hxxps://drive[.]google[.]com/file/d/1p9W4DkP8ex17EYxCK2S5SsTeq11GzO3I/view

Analysis

max time kernel
55s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1p9W4DkP8ex17EYxCK2S5SsTeq11GzO3I/view

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Kur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	IDM1.tmp

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
5984	Kur.exe
3872	IDM1.tmp
6132	idmBroker.exe
6136	IDMan.exe

Loads dropped DLL 8 IoCs

pid	Process
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
5220	regsvr32.exe
1012	regsvr32.exe
4632	regsvr32.exe
5632	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023de2-562.dat	autoit_exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_es.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_dk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_style_3.tbi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc.xpi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_tr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_pt.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ba.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_am.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfc.dat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_it.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_smallHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmftype.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_nl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvconv.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler7_64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_vn.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi64.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ar.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfsa.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\scheduler.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_src.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Brotli-license.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cht.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_be.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType64.dll	IDM1.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc7_64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_id.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmnmcl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\oldjsproxy.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\defexclist.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmindex.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\openssl-license.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng	IDM1.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Kur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
3468	taskkill.exe
2368	taskkill.exe
3892	taskkill.exe
3004	taskkill.exe
6080	taskkill.exe
4452	taskkill.exe
5284	taskkill.exe
5396	taskkill.exe
1968	taskkill.exe
5820	taskkill.exe
4020	taskkill.exe
5292	taskkill.exe
3944	taskkill.exe
5536	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\NumMethods	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ = "ICIDMLinkTransmitter"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\ = "VLinkProcessor Class"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\ = "IDMan 1.0 Type Library"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\Version = "1.0"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID\ = "IDMIECC.IDMHelperLinksStorage"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib\Version = "1.0"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\ = "IDMHelperLinksStorage Class"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ = "IIDMHelperLinksStorage"	IDM1.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2512	msedge.exe
2512	msedge.exe
3808	identity_helper.exe
3808	identity_helper.exe
5788	msedge.exe
5788	msedge.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
3872	IDM1.tmp
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	whoami.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	5820	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	6080	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	5292	taskkill.exe
Token: SeTakeOwnershipPrivilege	3872	IDM1.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
5480	Internet Download Manager 6.42 Build 19.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe
5984	Kur.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 5044	2512	msedge.exe	84
PID 2512 wrote to memory of 5044	2512	msedge.exe	84
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 4676	2512	msedge.exe	85
PID 2512 wrote to memory of 2592	2512	msedge.exe	86
PID 2512 wrote to memory of 2592	2512	msedge.exe	86
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87
PID 2512 wrote to memory of 2600	2512	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1p9W4DkP8ex17EYxCK2S5SsTeq11GzO3I/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbcbc46f8,0x7ffbbcbc4708,0x7ffbbcbc4718
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1784 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,6900218718185743239,9514044854592346734,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  PID:5424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\Temp1_Internet Download Manager 6.42 Build 19.zip\Internet Download Manager 6.42 Build 19.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Internet Download Manager 6.42 Build 19.zip\Internet Download Manager 6.42 Build 19.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5480
- C:\Kinghaze\Kur.exe
  "C:\Kinghaze\Kur.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Kinghaze\Fixer.bat" "
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c whoami /user /fo list
      4⤵
      PID:6076
    - - C:\Windows\SysWOW64\whoami.exe
        
