hxxps://gamejolt[.]com/games/the-jumpscare-challenge-2022/759629

Resubmissions

06/09/2024, 12:02

240906-n7mhrsvdqr 8

05/09/2024, 12:56

240905-p6mmtasblf 8

Analysis

max time kernel
1050s
max time network
650s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gamejolt.com/games/the-jumpscare-challenge-2022/759629

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3860	the-jumpscare-challange-2022.exe

Loads dropped DLL 13 IoCs

pid	Process
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe
3860	the-jumpscare-challange-2022.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\the-jumpscare-challange-2022.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	the-jumpscare-challange-2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1500	timeout.exe
1112	Process not Found
2892	Process not Found
2132	Process not Found
1032	Process not Found
2964	Process not Found
5944	Process not Found
4156	timeout.exe
1036	Process not Found
2336	Process not Found
2044	Process not Found
4708	Process not Found
2520	Process not Found
3136	Process not Found
2844	Process not Found
4268	timeout.exe
2868	Process not Found
5304	Process not Found
4868	Process not Found
5632	Process not Found
1972	Process not Found
5204	Process not Found
4888	timeout.exe
1804	Process not Found
4312	Process not Found
3944	Process not Found
2272	Process not Found
5132	Process not Found
5992	Process not Found
5416	Process not Found
3756	timeout.exe
392	Process not Found
5708	Process not Found
2520	Process not Found
5544	Process not Found
2528	timeout.exe
2888	Process not Found
5360	Process not Found
1524	Process not Found
5468	Process not Found
3492	Process not Found
5200	Process not Found
6052	Process not Found
3312	timeout.exe
5128	Process not Found
2900	Process not Found
5236	Process not Found
2896	Process not Found
2768	Process not Found
3492	Process not Found
6056	Process not Found
4828	Process not Found
5860	Process not Found
1988	Process not Found
4244	Process not Found
3148	Process not Found
2016	Process not Found
1444	Process not Found
3820	Process not Found
5288	Process not Found
1888	Process not Found
748	Process not Found
2044	timeout.exe
5200	Process not Found

