb1575c1f0ac66252c112f3e758f461c6f219fc57e9a4e5f2e16cbcca79f5009296fc662481e1662edaa9a06bee832867cea64ef63e8f5814ca961c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
aaf7d589e832a8c9e77f0bf24b97aa73

SHA1
9d20054f2fce5ff87318a79625dfa23e42f08fe8

SHA256
41efcfeb891fdcc58ebf7c4641f6bbfd908ee5b0fdd725984b98b5d58700dd0e

SHA512
1990cdb870f97861de3132ff37503cd4755ec3e0b0d497795bad4c12374af400d50b88b64c9e5dcbbf2f6a5b623a00b891de4b4bdfd44cfce9c2aa81360085b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
1bd831240f2abbbb686d7cc35399b9f0

SHA1
48658207b06585cbd3242009a8a69367b745566d

SHA256
b403f7862e5fbeacb1a25c9efb88dc33e3a382ba59e4860cee5222ca85c311ed

SHA512
1c0aa62bc5a16442f8f0c44c8f96fb74370d5379b92e3115f8920c520b8054d4c6d85f2afa9224d136ccbdb5b79f39df36913137d71352c39218b824c21d7c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
a8540873a522fa3c40a533787fcbe012

SHA1
f59c8b86cd4204f4ee46eb3bec16deb3b05a816e

SHA256
efecb8137de7aae5bc194b8c25aa9e346d9909af16ae7c9e8d5251d31db2d8cf

SHA512
aa507e27497eba0d73c4bea2275d3957d531ba643d86936c7d3721a335c5a46bed4fca88192ea8abea3f03cc0718da204f22ea222382984cbf7d24bc3e95060d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
efdf9ed7a58a4b82d48aae64f7ea7381

SHA1
9f821bb1bcb696b12355d563d504d766139fb343

SHA256
ea502858cbe857efe48506ec7ca5e1045ed3c3fe95de3166bb23504109797b4f

SHA512
723caa4cd6b59f67a9c762eebeecc52f26b0fc2c4f0b418ba513123fa7a8253a95d665af1ad1794c42a67ebdfd1b1a6eee7732c3596eab01f712f5166995d6f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b79573efdfe75f9c330694b034700b54

SHA1
477946ba1fa389a9968c9d3fba91aed35a5b1a37

SHA256
9190b3cc85139a0b2cd7266ef34f7265a5e7f3a03621b81b7845c43571fba41f

SHA512
b573b03088a5d3af76086d3620fcd66e34d406ac9d2b0386e5588896eebb117d75b8f5f09fc434db0a04bf953c7880321202244ad0063072f5dbd8cb52664813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
863545d297d288d09e15f85d31d50718

SHA1
78c2046e11746a63bec4997090671573d91456f9

SHA256
a3b153833effad5b4862470c6e5ab0909056bc7aae657b5725c9365bfbfb709a

SHA512
531a2d4d91ac2c3dc9d6e2b70330d7516e544094f923cf9f8669493e9c35e61dab7a531c7f4c5fb0d66a532b647ded24d859a894a13b401e19a82730273bd2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e56c61af7fb53df830c9f6ee8a1cb954

SHA1
08d122c925af16857cf872521f009b72f890dad7

SHA256
16ee73bb37dde4e40050ba3c454c532d2db5b228b4d2464d8b78b5315a69012d

SHA512
abbcc898498f27a984f585692160d91658865ac23d969c3e3650b1054a648d588b9ad93e567743253a5388f513c827a1c881f4333ddef694ae220a22006a5998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a9881963d696e44b05e417f8c9b3f4d7

SHA1
918316569b0721e3abf40896e29f80771a8c4c79

SHA256
7bc7b924f1e0e19cb9230294cf50193d6f091f5528843daa6009eb6d1016a1ae

SHA512
bdd48c95d59b7db2b8201cb02407b20bd750a237eafda0048ed7578a7fe7925dca4498d3a540d7ba5a6da36a4ed9d79ab22ffb58e21f31c8008cf4bef6767ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10c64850ee38f7227b2166aa9008cba9

SHA1
f9c6c10e1ac6ec5d3277267a6f4bbeafc1b68792

SHA256
d8093343e8af90b39442b8527207962ee2a5c214b9c80cbe2f938dc48ea1a4d3

SHA512
0af2baae116b517e3c0d7e138cf916084cf09cab2bbf655953b8c6e4edb00ba2e6f43a24750e162485c658a4ce4284a0690763f7c8343f2b57b3304624383510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73d7865dd354ad6821cec3894d10020c