        whoami /user /fo list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKU\S-1-5-19
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMan.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IEMonitor.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMGrHlp.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "idmBroker.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMMsgHost.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "MediumILStart.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMIntegrator64.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5584
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
      4⤵
      PID:5772
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
      4⤵
      PID:5532
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:5812
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5788
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5156
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
      4⤵
      PID:5532
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5832
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4632
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4072
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5532
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5684
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6028
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4740
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5164
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:5528
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:4672
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:5540
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:224
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5772
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
      4⤵
      PID:5796
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:5836
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:652
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:5208
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:5500
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
      4⤵
      PID:5544
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:5536
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:5192
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5852
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3776
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
      4⤵
      PID:5180
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:5204
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5528
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5536
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5836
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5812
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5124
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5632
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:5208
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}"
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
      4⤵
      PID:5236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
      4⤵
      PID:4236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
      4⤵
      PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"
      4⤵
      PID:3300
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:3872
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}"
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5632
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5500
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5784
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:5236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:4236
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Internet Download Manager" /f
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Internet Download Manager"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Internet Download Manager"
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Wow6432Node\Internet Download Manager" /f
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5816
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Download Manager" /f
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Download Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Download Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5832
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Wow6432Node\Download Manager" /f
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\Download Manager"
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\Download Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\DownloadManager" /f
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\DownloadManager"
      4⤵
      PID:3300
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\DownloadManager"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\Software\Wow6432Node\DownloadManager" /f
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\DownloadManager"
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\Software\Wow6432Node\DownloadManager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6076
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Download Manager" /f
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Download Manager"
      4⤵
      PID:5572
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Download Manager"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Wow6432Node\Download Manager" /f
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Wow6432Node\Download Manager"
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Wow6432Node\Download Manager"
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\Wow6432Node\DownloadManager" /f
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Wow6432Node\DownloadManager"
      4⤵
      PID:3872
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Wow6432Node\DownloadManager"
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Download Manager" /f
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Download Manager"
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Download Manager"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\Download Manager" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5592
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5632
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\DownloadManager" /f
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\DownloadManager"
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\DownloadManager"
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager" /f
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
      4⤵
      PID:5208
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM" /ve /f
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM" /v "MData" /f
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM" /v "Model" /f
      4⤵
      PID:5544
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM" /v "Therad" /f
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU" /ve /f
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU" /v "MData" /f
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU" /v "Model" /f
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU" /v "Therad" /f
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "FName" /f
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "LName" /f
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "Email" /f
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "Serial" /f
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "tvfrdt" /f
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "LstCheck" /f
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKCU\Software\DownloadManager" /v "scansk" /f
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\Software\Wow6432Node\Internet Download Manager" /v "LstCheck" /t REG_SZ /d "12/12/60" /f
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\reg.exe
      reg import none.reg
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      reg import none.reg
      4⤵
      Modifies registry class
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      reg import none.reg
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\reg.exe
      reg import none.reg
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMan.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IEMonitor.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMGrHlp.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "idmBroker.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMMsgHost.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "MediumILStart.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM "IDMIntegrator64.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5292
- - C:\Kinghaze\kur\IDM1.tmp
    C:\Kinghaze\kur\IDM1.tmp -d "C:\Kinghaze\kur\" -skdlgs
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5220
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5632
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      PID:4632
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1012
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        
        PID:5164
  - - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
      "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
      4⤵
      Executes dropped EXE
      PID:6132
  - - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
      "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr /onsilentsetup
      4⤵
      Executes dropped EXE
      PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Kinghaze\Fixer.bat

Filesize
16KB

MD5
78abe55d9c080e77673d3606084638fe

SHA1
4e3d110f5b74274a6c03057a4935d7283aad095d

SHA256
d97ce135813a9518da60b431010d1ca9a2c6da619e5c8b33aeae841eda75a1f2

SHA512
8ca6da899001022cf5e9bca41c765d5d2bd3cb09c2ab24588ba70ae261a095ad09bc460b9b3a583e312d10dd8ea35597c0bcbfb4e13e18a3d23decd6db220b96

Download Submit
C:\Kinghaze\Kur.exe

Filesize
1.1MB

MD5
f5a214b29e460f81a03e239a51261ad1

SHA1
928441ec859ab94cc739805fc0dfceb165e1117d

SHA256
9054b8f220da092c45a996b2669b0b318ebb5fdfbe15073104f9ba875822284c

SHA512
c25e641bf4c8966aaf2aa74b39b8d0faeb0f201622128173daf6590303b1f3324fa391bbf1979eaa22919841990a9fa413beeb3f22572f729446214ed669f0f1

Download Submit
C:\Kinghaze\Kur\IDMSetup2.log

Filesize
4KB

MD5
95603374b9eb7270e9e6beca6f474427

SHA1
2448e71bcdf4fdbe42558745a62f25ed0007ce62

SHA256
4ff66e3c1e781d92abb757f537af13b1fb3fa167b86d330b7ed302728c7da53a

SHA512
d3987f207ad05e142d864b3ffe4ff6758d22b56f75d60ebcd79e0c760cf27106d7ff74bfbc7569389710e50602d3359b4ab20ddc14fbafcf526478dc85bfe593