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	Process not Found
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	Process not Found
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 07010000010100eeebbef3000400010000005500000031535053537def0c64fad111a2030000f81fedee3900000005000000001f0000001300000070006100670065004300680061006e0067006500500061007300730077006f007200640000000000000000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f000000100000004300680061006e00670065002000500061007300730077006f00720064000000000000004d000000315350538727bf5ccf480842b90eee5e5d4202943100000019000000001f0000000f0000007500730065007200630070006c002e0064006c006c002c002d00310000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = ff000000f90000eeebbeeb000400080000004d00000031535053537def0c64fad111a2030000f81fedee3100000005000000001f0000000f0000007000610067006500410064006d0069006e005400610073006b00730000000000000000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f000000100000004d0061006e0061006700650020004100630063006f0075006e00740073000000000000004d000000315350538727bf5ccf480842b90eee5e5d4202943100000019000000001f0000000f0000007500730065007200630070006c002e0064006c006c002c002d00310000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1 = 03010000fd0000eeebbeef000400000000005100000031535053537def0c64fad111a2030000f81fedee3500000005000000001f000000120000007000610067006500520065006e0061006d0065004100630063006f0075006e0074000000000000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f0000000f000000520065006e0061006d00650020004100630063006f0075006e00740000000000000000004d000000315350538727bf5ccf480842b90eee5e5d4202943100000019000000001f0000000f0000007500730065007200630070006c002e0064006c006c002c002d00310000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{7A4921D5-A0EF-48D3-BAD2-5E5F0E542036}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 459832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\the-jumpscare-challange-2022.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3596	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4172	explorer.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1132	msedge.exe
1132	msedge.exe
3904	msedge.exe
3904	msedge.exe
2320	msedge.exe
2320	msedge.exe
3296	identity_helper.exe
3296	identity_helper.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4828	msedge.exe
4828	msedge.exe
2272	msedge.exe
2296	msedge.exe
2296	msedge.exe
392	Process not Found
392	Process not Found
5848	Process not Found
5848	Process not Found
4448	Process not Found
4448	Process not Found
4040	Process not Found
4040	Process not Found
5652	Process not Found
5652	Process not Found
6088	Process not Found
6088	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3860	the-jumpscare-challange-2022.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
5848	Process not Found
5848	Process not Found
6088	Process not Found
6088	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4172	explorer.exe
Token: SeCreatePagefilePrivilege	4172	explorer.exe
Token: 33	2568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2568	AUDIODG.EXE
Token: SeShutdownPrivilege	1004	shutdown.exe
Token: SeRemoteShutdownPrivilege	1004	shutdown.exe
Token: SeShutdownPrivilege	2408	shutdown.exe
Token: SeRemoteShutdownPrivilege	2408	shutdown.exe
Token: SeShutdownPrivilege	1792	shutdown.exe
Token: SeRemoteShutdownPrivilege	1792	shutdown.exe
Token: SeShutdownPrivilege	952	shutdown.exe
Token: SeRemoteShutdownPrivilege	952	shutdown.exe
Token: SeShutdownPrivilege	2896	shutdown.exe
Token: SeRemoteShutdownPrivilege	2896	shutdown.exe
Token: SeShutdownPrivilege	1448	shutdown.exe
Token: SeRemoteShutdownPrivilege	1448	shutdown.exe
Token: SeShutdownPrivilege	2604	shutdown.exe
Token: SeRemoteShutdownPrivilege	2604	shutdown.exe
Token: SeShutdownPrivilege	3140	shutdown.exe
Token: SeRemoteShutdownPrivilege	3140	shutdown.exe
Token: SeShutdownPrivilege	1336	shutdown.exe
Token: SeRemoteShutdownPrivilege	1336	shutdown.exe
Token: SeShutdownPrivilege	4368	shutdown.exe
Token: SeRemoteShutdownPrivilege	4368	shutdown.exe
Token: SeShutdownPrivilege	868	shutdown.exe
Token: SeRemoteShutdownPrivilege	868	shutdown.exe
Token: SeShutdownPrivilege	4872	shutdown.exe
Token: SeRemoteShutdownPrivilege	4872	shutdown.exe
Token: SeShutdownPrivilege	3916	shutdown.exe
Token: SeRemoteShutdownPrivilege	3916	shutdown.exe
Token: SeShutdownPrivilege	4808	shutdown.exe
Token: SeRemoteShutdownPrivilege	4808	shutdown.exe
Token: SeShutdownPrivilege	1328	shutdown.exe
Token: SeRemoteShutdownPrivilege	1328	shutdown.exe
Token: SeShutdownPrivilege	2496	shutdown.exe
Token: SeRemoteShutdownPrivilege	2496	shutdown.exe
Token: SeShutdownPrivilege	748	shutdown.exe
Token: SeRemoteShutdownPrivilege	748	shutdown.exe
Token: SeShutdownPrivilege	1040	shutdown.exe
Token: SeRemoteShutdownPrivilege	1040	shutdown.exe
Token: SeShutdownPrivilege	1584	shutdown.exe
Token: SeRemoteShutdownPrivilege	1584	shutdown.exe
Token: SeShutdownPrivilege	1852	shutdown.exe
Token: SeRemoteShutdownPrivilege	1852	shutdown.exe
Token: SeShutdownPrivilege	3928	shutdown.exe
Token: SeRemoteShutdownPrivilege	3928	shutdown.exe
Token: SeShutdownPrivilege	864	shutdown.exe
Token: SeRemoteShutdownPrivilege	864	shutdown.exe
Token: SeShutdownPrivilege	2748	shutdown.exe
Token: SeRemoteShutdownPrivilege	2748	shutdown.exe
Token: SeShutdownPrivilege	4084	shutdown.exe
Token: SeRemoteShutdownPrivilege	4084	shutdown.exe
Token: SeShutdownPrivilege	3552	shutdown.exe
Token: SeRemoteShutdownPrivilege	3552	shutdown.exe
Token: SeShutdownPrivilege	2908	shutdown.exe
Token: SeRemoteShutdownPrivilege	2908	shutdown.exe
Token: SeShutdownPrivilege	3312	shutdown.exe
Token: SeRemoteShutdownPrivilege	3312	shutdown.exe
Token: SeShutdownPrivilege	2536	shutdown.exe
Token: SeRemoteShutdownPrivilege	2536	shutdown.exe
Token: SeShutdownPrivilege	2704	shutdown.exe
Token: SeRemoteShutdownPrivilege	2704	shutdown.exe
Token: SeShutdownPrivilege	1792	shutdown.exe
Token: SeRemoteShutdownPrivilege	1792	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
4172	explorer.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
5848	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found
6088	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4700	MiniSearchHost.exe
3860	the-jumpscare-challange-2022.exe
5292	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 1248	3904	msedge.exe	81
PID 3904 wrote to memory of 1248	3904	msedge.exe	81
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1764	3904	msedge.exe	82
PID 3904 wrote to memory of 1132	3904	msedge.exe	83
PID 3904 wrote to memory of 1132	3904	msedge.exe	83
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84
PID 3904 wrote to memory of 4344	3904	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gamejolt.com/games/the-jumpscare-challenge-2022/759629
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffaa653cb8,0x7fffaa653cc8,0x7fffaa653cd8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7760 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,8109591131296456602,15646866407274047495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:1988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1380
- C:\Windows\system32\control.exe
  cONTROL
  2⤵
  - Modifies registry class
  PID:1436
- C:\Windows\system32\control.exe
  control.exe
  2⤵
  PID:2416