SHA1
65c26f50ee66aa23eb8ded2e596489ee9b83ae1e

SHA256
72f5f2df4ef7c11b779b4203773620187e4cc82a2e92864c24c8f291c5740cb8

SHA512
572ec11f93ff3d44b4ad12f00e958f6bb92e38ff088a7380c6dd1f253e055869894df54d11595b9c0703113d74e59e2c2d5321d05bc767dffef921fcd6e04198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e9871858cf3f5ccc3ad88c32471f801

SHA1
95a19c326edd99295ab5270619b462d17dddf0a8

SHA256
972d101633b35e72bd0066b7c0787fae869bdfb8e1be33405f25699322d02c58

SHA512
64434c7d76ca97415feaee3ecb3fa4bc245d33af6df616cf78d093563b5f64ec201d10f46adfeead788afdea98a89fbdff156fa394cc7f848e933cdc4e756bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
fd7abe59014dd2b9c9ac20e089474a9c

SHA1
c82445fb136fead64ea248ee36ecf399714a7a6d

SHA256
079bda462aca231f32b0c89660d10df0ad38764c0ecb9573cf82138d313ddd70

SHA512
cf088e4b304760fc3bef5fd2eb5bb45cd004dc9d32125cdb24d84d270a4a7514e28535b13b636dd652c7579bb524ff72d3dc98c789dd8b2291cf99c7e0da01c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
158a72355ea99a8bc04d0b6a380cc97c

SHA1
750fff9e378ca754a4534371e54624f7e90b796f

SHA256
c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c

SHA512
0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Y25IPP08\microsoft.windows[1].xml

Filesize
97B

MD5
d07a8eeeb6da833c3c127ff207daead9

SHA1
cc8a12f7c600ac6ad8211f50045ca376f88f3cb6

SHA256
113038e3d15cda4a50c0980cb7075456d00b0770a1c436b68cea36b435363392

SHA512
84bac1ea9a2bac093a6356933b08c841d1ef922937d05db05b388b6b107d77a7edcf6431db083a89e611c86c2ed9e8e83207e798edb08e3e056045780a432800

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133700118636302770.txt

Filesize
73KB

MD5
ea094ef7605e5df0b46878f7cc32bc5b

SHA1
194e5a1b70de7275e9c27993934263ca1a601765

SHA256
9d40b2b0c8856831042f1051b098252ae263723c4351fb3327fcdc86526d35d4

SHA512
f31d8447c49d7cd9302033bf3335603fdcc7ec707ee3c10295e4f0d1874c0847a58bce9690ba11edf62893835930ddf1e18328a7c7eb10a77b4c0856102739ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\B57A.tmp\B57B.tmp\B57C.bat

Filesize
77KB

MD5
cb27f6dcc1bf64ca561678bf6898a410

SHA1
811858a3c50c4ebfbf7367caf6be5c987a46da72

SHA256
b22afc913b6da925f886d5c06f18f8199bf86d7f3c0c8e0b55d882330b7b0bca

SHA512
4ae815e24a0ca302c8178d7dec47e5792e12b0a6633120dfdb419833864ff7063ebb4cffe4db0f91f037c209bb8d9e4609b995c6d349f3d34fcc81791d3612cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5si0vms4.3oh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3688.log

Filesize
470B

MD5
cd6a038205ca1c0461caf20a5ead504d

SHA1
7eb8f777af59b1f09021d1cc4c5f77adb3ef36e1

SHA256
0ccf476ca6b44ccc747496b7eaaaa106d677cc6d875d34771170afd7d7f00d2c

SHA512
968c8190c070a88150d1a7dd9d5522de8cb0111dca7dfd676819351ce13c5da86d3c6f6802619c8a2cde9abe169e557e65b51ec2aef7ce2a58acb445ecdbde14

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3820.log

Filesize
470B

MD5
ee12a5e6f3bf45a81b975eed3c97ac0b

SHA1
c689b53e58a1590e9c50f024eea98735e6ee55a4

SHA256
8f03734ebac8d3d2fb202c7efb20c80bbe8eeb8edcb39c03e2069922a28dea50

SHA512
76fe3594f79b9787954e507cfd319edf9e2b1153a6ceece81b88f75f5523871a6bb16e76984e35e9f84bf597f12b0362d075604c69d6c9696d7816651187637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.1MB