Download Submit
C:\Kinghaze\kur\IDM0.tmp

Filesize
22KB

MD5
72f74dff454c0699064affb0c83f2c4d

SHA1
11a6509ae5863a5b7a6fcfa1694068591ae831fd

SHA256
5d33c887646e950545772f37bb8a3518b1929b435655303d9dd22d5f936a5cd1

SHA512
ff328f1a87a2a64bdd6ae1a3e98e11517ba7c455cb4b02f4f956b0909e9432db15a8faeebf19cd8117ea5eaf8b4b47169969e1bca6952e7e362bf2f2a5b2f7e8

Download Submit
C:\Kinghaze\kur\IDM1.tmp

Filesize
162KB

MD5
1229943ec58e8bd8cf3b1673dcbd4760

SHA1
65d8b26a4b9b5762241f7d5393101f8b43065298

SHA256
ff3ce8900cc246ab15bbf6e2b418c08de39845735f47b724a59765ffeed66643

SHA512
fc2f5d4ee2e2498b0df5bcb6cef355dc8a11e37eed58dd88b0a306648639b47a3e5a4ea758c0911f9dd8e93c51f0c90938ca64f985a5c5dd8e5f62d946df6f42

Download Submit
C:\Kinghaze\kur\IDM10.tmp

Filesize
283B

MD5
648e7b2602158d2ff9197d664f59b28b

SHA1
6ff2653314ddad254ad252b1867d0925b30bb196

SHA256
47937f8f34ba56718d4bd3b97bfd9e42468d6b7615c745b7841272a2e3d39e57

SHA512
c24d7059acf8d5a8ca5de77a165f95e4b6a685a62ddf8a3446ed465c4064d33a057c9f8e985bb73d41f1b0984cf8065c0c5d1a7e9123521d962befaf49edc3a0

Download Submit
C:\Kinghaze\kur\IDM100.tmp

Filesize
427KB

MD5
09959ee223c5d34c82f1efb8bc8233cb

SHA1
2b320bbc34583a3dd2129ffc161e0ec3cc643c3f

SHA256
1fdb0d5b31e080084c82e0b773dafc7860fa860938b8baef6a4d7f5bde659f73

SHA512
318246f0b01adce2028236f509f636d98dfe7166035470d06835c3ee0d3c634d3678b88f22bc510fdf1e5356c8d16ba1373b7c374c936ac03ce43f0a754050e4

Download Submit
C:\Kinghaze\kur\IDM101.tmp

Filesize
5KB

MD5
f50acf2f4af9ea575b643576f3a190ef

SHA1
515bcc8fd01726534a21039f3f124e2f5c7e461d

SHA256
ea297e912d0cf36f2d973b9259bf8fabf622195d5481a11e7bd30967f213d950

SHA512
f9e6bd3c7fe1bd10946795c48cd4ab8c6f05930fcd904b9ec0840eeb664da9259935373ce91e45e62f5ce148131b5fb04223de465eaea12f928179965f060896

Download Submit
C:\Kinghaze\kur\IDM102.tmp

Filesize
6KB

MD5
a5f24e957e1c79ae5f0edd0bb932a3d0

SHA1
83747040391424c024ea2f867f9f7daf953c2e33

SHA256
f02e6c6f71d07d992ff20f8e74a28aa5f89c8deb6244b796dc897529bae9edf6

SHA512
f77926b1efe6a448fcd60daa8c38a6a1c889bcbd5282997789c324f2968e14efcf4c70f1ce461de60013998f332cc255fc535dab74bd87699f194e6b3cf0a01f

Download Submit
C:\Kinghaze\kur\IDM103.tmp

Filesize
7KB

MD5
16e2dab5d2473c59dea2b2bd316517e8

SHA1
5836b13628657a592e24f40276b0992b43a063be

SHA256
07c8896550fbaa6e8fec792e15d240ded0bcffa258a928c1efd8542ff0385511

SHA512
b911182c2b560614f0c70a814845961bf1a464a7dcf4481b847a45d2bc265386fc9cfc3cb3a625a6ed8ba48e80d0553e44968a22fc1ff90eecd924ce494aceb7

Download Submit
C:\Kinghaze\kur\IDM104.tmp

Filesize
6KB

MD5
e1c1ef12fd935e72f2e676a593ad8e68

SHA1
405753d45f58aece3256eb252c85c83c22176b07

SHA256
da36c077ec7c96128d0e5ee5941fad1f779a58a33652d7190e814a75f8bc29ce

SHA512
a90e65308906b2c7fcddeea58a124a7f94cbd9e1d835b45278cc7ea72d32fd92693c79439fd520d98edc13c89c945c61ca233b5976394f586d1f44b4ba8c6945