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3712

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4220

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4840

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:2448

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:4040

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:4084

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:748

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:3012

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4172

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4228

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3560

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\d.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\d.bat" "
1⤵
PID:1476
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2496
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1040
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4900
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2436
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4440
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3100
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1004
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2408
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1792
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2896
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2848
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1096
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2876
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2296
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1040
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2896
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2848
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1852
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3572
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3928
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4444
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2196
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1452
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3276
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3100
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3332
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2760
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2528
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1696
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3480
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:892
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:628
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3792
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4824
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4440
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4860
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1928
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2876
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3480
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1672
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3928
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1096
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:396
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1092
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2112
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2704
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2436
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2684
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4440
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1592
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4860
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1360
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1452
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:560
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2760
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2608
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:892
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3332
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2848
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2684
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4440
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1592
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4860
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:396
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4808
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2760
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2608
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:892
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3332
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2436
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2164
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4872
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:396
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2244
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:560
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1508
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2704
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2848
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2684
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3928
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4444
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4860
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1452
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1328
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4376
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2760
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1040
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2608
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2968
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3332
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2436
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4800
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2684
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3928
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4444
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4860
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:560
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4808
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3480
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1012
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:456
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1852
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1020
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3648
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:868
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1092
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3480
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1012
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2408
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:456
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1852
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4872
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4420
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3988
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4156
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:396
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:732
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2760
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2608
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2872
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3140
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1548
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3648
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4420
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3988
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4156
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1708
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4428
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2608
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2844
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3784
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2872
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1020
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3336
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4268
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1452
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1800
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2156
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1500
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3480
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1012
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2028
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3440
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3332
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4688
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3140
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1868
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1548
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3336
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4268
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3772
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3936
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:560
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1660
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4816
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1040
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3756
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:892
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4832
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2436
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4364
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4052
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1672
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2036
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2612
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3624
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4988
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3336
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4776
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4156
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4044
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1452
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3312
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2496
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3480
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2848
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2608
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4812
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4832
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2436
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4688
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1852
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3140
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1088
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3648
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4988
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3896
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2920
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2496
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3480
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2848
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2608
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4812
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4832
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2436
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4052
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:656
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2612
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3336
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2100
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4776
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2920
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2112
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1152
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4428
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1012
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3332
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2488
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1868
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2612
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4420
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3068
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4268
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3772
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2044
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2112
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1880
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1152
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3912
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4428
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1012
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3440
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2844
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4364
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4052
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1852
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4652
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4440
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4872
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2036
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1548
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3896
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3944
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2100
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1508
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1372
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3956
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1708
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2028
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:456
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2844
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2872
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1672
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1852
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4444
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4440
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4872
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2036
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1548
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3120
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3068
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3132
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3772
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2840
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1176
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4788
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4280
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2112
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1152
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3756
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2968
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1520
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3332
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2488
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1116
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4052
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4652
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2184
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1088
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3604
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3424
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2196
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3120
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3068
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3132
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3772
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2840
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1176
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4788
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1880
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3956
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1708
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2968
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2408
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1520
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3332
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2488
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4052
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1676
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4652
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4872
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1868
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3624
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3648
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:864
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4776
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3492
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1452
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4716
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2032
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2520
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2536
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1500
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:456
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3652
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4832
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3784
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2072
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1088
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1548
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3424
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3944
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2100
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3068
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3780
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3916
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3492
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1372
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2384
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1432
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1036
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4180
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2536
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1500
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2800
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:456
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3652
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4832
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3784
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3328
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2072
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3932
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2036
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4692
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2612
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2196
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4988
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3336
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3876
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4268
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2228
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4576
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4788
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2496
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1660
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3912
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2848
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4800
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3424
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2176
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4932
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3104
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3772
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2384
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2032
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4900
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2496
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2848
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1084
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:952
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1096
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2612
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2176
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4932
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2244
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1508
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2888
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4716
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4280
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2876
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4712
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1256
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2848
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4652
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:248
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3424
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4988
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4776
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4268
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3492
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1372
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1036
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2520
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4900
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2496
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4808
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2112
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3276
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2844
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4476
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1992
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:248
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3424
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4988
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4932
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3780
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2520
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2496
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4808
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2876
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4712
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3276
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2844
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3244
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2748
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3120
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3344
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4776
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2920
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2244
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4044
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1556
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3492
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4716
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1036
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2528
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3480
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3756
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4800
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1096
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:864
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3120
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4584
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4636
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1508
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1452
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1372
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4576
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4180
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4808
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2112
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1992
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3424
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3988
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4636
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4420
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1508
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:72
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1452
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1372
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4576
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4180
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2536
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3956
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1988
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1500
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2836
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1116
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1584
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1676
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3984
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3336
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2336
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2100
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4776
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3916
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2244
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3772
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1556
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:456
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4808
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4812
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2748
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3424
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3988
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4636
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3944
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1960
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2244
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3772
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3936
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3492
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:2528
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1372
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4900
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1500
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4476
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3896
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3068
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:2176
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:4156
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4044
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:3556
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:1556
- C:\Windows\system32\shutdown.exe
  shutdown -a
  2⤵
  PID:1036
- C:\Windows\system32\timeout.exe
  timeout /t 0 /nobreak
  2⤵
  PID:4716

C:\Users\Admin\Downloads\the-jumpscare-challange-2022.exe
"C:\Users\Admin\Downloads\the-jumpscare-challange-2022.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://c.tenor.com/ZO1_WS7f-4YAAAAC/fnaf-freddy.gif
  2⤵
  PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffaa653cb8,0x7fffaa653cc8,0x7fffaa653cd8
    3⤵
    PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://i.pinimg.com/originals/ba/83/1a/ba831a533953e7f7d757a26c31225ef0.gif
  2⤵
  PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffaa653cb8,0x7fffaa653cc8,0x7fffaa653cd8
    3⤵
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-970747758-134341002-3585657277-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
43bf42662c58c2b1315510acf2ea30f7

SHA1
0b983d4fe6a6bed9f8d62e85b07e206325f76ff3

SHA256
9687343f123104eb73c3bd06d09e6c17d391d3bff8aa44baf41ab0662478eeba

SHA512
49574f04cb6da49aba5f8c9851c79f227f7e835e676fb9840df4a915a22a66478d7141416b55330377e6642049990f8ef7b177fb55a2808a903d41b02c7581e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c201655bdafeb5fbf83f5aa06fd64d14

SHA1
a7d98dc13553f716f4eb3a0613096aef1008102d

SHA256
3441512780bcefff115289cbd4bddd160940ff47592403dc5a5cc14075eb4bb8

SHA512
4689a6eb23448c55e419278c77d47eb1186b48a388d8a451abb8812c3c4891c35312b7e8500054e40509888d26a9e82e94e046029c86100c79fdf3fe2528b73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5c8b2a34-7da0-4844-83d8-b2bbdf1c3db6.tmp

Filesize
7KB

MD5
3b751351af37a879c4b8b83c32a82f60

SHA1
4d0118d736575db4177fbb5f9dc28737eb7b6bda

SHA256
d43f95500b0f80329b61df6b1345db1bfbf56d252b3bd8f62d84cb1aa7b9ab6a

SHA512
2a31d67fa44396109b958d4c103a2fe88c6f1d7c607deca90daad818b28d72fc0fefcf3b964d4c188f26ef3e28fead987f7d80986b54d57465b724e8a8f0f68a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7d78c218-9dcb-41b5-b627-e214640e3935.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
70KB

MD5
4058c842c36317dcd384b6c2deaa8b95

SHA1
1085ddb12b29b79ffe51937ba9cd1957e5e229b4

SHA256
0e562969cad63d217848a5080273d1745dc4277d210b68a769c822f2fbfd75f6

SHA512
435a67024811360b12339e3916945b0639e2d9319e9d540b73e093848a467b030e91e01917b7fb804eb756dabce2fe53c2d7ea586554ee6cfee70e652a85924a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
38KB