MD5
95231e41829f1c3a5ae890b71bcef1fa

SHA1
6fbda9446ed3d182f6680e06d4fd3f27d346cd7b

SHA256
c73d4eda9ab5ca89583ef90838c4b819a304c9ac5a8ad5a89dcb7edb15ab5fcf

SHA512
8c035dc01cde656c4d0e5b7b14355b3e8e45f6e54cdd703d817a1c547faee6eeff5299b31da6f6dad85be166417078eb7b256c6fcb895e94ec47049f53facb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
50KB

MD5
7677758586925baf4e9d7573bf12f273

SHA1
2f54bd889a52ccaca36df204a663b092ad8ab7b0

SHA256
4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b

SHA512
a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
30KB

MD5
fd3cac756296e10b23acb8b9f9a0fead

SHA1
287d3f5e0315a9fd5f6327d35c76571ea7d569d6

SHA256
b0915eb7f0d7fdbe4dcf6756d163199c80e49220f3fec9270c8e75ccd4349c30

SHA512
4d303bcb0ec769124d368da5142bd35c862b2da43c900bdbefe57778df9d286a80c5099d8e7e751a08ca6bddbfeccf3cb11cf182887472c1a6b0b43c62a0fc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
48KB

MD5
b01ce7945b984a7d4577948805bdc514

SHA1
1fc6bcc433bef5f5ac7f89f94fb7e792a1639f48

SHA256
6cfe6aaf300b0447eabad6f801dcc38461b0802f75f433dde2c642e52bc9d36b

SHA512
a6cd52038d37a1eedd780d60cb1cf18fbd96c33727dee14895e6781154b25de7a3a3d2fdf31aa60ac156200026f475194cf6261dc230bec8023aab0cf6110047

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
28KB

MD5
e7e5066e40b28d8258e840b6e1594d12

SHA1
d2f3caf9755d0b7746ae16936dbfea4acb3f44f5

SHA256
9dcd26d37f492d76816f17529ae33851416dd4d7841dde7af505b9edee50baf3

SHA512
5534cdc3c7fcbd6ac07d13b95aed8c1d2c8d007641c5184b8053c98dc0723ae3e7321722d443b68da68184d7f73ff347a988718f83f767bb6b5266a3af72fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
2d821e986cc3d5baed2b35fd7c98291c

SHA1
6838f726ef41a3fef1878af6e1b5d88dfc148ae2

SHA256
91b8605fafba35d44f4352aa96f8d8fb366d0970e68bd194326f80eca67bf6d3

SHA512
37695fe351a5ee1c7326f77f653a49cad9c9a3a2dce3f3761d2baaece77f927691ac47a81ba8d0ac2f89c868d72f0e9751ab0f78375dcec936566c6c87297d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
9ab70fc7ce569afeb61472fecfcff233

SHA1
6e3572be787d452219fa86deae45bff98b5733d7

SHA256
2e8cee54c264ec344ca3049fa361bd2da721232162bfd5bb75a30bf0130c6a69

SHA512
8dddadd28e6ff07f2aa4115e430fdbdfdfcf4d8d83546099dcc229310e0986b551e457eb64e842d9aad1b606719913dcd444def9ef83b726a9ab5049a69dc7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
cd479d111eee1dbd85870e1c7477ad4c

SHA1
01ff945138480705d5934c766906b2c7c1a32b72

SHA256
367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

SHA512
8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
76231f812a77727eb4bdeb2409cf942f

SHA1
c39fb549cfe092dddddb59536d565e55a89c93a5

SHA256
7c29a172e6b9c466afeba7148ad9ce6a1a89a7e538200a6c43ad86a279a66dd4

SHA512
f540c657807312c5890fbabed6ac16a62bab962f308ddb23a15c913075afa68fdc7636648eeb50d5b4a1e26d497cc17031bd80d6d8e9d7e86fea16037a0097f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
1a3808e1be6302f046aada94ac685402

SHA1
9c815f53ed1085a59c345fabc6e826d992b58066

SHA256
e07ddabc0a414799d090fe36d4196e8cd5471dd9718649e545410f14ef7ca251

SHA512
5e6e879b0fd3fa038bc5e7ede14231399450f12311728bbc97256f548ce6f2b72fbe88c048507d2766a09ae42d2f5b3aaf49e2a32b07426558867e9452b2eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1127.tmp

Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
memory/864-935-0x000001FDEAC70000-0x000001FDEACE6000-memory.dmp