Download Submit
C:\Kinghaze\kur\IDM105.tmp

Filesize
5KB

MD5
748c5590939571e92a7c16ac702a74ca

SHA1
9caac9b093d87aab8f87998d48ad98047f71bc53

SHA256
9145cfe47d32cf3e45840ce0344da1d29810ef9d756ecddaebb803c59869e945

SHA512
cc5aefe77ebf1f447c16bf914e89f3ecd5a4b18495cbc0454d717130f0e66e9b8e5531114091bbc3c847ec7ce387bb3ed6746bd64afa7326a5eed21c995db5b6

Download Submit
C:\Kinghaze\kur\IDM106.tmp

Filesize
736KB

MD5
97569d4e2f159b0cb1b203d510749104

SHA1
1e3b830e91e676d2d3490a61450718906f99a0a5

SHA256
58fd2d7b428640395d09778394231ee5aacc74726580c67a69020b698865b5c9

SHA512
261094a9ff8a1f3b3e3c5a30af768dc0cceff691ddef41630fa49b2d516028795f467cbccf6ededb5bb769a2fc4f025923a7b18c1637b25a606a30ac1010e964

Download Submit
C:\Kinghaze\kur\IDM107.tmp

Filesize
6KB

MD5
21e7664f87e16ab82452d6f01713d54e

SHA1
7f7c2b25cae1a1f532affb378b1ff61d0c18f92c

SHA256
84c92bd8ae5a90294d836851385fbf054b7af4d78744f4542147ac436a2a2644

SHA512
8681a9ca9aa8ad51dbe012cf05fd1b870444bc0dcef57b17cdc5be897445b5741c3be5daca514c43631a0195a78d64fc1e2b295129c406dd17acca3fe48908b3

Download Submit
C:\Kinghaze\kur\IDM108.tmp

Filesize
7KB

MD5
3da98a953bcbcc9f1e9d143542437c20

SHA1
7e41d0b27f213a57e3d5ef0b1fff290b18e7f3e5

SHA256
14d51e3b9f5e68e97ed01a6bb1c598e3e09f9e330a90dbe363d6659ac725f679

SHA512
c86bac296aa5d965307cc86c7a411756beecd7f188943fc8c3566fb020c6b03afd9a0f397f11a1d1fc3830b6269b17b0d91da268ed5c0afe2b59d5250d1085dc

Download Submit
C:\Kinghaze\kur\IDM109.tmp

Filesize
7KB

MD5
07a324e23bb33ce824a539cfa499bda0

SHA1
cd44930dc6619af7961d7dec1d3c9b9f5007472c

SHA256
9619f587e3ef863b7fd69650dcbc1d655d6062c3f73eaf52aca59754ad856b83

SHA512
f10c387fb7188f702654637ce057d2b0e090989fbfd2f6e63e27587cc35f4b7e0b068174d4e4b8475780828614cb200d84020de6dad6f1e8d4f178f6b13f6e3a

Download Submit
C:\Kinghaze\kur\IDM11.tmp

Filesize
111KB

MD5
e7a9f01178b8f6ceb1d02333d6916b4f

SHA1
464392660e07ec6d86241d3dd0b1617293d1568a

SHA256
92f60cda7a7395d5d4cace82c7270afac5d1b68a2b7714bb1510058fac23879f

SHA512
364cc91bba54d7f1c07aeb4faec98d7b9fff5b093dd6f6ce0574ecfdbf09a30e39dea1edf35a62d10b2d3f31d1927239911b4cf42932b0f50a80385590721249

Download Submit
C:\Kinghaze\kur\IDM110.tmp

Filesize
27KB

MD5
3114bb1630e44cfbd48b09e0d6057c8f

SHA1
5caf14ce25509c9a16e5b8d4b44fe45413431eab

SHA256
1621fd14dd72dcce8bba2e7f46d656744d2975f8ad94b36d2ade01415f48022a

SHA512
41a952c13b7bfc7e3b4c224a0347dac21e663404e1387694c9bea02b1fa966f54ad1ed6424b7a51461f8dfa9dc111801e9e85251f7d2076f196db16274bfe787