MD5
bff21faca239119a0a3b3cf74ea079c6

SHA1
60a40c7e60425efe81e08f44731e42b4914e8ddf

SHA256
8ea48b2ac756062818bd4ee2d289b88d0d62dc42a36cb6eee5bdd2ff347816c7

SHA512
f9e5baefacae0cdb7b9c93afc43ad6ec3902b28c0cdf569e1a7013f4e5c8dfb7b389b5e2bc724b4ddfe554437320f4f2cc648642944c6f48ad2a78815acd9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
1.2MB

MD5
32139f48f78db664a075c5d39e28ce97

SHA1
a25e15b34f0782d6c8a9dc369634ff926f740a0a

SHA256
fe0f999d998460777abbbd062e27e7e88c9648afeab8db0cbd20a6218b656e8e

SHA512
167e6537edffdcfc3d89834e7adee03aaaf50f567f24b5da32a704e9279b0781995eb6e28f0a1b64f8f2f5ab508b4d090228c57d9b4cbf3ada5d3bdc29a33d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
27KB

MD5
ac4c4890fa7b92d5f076e94b226f42af

SHA1
15af973f75d3440b01f9b849d8a2ab7de4dd7bc4

SHA256
a2f3c4f186f667d67c725d82bf27ccdcb0f760447fb3ec2abed61f2107105051

SHA512
cd38b78aab26318c948e583ed3db13c21c76c9d83141f3ce5c45a3c74733e6e9e1329ca5afd4fd8910bc9f9536143ef491e74c04e10a5a38734d4c56d26e5c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
99KB

MD5
c1811454018d0f35bceb3ecb4f0ccdde

SHA1
185465b14e413e7229bbd202e1db269c46bf247b

SHA256
66c6171963274d5c654b0547cd4b1a7a1f7e6ed96a3765a84f30310f1602f6f9

SHA512
c30c2ba7b879c676f61ec18363fdda82ba4cfd8d2ff1a3e2dfd4ca9c12b8622ebc9ee284cba2dd1e2ddb6858744d003169426bb2de9381f23b8083ac73364f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
18KB

MD5
86276f0360fd5e5c1127804ebaeb0214

SHA1
7a80b593b21972783129ae9baa0633fa9f967d26

SHA256
1704e96949f65373069c3a72f537fb95dec78d41c6068574979512aab9610e31

SHA512
b7c0bc678f5271b6457f6380a6b4efe8b1e23c1680e8f96c55ba494f052b8a3e5b904acac526d4aee6840af364dc8ebe80dbbe0f85128575b7874fdc101ed5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
540f44370aa3cf674e81dda74280f534

SHA1
febd07c4e252c684f2c21b7a1d9ac2f2b59de213

SHA256
84acb6f3f1803f42270d29d748cf94ccc26e841b1b271a988a932251d744c455

SHA512
f0a86e0e77d97daa09744d73ec52b64c5649c7156788acd4312b3c49e21a6a9b9810aba863e19e8bc08d551eb63eb2c0c66c53059cf511a46e4a3e7dcacaa9b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6d290e9cd6e35a5887cbe9325eec384b

SHA1
c9d786d5f565c42d7d998d12de06cbdc127ae2c0

SHA256
4969c43026bfa0d8d1a03118e31150dd63491442c3276376b2476b02e71d685d

SHA512
eaf4d453ddc8f7d33823f99885597f42bf70edb56047dc1538a6ba64ae170805bfdc9698a69cca10e357064e30ea2f12ac0afcf092879f7fcdfe5cbd987cdff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bf5915ea07b5f1816385dc7864c05781

SHA1
edf09bedff9061bb0f1e548d970e36504a520010

SHA256
d614c179a3355cfc5dacf28401643360a33d11ad8cefcb2c102e9263b86c5290

SHA512
27f963f0620973d2e35fcf50bcfbbd88640b71bb0df9b4968583eeef161576a847ec2df39f5cbc2c427f80aba43ea2ff1c9a67c824834cab9771b5b9d6213dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
86a52d4ccebf0d3152504a8b2b2de651

SHA1
5b1c9df4c4dc318505d92ef0ee554e37bcbd0d4e

SHA256
f217d984248fb47eefd75781137992e15826cf433d03856aabe6251e8bbe3ece

SHA512
b845f402e1219adae23c8f5578e50ddbc18ca3fdb26da04af0669fd265c6207cf770f54585aea5baf74e9441f50011b368f26abf47fbd48db13141a4a6900266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7a2724dfb9a7c1c60cbf33a7c2719f5e

SHA1
29af4c9597339f41371a4e9a84c8f6c1fa89648b

SHA256
951edb4b59b625b4fb15d2d0f63fdeb394f291cf36fae6f499f32560eefea4b5

SHA512
c841b447795df5dd1713a15fb583398232e82c11b6d77f9d52d847002086a0355ed268622d1c37db5a0848c2ce16155401d2113a8d64fccaa5dc14f4bf2e43ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
093b600340d3d9393cd7ddabb6d1a59e

SHA1
10b4651eb39fe543b5dd33a1a5244888b3821826

SHA256
7f797790b56deb48bbe0af0e71624defd8b0b1e8282d69486861c51cc2f1bd44

SHA512
42c97bff79be85279d614932de28e945bbe0fed05acfbaaad90c89c0b90fb5ede7341709beae59c3fe911eaba7f16602dcbece6acedcb82c171642cb5a94ff43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
5946a2b13c11a91c6654204f6f706a8f

SHA1
170a216f506d2c2cbef797ad5c69b3ab5aba98ce

SHA256
07d5ebcfafc2d067d4c65c37932c04beeffd65ffc195bfd206a5a5062e72a519

SHA512
4ce8c9af1fe42e0691e5e8ee130aa27920a1d61e092577b470d15d4ad11ca8abc5f949c25be6dee14378e6e942c9107e3bdb616504a3c883fd607a5906888921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9a498829882cfeb94bc073d04b39794b