Filesize
472KB

Download
memory/864-936-0x000001FDD21F0000-0x000001FDD220E000-memory.dmp

Filesize
120KB

Download
memory/864-898-0x000001FDEAA00000-0x000001FDEAA50000-memory.dmp

Filesize
320KB

Download
memory/864-885-0x000001FDCFAE0000-0x000001FDD05E2000-memory.dmp

Filesize
11.0MB

Download
memory/1540-3623-0x000001BBEB620000-0x000001BBEB640000-memory.dmp

Filesize
128KB

Download
memory/1540-3654-0x000001BBEB9E0000-0x000001BBEBA00000-memory.dmp

Filesize
128KB

Download
memory/1540-3653-0x000001BBEB3D0000-0x000001BBEB3F0000-memory.dmp

Filesize
128KB

Download
memory/2300-480-0x0000011C78E30000-0x0000011C78E3A000-memory.dmp

Filesize
40KB

Download
memory/2300-479-0x0000011C78FD0000-0x0000011C78FE2000-memory.dmp

Filesize
72KB

Download
memory/2300-653-0x0000011C78E40000-0x0000011C78E4C000-memory.dmp

Filesize
48KB

Download
memory/4152-258-0x000001F9F08A0000-0x000001F9F08C0000-memory.dmp

Filesize
128KB

Download
memory/4152-253-0x000001F9EF940000-0x000001F9EFA40000-memory.dmp

Filesize
1024KB

Download
memory/4152-255-0x000001F9EF940000-0x000001F9EFA40000-memory.dmp

Filesize
1024KB

Download
memory/4152-289-0x000001F9F0E80000-0x000001F9F0EA0000-memory.dmp

Filesize
128KB

Download
memory/4152-288-0x000001F9F0860000-0x000001F9F0880000-memory.dmp

Filesize
128KB

Download
memory/4152-254-0x000001F9EF940000-0x000001F9EFA40000-memory.dmp

Filesize
1024KB

Download
memory/4168-3616-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/4272-3456-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/4364-252-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4688-2007-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/4712-2422-0x0000019F3BD60000-0x0000019F3BD80000-memory.dmp

Filesize
128KB

Download
memory/4712-2433-0x0000019F3BD20000-0x0000019F3BD40000-memory.dmp

Filesize
128KB

Download
memory/4712-2453-0x0000019F3C160000-0x0000019F3C180000-memory.dmp

Filesize
128KB

Download
memory/4884-2-0x00007FFAF5CA3000-0x00007FFAF5CA5000-memory.dmp

Filesize
8KB

Download
memory/4884-17-0x00007FFAF5CA0000-0x00007FFAF6761000-memory.dmp

Filesize
10.8MB

Download
memory/4884-13-0x00007FFAF5CA0000-0x00007FFAF6761000-memory.dmp

Filesize
10.8MB

Download
memory/4884-3-0x0000020339B10000-0x0000020339B32000-memory.dmp

Filesize
136KB

Download
memory/4884-14-0x00007FFAF5CA0000-0x00007FFAF6761000-memory.dmp

Filesize
10.8MB

Download
memory/5184-2044-0x000001D72A440000-0x000001D72A460000-memory.dmp

Filesize
128KB

Download
memory/5184-2014-0x000001D72A480000-0x000001D72A4A0000-memory.dmp

Filesize
128KB

Download
memory/5184-2045-0x000001D72A850000-0x000001D72A870000-memory.dmp

Filesize
128KB

Download
memory/5432-1404-0x000001E079310000-0x000001E079AB6000-memory.dmp

Filesize
7.6MB

Download
memory/5636-2959-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/5652-3463-0x000001F1BE390000-0x000001F1BE3B0000-memory.dmp

Filesize
128KB

Download
memory/5652-3459-0x000001F1BD240000-0x000001F1BD340000-memory.dmp

Filesize
1024KB

Download
memory/5652-3458-0x000001F1BD240000-0x000001F1BD340000-memory.dmp

Filesize
1024KB

Download
memory/5652-3487-0x000001F1BE760000-0x000001F1BE780000-memory.dmp

Filesize
128KB

Download
memory/5652-3475-0x000001F1BE350000-0x000001F1BE370000-memory.dmp

Filesize
128KB

Download
memory/5888-2966-0x000002340BFC0000-0x000002340BFE0000-memory.dmp

Filesize
128KB

Download
memory/5888-2997-0x000002340C3D0000-0x000002340C3F0000-memory.dmp

Filesize
128KB

Download
memory/5888-2977-0x000002340BF80000-0x000002340BFA0000-memory.dmp

Filesize
128KB

Download
memory/6132-2414-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download