Download Submit
C:\Kinghaze\kur\IDM111.tmp

Filesize
104KB

MD5
a91988279340b7c8ad008fd9bc95ff63

SHA1
b86f9c6fb5126800ef9e40c0ab19b18e6cd2b3b0

SHA256
c44fd11a6973f028cff24b016e3cf0ea8af76c4f9f73c7848cbb0deed37218b9

SHA512
34e5acdfeba556a7591ff4c42fe4434f26885d7589f506c3f27a614b26b24f73a0c069651d034971a21ae30c652e61752c83f4e8ac55154962a3b7ad283dab42

Download Submit
C:\Kinghaze\kur\IDM112.tmp

Filesize
395KB

MD5
53856b10a9679bbda9c662e43b89f720

SHA1
795cd86515ee49d82c9eea205d44bf53480a7461

SHA256
e1a4dea06f184be2357be4c72ac5315776f0dce251c0c7fa5f1fa927da69b9bc

SHA512
7980505abf123835284ce8eb6fe6261008f9368243afe2647a4ba40c4a63a74506fe555f268c791a5ce3ae7f21892f32ae8b5db2cbcd699a2b167b8418a01d7d

Download Submit
C:\Kinghaze\kur\IDM113.tmp

Filesize
736KB

MD5
c0a6fb25175d79b6da9b9b8c390166c2

SHA1
43bc5c4dad7e04206ed011e1f74618d2be53d788

SHA256
d464e8e7c84cb2fc62eacf932e841bbd73c3294a37812ccee7ffbbb9e01572a6

SHA512
c50205681d3069f7fd1518d34eb124e8cefee879131fb4ffd967b71ac920bab486148d86e94e2c00f251cc34aa8c00e38f8eb61d69b7cdb6518f59e298a3a8c0

Download Submit
C:\Kinghaze\kur\IDM114.tmp

Filesize
29KB

MD5
10d9220ea4e455276734e884e830a0d2

SHA1
7c8dbbde28f5a2d7624f67fa487cb4a4f099b875

SHA256
e691ebadd8c6e7a07d9c8c931f4760f9aadd2b151019e4f17a76a1665057c9cb

SHA512
92e864d4eaba57046eb85da311f888290975752f9e0542452d4d486a7d5fcf66f16a5ae89dfe7ab90a4ee9fa03065b88ad9540e487ac4b434878a955bc2ecc0e

Download Submit
C:\Kinghaze\kur\IDM115.tmp

Filesize
7KB

MD5
5a23c19a88c035283ca65506f213d1ec

SHA1
39d96b424c53a49aed3f90431e029a4d6507b953

SHA256
0fcdc63880b2eca559d7840874b1fa06f614bc29950ac0698b9e5b0abda150fa

SHA512
96e1717c6331df7da438c02131fe04fa0358db6cdee08725428243bc52de32d7e513fc0869b61a740effa7dbde501d52ac1c83f691a40245a6060657bed6976f

Download Submit
C:\Kinghaze\kur\IDM116.tmp

Filesize
7KB

MD5
315404dc4d8e2a26fef80989e5f43c86

SHA1
759438c21cb50133e42ccbc96c7b3cf6ecc41c40

SHA256
4fa3de0d3cc3c4bbba684124d895c0f9398b4bf53284d41fdfb4665a78364542

SHA512
9a174ea7308814155bde3c61b12f926d15ffbbdd88af5fcc146209916bd6c4d896c09194191b4a1bd1947b2551cbd761183f2be7dabe4e523533307a2db389f9

Download Submit
C:\Kinghaze\kur\IDM117.tmp

Filesize
106KB

MD5
5c2412edc35d40f8bd56eded1c556941

SHA1
a8b5b11cf2c7b7dfdc8fa2bade4f3db3bb5d89f4

SHA256
ce68ead1138ab21072804ec43a094156efe04243e061bd32af080bec90c1da9d

SHA512
1bb2634b66e08d4ec9b9ca62e900dbec2b5037f6c423ff03d4e5c858fda65a7b2ac27b5efadfb2ab1dde3db1b7d676b0a90a4b5b1a4ec7dfdbeb0089941831dc

Download Submit
C:\Kinghaze\kur\IDM118.tmp

Filesize
79KB

MD5
f73ae7784af481309660eace10bfd71c

SHA1
90c9b4532875c20c798a89b9e7fa8849afb955c5

SHA256
27f596781405a5e8813e064982c9996f77859bb6b27f9d555971fa8c1a23e088

SHA512
bba737a6ed8ccc68ff74f3d0b141bb2d16fa93052a9a5b06265e691f5748bf27b754df455bac739ec0c9dcdfe08ec6109f8c77c2f851ccf3f9485dc6be3073e2