SHA1
ea9b9d1a39beb51455348c4382e903e7a2277d43

SHA256
595dd89613ffa33b43f0b14e95cad41e6477817ccca0029a8a5606e812e6a3a2

SHA512
6aca5189a4f6872f2b7fee6a9c8171d47561d1a7665dcbf58ab043bf9ef32b96564515d437573f48e085403ab68fba80d1d3ad0eb08aa2282f60b65aef74d702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
36451690abf2f036ca227598eddcbd83

SHA1
7d4df8e4aaa09dd35025a4d6a7b5a5896790e63e

SHA256
510551213d59df67d8be4ac275d5856ed9be3523c17b8c3f5f2e187059466f8f

SHA512
65d0304d01675714c7578886c43f6579c3d62c9441c37f9e79341a7fbe610888f008d41c2104f7e01bce94e4f8554c8615281c05529bd87274eeee84785d75c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
dd759621794bb6ab0a6e91884db8b554

SHA1
84206f5877e8d5f379d62f058bd1bef513d10036

SHA256
13948a7ae8b27b076cf7eff4ec1423612e3ac48d1420d33667e4871fc3b99de2

SHA512
99f612b9961682140da9b305d6793b5b8ca19512819d51e64503cac653f6c65f144dc970379e59921ba6dfbde5925ce0e782a15ac668b10cfa7b08bedfe5aab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6584a820d78c9f83626581702a56204d

SHA1
a64e837e0e47b7f3f87bd15f59c705e1baff6634

SHA256
5862916a1dbcca43d922e92bad1a76daf9038f2f9de0f7e127678b73f9a463dd

SHA512
d13d1f5f04bb38700e7284cd0b90caf8b8bfdfb33f4fea5c8379bdf238465478f7bcd3f4764ff32b173dbe5c50fb0a5771cff75a9199842ca6d468d7aa157a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e72bac9a8002d392ad82f9ad0945e5e

SHA1
b5c6cb9c6c71aa1761410209a3eec4d2553e5b31

SHA256
0bf02cbea8a9e106cc45023b386354ae20e7feab046401a49ca5abaea68e456e

SHA512
2628b6718593674fa19d6feba73fa1291146de815ff7d92d0bdeaabf8495b2a7fc7028fea39a77f1222e42e8e04275b3bd923d3dcc9ff2c5bc0a35a670eef44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8db623d64577381078a6681021e049e4

SHA1
a92e44d5c3962c40c78ebef5a2563aeb67d4e7cc

SHA256
782371fcdafc641e017a0b99fdb8e953b935f5b7a8425614fa6bca24ca8aed73

SHA512
587549dd6a3f9f08575cab9ebc12aa9e9fac5e84735faeaaf80daa207f7d57d7f49a517f5a01cc9792933aa213e881a59808d9ede011a9c416eb873ce076f776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
090755f9e2f84e26c0e0809c6f410563

SHA1
760fe038bb5b7210d11d053145cc2054dcd3927c

SHA256
1563856320bef6ea476989deaae3de4368f595b65eb8e4edef992ecfab619b8e

SHA512
5fe1c2c04f73b9c782f836d33bd6283a6b039ce10e036a0b6659fa80ef793981f43a34e6138fd5244448266b79c54a7fd91dd2419e069a7c4b6828996ec6249b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
709d282a471406964a08e83f6de723c8

SHA1
d258f3ce2eecefefcf359ecf6f27a4dcea74635a

SHA256
10de0a686a3ceb432132ea2444a7fbda84fe5e70a2fa47b02741e6ce184eff35

SHA512
448bc2a728075c11fabc8edcb58c55006d8228a326bc702aafcfc949dff600d60bf259d4a548dcb0c345472ce90d096e0caf0b49de6752a55c318d773b356bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
37a743d33f4d60e37fd0d4b41b4f8e78

SHA1
ccf985fe000e7820750cc58c546cda0d02b501c9

SHA256
e42452b10e4e428756a02e5cdd3d97779ad750c60f306f00ee2fcf641b61b25c

SHA512
cfbcaa3646166d4d38f56f2d00cb27d160a07757eaac8626a631e251d8999e7f0d8336f3a11d87ab15885f93a911cb31195d9ec357a906c4f1c23d9b769997d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bc559eee11c9df5856a095ba08766f14

SHA1
26c543df60b68687c2021df227201bab64de480d

SHA256
1b0369c3d4bb14ae6225704c6558f5a7ad78223155cdb7f5f8a83e30bdcf106f

SHA512
61359c6d15f52cd664aa48cb38b9401ca0d6af07f768216485f7e25e6abca56332722f25b5dd940cffcb28c75845ae88e4641e6c175b1ad7e1f4a480233c8185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
696a8f2dd5da747f83f68fd31f75e0c0

SHA1
4fef6e90fdd9bd00967e7035578d846277f3ae4a

SHA256
535cc4fc4f005bd06e891abfdeeb658e94d1c4c827b3e2b79b4205195f46e153

SHA512
d0f0e97e05114b4b59d2b1d379b43a3bdc082a8f19d8a379ab04eaee546d2b07a84b8f94ad09a12c4ceee8d82592a5b4b12918df1b733c9a6b15b8e9b3268cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
851dfedbccf8e31c542ba8d3c436dcd2

SHA1
b86aab0d539de02bbee06e260a4fe81e8fcab982

SHA256
74b806ce022b94a1b53e519e9444494d024cc9b918bd6e9379a455268f3d64a0

SHA512
4f05b2810ddbbf65623cf2b2a7d207fca02d581609c2beadc6c5d48ba6ed1076fc5add7ffc0cfea5a7c67a2337db00f7e18ba7f9d2995160e737b150af49f320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
f51bde100539644af926000c189d1b15