Download Submit
C:\Kinghaze\kur\IDM119.tmp

Filesize
77KB

MD5
643ebbdb2adb8a68a2b0bf2cac93c409

SHA1
8837f7433dea6eb6fd1e16fe6be86e38719ff802

SHA256
cc4d2f3698d5b48f3bcecf3a69019a1f26a0f59355a438bd12081398477f1c28

SHA512
9fdbe69d5ca5e3684a592d71d8391715b45aa43621aa2e35d922349bd05c9edfcc0bb10c4658a68d754887c6f629e5e995e1bb7a789e6cb8d0e5026c4f8613c8

Download Submit
C:\Kinghaze\kur\IDM12.tmp

Filesize
17KB

MD5
bc005f4ca90e10e9d206f150bf9a0962

SHA1
8d3b9a7556ae5abb36901b12205129177d8f9803

SHA256
2d7bd6f8453c179516c5b322ae7bb95953c20cc7fba229750da0f3ae9da6e90d

SHA512
1e55273b28e170d88567b73a4d2d5e70b43611119bb42d9eed46e176d1d96b32a18e0114c2d9aa09077cd072053abed7677e95a7317e7b07ffa10a7ee65a5e2a

Download Submit
C:\Kinghaze\kur\IDM120.tmp

Filesize
14KB

MD5
4531c527534dab3a8350a7612a3555c2

SHA1
0a252ddc3e80f58702d813abbd773c6123f1acf9

SHA256
2ecb7d7069585538f7b3e3a0387ee5c61a80d2e693eae189850fccd80f27a640

SHA512
cfdfd7f255798f2641c7c48d3b9fb8c8d6d67d64a5e3e711acb180be082cb660552fee309b18c3f68fd823061efb43b1d587a8ee51c5677305bd7e03392c9ba3

Download Submit
C:\Kinghaze\kur\IDM121.tmp

Filesize
107KB

MD5
0bad5ec5d39de002eb7c225e0d840f7f

SHA1
1c0874e9e8b218a7d70cde10cdfc8727113651a2

SHA256
db65ef51d8abda581c13994d13186e1efb3c16879e6475720c841d72d41ebe15

SHA512
9ca1616bb941ccc3265c132a4e2585892a7ce4202f499a97e71b8f2d51d1bce5b3d9c88900a71a03b9c59e4c27345bcb454706304cdfe357dbae130906daad4f

Download Submit
C:\Kinghaze\kur\IDM122.tmp

Filesize
2KB

MD5
4bf008f318e503c88ece49f612343f3b

SHA1
f3c46f61bab50a55672c88432a62d1240e0128bc

SHA256
e2222852811b0329b0509a907e91d3014cc2f04b14738f7b243c5a658c926d76

SHA512
2c9ae78d40e2c0de27b8c984bbf0793ab82e563f04139571324d3b58d2a11223cb99a3733d40aea1a02d5d98a8fa626bd887a50be45946a7b6c68197b9aaca43

Download Submit
C:\Kinghaze\kur\IDM123.tmp

Filesize
11KB

MD5
a6af356c272c8ca00a1642a3c36d96eb

SHA1
1777e2f786e15618ce0a814b9aa760751dff8ace

SHA256
7cbcd19ec17184459c2cacf7b5faa70b22625072f753e0061e9dfc358971d0cf

SHA512
5a9ca74af6bd16c9d9a45edfd3597c4bb806db558e39f3bc6fcc9b57f40e741b28bdfff10198212b4b0a7bb80c42f941eb2c70b50fd3250faf5f7431ceb2990a

Download Submit
C:\Kinghaze\kur\IDM124.tmp

Filesize
100KB

MD5
3e5462e655fd43743f506865400a7f06

SHA1
25f1d4ee7dde6170ba789b9d73125baf2466565d

SHA256
5163fb25c922618452c17f66cea4d2c70fb9f52346070a2c5852c7599357e556

SHA512
6d395473b8e9799aa82a44079ad016c9fdd77903fc13d607a81616609238fe43836262e7c32c25a9d9b1c148e7778cc0a2484185799498d4c8d1ba79a7ff9e22