SHA1
bb6262ea2583d8dfcc19aa471bd66bf1cf33c9d5

SHA256
dc293c06a6944ccf84b4baf30356bb6c83aafd9694a530ff9db016d86701210d

SHA512
13273865439e8df32e20d4314b2c30df12012c1a0f8c0d96c9daff336f10ea0fed753b6071d4f8a21638a363ef4a5d9ad1bbac57b3e1b6f88a85790714acb042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
72433465d118d6610414ef2d42a77449

SHA1
e1ec4e098cf26b23d319eecd9a274d115262b624

SHA256
b53237705c7438545b8eb4d03728bd890aaea181ae6aa32b9ed1a7f7616f0440

SHA512
3640b2ef59755961f0a3f58578cfd9e2513b65ca596384e8635e0dd5c07103f85a831a413b4141d309383d99059539e26894753f0b0e744e32e597b2598827ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8a2ccfeba912cf508ad0a070bdac2aa

SHA1
3776ac12b65e53c40ccab44d1c61fcd8979aba06

SHA256
ce72085e65625b7998e59b24f3a0eb91f5c458a931428697a51c065aee6e54df

SHA512
10f48ac6ff2fa201e8dd30a7f753075ef293adbd07fbcc5098f1244896af4331d2f56cb9f378ac70402c87efd612af8ad9195784e617ab2b0eaa17e7d01c6469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97c0a22e3713d3396f7e35cb83fda5b1

SHA1
4e7495d2b7ee4b3c5268d9a7bff06309cf999b00

SHA256
2b14bf86201132ec49ddb89653bb18d7577a5c23868bb6bd614d4d70ae84845a

SHA512
60b4f1d690431fa41f4be6e875cf37cc2d5bdd45de7db82eaf2db62e2acd7bd3dcc962a1f6ed7c54bf0ee7013717af76789d36dc36b0f7b7a996a310e1fb047a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9340f87a6b729ec0f0c67aae50bba47c

SHA1
bf5e66b9b0c3b5b7480928d3a0716c2244c242fa

SHA256
1b0d2cba3144ed62333b1aef0b5d9611a847503592afc101d956e6172a334c08

SHA512
7f1f501d78b99ffd4f1876463f845a5d1a70791a5b193693210a85c23d93aa9fd2234f26ecb7cc91d0e68d4ac5213cf8fb8292fe4af6c32995ce578586c49052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3fa47607698bc615a8ea2a5b11e07300

SHA1
ef9c1fd3baa4c5cd5982c8e22b6410c74463ed99

SHA256
2d26424fe208b265b3d5a8db9e5c6cd0dcfc88f276284ddbb3d9f7c4c5e9a3e3

SHA512
b6cd9d51718af3f1a4d1a8488fc2cb76b2bff5871e7517d5f2dc55ebfd6dca73e784d86ef92aa2c9083230886c346d4e0fc5d5f3ea2d1f474c840983fc5b7b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f5604151dd8f9182d8b9946ea479232d

SHA1
0a90d3bb03a9b92cba4cdce9bf0bb57db4ebdd66

SHA256
9d70889f74ab6c12797569660f06300604bbc094e9369b14d89dc667c4c3c8ef

SHA512
6cfc556caee10b3822c61bafbbc6ffc1c9f7d5cebaa2a30c92840ba63983cda9b483a34edc82e3e2ea6af0ab83ed3fa593728f623b8c8b9c59a853d868861a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4afd399de37d1a8cf7c5e5825fd95c9f

SHA1
5ebf39603ec455c0bfc73bf7e3f45a39f4c89a7f

SHA256
a1827be318c66c0391e7785a805a81e8cfe1344805f88eb95e473e3123d59496

SHA512
2e74568be3c320da79ce2e39830ea32695f50b3a4c6abc51364820863c2b3a4925bf2176875ce58883070c0dca97404860f21f41337d94a54458f3003bf11d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a15eb.TMP

Filesize
539B

MD5
ac34c99cc164e8162d2f102f3e851c4d

SHA1
34f1f2c72ac8149280a210e226e91c261bb0578d

SHA256
bc82262d9921932e7d83e1cf1e67546ab0d5efe9840a83add457e1dd9bcc55ff

SHA512
b3540885a7a4de7b88a45495e66aa94b9313a07204bf63ed04c48425447d85e217f428c874eafd60eb8ed63f4e94b114aac26ca1928ba66e85b78c52a981855b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
201de1a9936254a0852bbcaa09ec9ce2

SHA1
e75a07d59e0a8adb307a4665303a2595d4cea180

SHA256
e46c6125ec3672f9cdfd23a7eb82d28e95c4174eff80f2a026299407723b50a7

SHA512
8ebabc3ce208adf3bfc23c0e2b6b0877789a143146144015f8bf3174177d47ffac2434cb6c44aa49daeea1e88ac0d998833cb7446eb852db0532b1b89a7c7e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
66251e5be2f22ed7b623bc283a4c9dbb

SHA1
a6618ebf00b101b72b4e060b602acf2fe45b195a

SHA256
2d3ad25c451ea6d5fc80a32d704391688a858ee16a2992424b02712027644c37

SHA512
274d96700ee5fab5a89be281b631ebc069f06b4668914c8b9a19a9d0d59144d1ab602a74e6027f1074289cf6c176315a92452b77a551e8fa147983002074f3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f30dcf0acb3792136200464cf007e742

SHA1
5a31f1108d5fc4623dc2e7ff1f508eb9d4109ab9

SHA256
e83b47a8a50c4dfd1c1fa9f0d840e1a9efb9125d1480e0d0624fa4b20b0bfc9a

SHA512
aaf5e3773a8a3ce86c907873b1c46db6896058a73abf7356e14f23f27884e3619d08558b708f3a57d0150ff15e9a2a248f0d9ef3cf3f0116fb2a8e2e0e4aa624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
98f5f54f336b75b88d4c6077e5d893f1

SHA1
fcad41c24d836416c0c586255f5fec4f2d500fed

SHA256
914f2297825122674d44621cb5185132f08f3cc3912cbdc5893e244af905c97c

SHA512
2372a09d4e9af561fadd72c6c010ed4a39d3afdba1ccf2ddf4e1841aa1edc5b51716092ba3b3ac38b2bedd99702a477085ad2eaf4951e04ad960c6f9e1ce5963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7b81bfc7b994169229646f883ce3716

SHA1
46568b53c536436a70b421fd3f1ebfb1e1233d97

SHA256
b09f653cbed1079adeef34ca83fd5b34d3b1263675c1796f34270bf9077101ca

SHA512
5733699bc8cc74078943b1fd03ce1416cf9b8f705ddff14dab804d748c17eb089977b0bab1a3129f65ff9f7721a75dd644de5063251838ce477827961c340a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b236ba1dbde98fcfcf1114d8527381c6

SHA1
051fd6d23ac7fdf2f208f9138e1937bb62146939

SHA256
1d3f9cc63bb339d27b9b2daaac6cc812970f20d163e11bb65625221bd283b643

SHA512
ec2f8935b57a174730f0b9e7330122b323bee1b98aa0bab459453fc637900eb15963f567168a9f87f0a1fc2bf2555a507a0298d15c439922d99b0250aaf1885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b0353613625c9e498f3855741ba2345

SHA1
dedc8fe11a2e67d54b3e5cf7f0849df42c847274

SHA256
b5d36fabee1e1eb5009b86cfc82657c6aa671283a03397bd8d8f416e179c9cf0

SHA512
9cd15634f0944f3d6bd0fb1510aa4bb73a796918a94c03474d7a53dc267898cd90f1892b1a092a88fd53bcf122663868120658faff1769870dce51aa23af3357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c40fb87ec79e836196305288adc168f

SHA1
a04635b39dd79031d6d13fcfefe657db4286cf12

SHA256
3a70244c1a60e91b8c513adc894524a8287e7484f600acb8f0ab96a6a1721499

SHA512
a15a1dac6a66f96ea070b9cfbb28a41a4ce5160b2333adccb19b97c9e70b98154b356ad0ed15d499669b16ddf6f19f6876ed5a830038abce0915bcfc2ca17a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fe60a7872830bc2eaaffff27282bc78

SHA1
8b53c74d1266deee0aebac78218c81d3812761d9

SHA256
05c09b639772ffe2505dc5a5484d7193b048bc810bc5d5a5a05eba8310a98096

SHA512
9add1f049fe35fa25fd3d6ad13960bec1de386711c9d080afc2472e3900927931bee0e3b418bc500a988a52f09f43fb27a888bc7c19269d03296e2855ae4021e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e27e3b7e1b385fba4e8038403e258d3

SHA1
82e43ee162a2659bb84eefdfa94b3a92da1577f8

SHA256
1f4736e50d0fffe99ef362e8512039e3492a60cfacfd3ad685dd444a6fe78d45

SHA512
514105490b9c6096faaad0aed052c183d6930028b861ea2c900205895618a4c9e3db9862fc35c5a1db0866095e124d135b8488618641e68daa2bce18712c4967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0be45f008fdd4d69188769218128578b

SHA1
d72a6880ff7b66eaf3684110f695c7e0a860e858

SHA256
869413137080f0cf148f2738ba277d55be9444e633a171d86caaa9812964217c

SHA512
4faf0b7eeb337dc94cd563ab85baad3d799bc47b26532c410366f10821bb17abd9990baf9381fdc75e2204f26cb0e4ef149f0fbbed88731b7b38fd4270c953a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c3251eed3e92d33fb4ab3912a204b1d6

SHA1
028b4f2548630457d98ac63abdf33f8d1d23045c

SHA256
fd0130d36bf74624091b67aed05c7b17fd39165aa546bef8533603eeb816cbba

SHA512
8157105ed4a5c8324045d91e949ec296568f00d3c14509a1b64d39880ccda9ad1309eece3d6d9c915d141848e1422cf3368faa40437c1a97270151425ecd88c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-9-6.123.4840.1.odl

Filesize
1KB

MD5
07e30ce41c7ffdb94eeff0595fcab051

SHA1
15edc3d2cae1a6240695e7e22313aca84c9381d9

SHA256
3a43b1c7056588562add3ad41c545a323354aecd7cab242eb147bc7e1e099e4f

SHA512
6ba69bbe5558e9f800b446ffb3d2c11b0e6d91f16d1a0c04b0ac0cfa144697316408aaee1675bce26c6309a11bd4576be8f6612ea187726220123897db22aad7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
cd6829f53a60318a54648f4ff9d694c2

SHA1
eda672c23f219a9cdbe740079412f5fbe04a157d

SHA256
5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906

SHA512
25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\KcButton.mfx

Filesize
40KB

MD5
de7680ba479d8c09bf8a2f9d6115f338

SHA1
e01f589a3812890b5f6ac28ec2eaa765d9ec9b3f

SHA256
166c1108c05c407fa81e6f567b94f8c72865e28ee772ed6a7d69538186a7f47c

SHA512
10d89895c51f3ab6a751c7b12d2f2ff2b7c56ec2994de9e41d853640c0bf5bc2b3baa909089c18dd7e6b18ca07108a9ff68087f7cd7070dc2a21e68538a6e057

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\PCShutdownOperations.mfx

Filesize
114KB

MD5
426ac6ce433939fb99a06c4924f374c9

SHA1
d35fdd69d7788dc4e75e615d0ca9ac011bce14f5

SHA256
7948de373521b28b905b0f543d8851272fa6259594aab4379abd5e330f0360ce

SHA512
6085240699168fea46df1210c85ac874a106fd1de0ecd2b1260a5ba05de6403d7bee48a75c2b6624f98afb55d5a392063cc73af8d2110d289ab9844942bbf7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\fcMsgBox.mfx

Filesize
63KB

MD5
99b871a03fc7a3e55f965c35670398ac

SHA1
d9c058fa6414aeef5c8aba262df8803335c7dffd

SHA256
a7078267ff7d905b45ed5496a03a14ca6b7f50f17f7a23c5e6e12dd2e7920bf2

SHA512
ca374f25b570aa2f53d4247fb411700163b9ecbaf332f06388d4fdfcafb4c65f9612ea39b7c1a5d39d0146d1a6111c3257f88e88ef20711188b5fdbf16b73ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\kcwctrl.mfx

Filesize
61KB

MD5
0f570c5e463884ae8c3d42561c79454e

SHA1
61f6d2f7c9d12078d86584ccfa5645ec75148a94

SHA256
1c446384baf31dd6dae36fd51618fe120b3097ac6771b894ae11924404d9b392

SHA512
ac2dc004665857c3b8e45fb13b318f15e592fd1e22cbd693e4bbdb9b8fb3352698633492c65c80aadd8a478b6cc50a73b20cf2cd605d1fa6659de2830c31a6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
ba4baf4220ede3a3bd32123e9c0fd952

SHA1
e1186c6746d67e42fc57f72a6ed07e600755305e

SHA256
a38d94169881d68a20c5031895492fa2bae58e70332b2f08fca79e62f4359edd

SHA512
55827a02e2617bc94b9990ff348d893eda39fdc6251abe506e0ac1f656ac2cd9bdae8197de437b277c434482e8a1c6782f7ab5b8993d1aa0b779d21b6349dece

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\mmfs2.dll

Filesize
460KB

MD5
4758d460ecbb307ed90d59643046f00b

SHA1
2bd87c39f97b73b9db6d205bb10ae37eb82f2372

SHA256
3293a93c6d8a2ce529538fbdd2a81dc623fc40464efdb5348c8e039788ad1b22

SHA512
970a44102539ed3116c125bfcf9075e3acb8f710a338ff8ba881bbebf5111d236b3c27bf325a77d83d295aba8e836439fb6fd54a899e3ef075e1e45b6e2a1fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\mp3flt.sft

Filesize
24KB

MD5
f0ebc8596156d8ebf6201a10f9864305

SHA1
0efd689d027d2d592369c3585cdd9a0b879e6562

SHA256
fcca0e08e8a64081d71f3ad7455cb5bea48e73f158f0773e856fa100914fe192

SHA512
7752fb5d3d114791c7940088b98c03252d6fb151ad11774a8fd8b4fdf2d289c66b5d54a56feddda2e2e4de125f7f6b75c1197eae276add1774e3290becd8bcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\oggflt.sft

Filesize
130KB

MD5
3c63ea4611008fbcf86435559e9dffab

SHA1
fdc9c6302fcc427530b2dbff63aad1b6d204125a

SHA256
9efb0b4cff5bb033cf1e04bdeabc581db7d787399c5238f4fb40a1e820aac6b8

SHA512
938c6ebbd0a7248f32bc83d2548791b35764417a74728b8b861d2bd539c182ced6f5168a604679e20c150dc6741fd6868768e7d1ffce224667546d3ea80787d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\ultimatefullscreen.mfx

Filesize
73KB

MD5
96059dbec69c3904e4d7ce734a4b38d0

SHA1
5169934f8d89b0dba963861dcbae55e78fc21dfc

SHA256
fd179783ff6e6eb0959185087f33ed4a1b256e58762d9817bcb16888e20f7058

SHA512
82977b2c249e47ca37d6fd62f416ed995b4b5f953bc5c18c84bfbdacc2c5b17fdc50c1e736fafcac242a3f8921b5000e0ec84302bc4e0077d6eeee3aa43cc520

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt7ED3.tmp\waveflt.sft

Filesize
8KB

MD5
5230a9c12b9829c9fd333cd8b0620011

SHA1
0becf7512f498c18af3b9943a4b2556a769cc8eb

SHA256
98134d326a09569bd5933ffcb026009575509a1bfc20384ef8eebb762aabcd38

SHA512
1a6a5a72fed0458152ca830941b3d07e448bb588fc61a24c97561833b882e23a529a0a78036732cca95013170a46cc5444a4d642bf05a4fa5a474d51d40789d5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 459832.crdownload

Filesize
12.8MB

MD5
d29b825b6108f22f27dcff9968316af6

SHA1
ef5a2ef3cb8136efcc11483de8e28d785a359469

SHA256
506a717cffcd024c25403183bde53a92898c37b663e1f2ab2faa46abe6002a53

SHA512
7a979a83f4d66bbe7a8f0efc2bd990f2ae4af9be857f315104757f4a3d0b6a8ebb96c3fad5c0c96471866ad245c005d31bba384c07877911f9bfec9cb07b47ff

Download Submit
C:\Users\Admin\Downloads\d.bat

Filesize
70B

MD5
1f8ecce3cbd26d709c3c25185f9a361b

SHA1
1654158259acddf03cf76b846431942ae9f45afc

SHA256
9ad1efb813deb34f71f2135ce48285920690db300d427ea109ddebedd75348d3

SHA512
f1cffcc3c39e62c31d2928ec45da0ac70dc825c5d67baf7f4f6bc87b7eb070ead2f28e13417a5c91e039ba734d3fb5827ed5b69011620019530383c2988aa7a4

Download Submit
C:\Users\Admin\Downloads\the-jumpscare-challange-2022.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3860-1345-0x0000000003300000-0x0000000003324000-memory.dmp

Filesize
144KB

Download