Download Submit
C:\Kinghaze\kur\IDM125.tmp

Filesize
2KB

MD5
96b1fe730f29f1ef43359f2728748a6b

SHA1
e2cc85ae70fc6a75dd949a9238bf08c18a0bd53c

SHA256
0ac59422dc451304111e6b37283d92298345a377c66d72ca6e100a330261323d

SHA512
28369a28090f99e94d6e1d35906d5ccb4f4f24ba2ed0467fa1a7c3dafb1bfb7827a517314bbad3060cd55b646d463012deec986d9460f10e501ac437a200d8cd

Download Submit
C:\Kinghaze\kur\IDM126.tmp

Filesize
38KB

MD5
0df14c520291989038f242a4a39ae22b

SHA1
17ac0f3dcae8cf71b35e13702c3c03b987ac853b

SHA256
dba25a49adb88f675db26d2dc7a0fa9d4a5db2326858cb9d2515f6f34b8e0b65

SHA512
6d7f5e3ade351d094437d2d41a69b476cc5b3b600d8a3b841c16f1a7219999a6787221874e632dede324f940b50c283c4099e9239dbbbfc2d779e9a545042013

Download Submit
C:\Kinghaze\kur\IDM127.tmp

Filesize
351B

MD5
05b97bb7a5cdd449c401d0bdb4b588e7

SHA1
25ad746379f2b8c160f408b0944d5bba4006ecc5

SHA256
f3af82662cd90b90ce0680bbb1fb8a4b998d63d0baf9bba8170723f53de1650c

SHA512
644d9f4640d53de7879a16fd0589b12b11d7aad2bd91d014798b2c763890b66517a96c8ecf1df1588f5a2a4c6e5b800e067928dc21192c317769e28332932d38

Download Submit
C:\Kinghaze\kur\IDM128.tmp

Filesize
282B

MD5
1d527897b893bc09ee34fd15ba6a16fd

SHA1
833cccb2e8fd6fe86682878edb61f503fdb8cc59

SHA256
67d8c83b0f7dc40c8987cacaee984fa4646f6d72b9daaae0fe6885687c5e08e1

SHA512
6b4cb8bdf5c5786eafa539f7104e98fcaa9645280309320b9c3f2cb1868f109f275befc7e188ce37ce199eed9152dc771d64069bbe00f28cedf7260479853a5d

Download Submit
C:\Kinghaze\kur\IDM129.tmp

Filesize
116KB

MD5
e3b62d3ce0e7156a52abb2a98eeaee60

SHA1
fb1d1d40886288b7db6a0d690ed3892ad36b511e

SHA256
225fdf1269be2b83549c9da018c1b340b4b4973b6dfcd576ed15424762e0b816

SHA512
805c9cc75b21dc505bc035ad384764f342e11ddd4f527c081b9fd01051c7374066e9bd3bd83820032c69175db3adc8c3e6765e6afcbcfd929e6955f2d11d2ca1

Download Submit
C:\Kinghaze\kur\IDM13.tmp

Filesize
2KB

MD5
bada3a913ebd74c3e1f6a226caf33219

SHA1
8bca7c405a9c383b804d8e39ba930da2724490a0

SHA256
f637a5cba06120ec6c298418510912548f46d2ca0d5d456aa1a7de15abc3292b

SHA512
0a46d09288807f44d065854ea71a0f8fb3c46375521edf64c011ffb8821e6ec80a2ccf4d50fa5eb56d6b6ee62f84b85f3e3e1233dc0c768d3da48bfb5e30e5b1

Download Submit
C:\Kinghaze\kur\IDM130.tmp

Filesize
2KB

MD5
e06774c6313f4f5abdf60196cc0ebd59

SHA1
b58f03e232703141c96ab14983141c911b5527a7

SHA256
c32b8827748a47e157a19327d109b47ca63fac76e95e0774fd8a2f8a3c6d8918

SHA512
937de03a7c017d34d195d23b1966956577ecd4726f6d4b31e911815aebd1dbca9d6989bea8e67e6e813e758310a82e73d6f289c33876cba18f7787b8b1b82a44

Download Submit
C:\Kinghaze\kur\IDM131.tmp

Filesize
107KB

MD5
c6ebbfa4dfb862e634a1ed8a8a63f075

SHA1
1322df337e2248923db109700333cf6c66993698

SHA256
1425f4ee30f57ed854248fba10621f4aef9b40cf109a31f46bf635e252010113

SHA512
861a6a66438bdb93d5fb2f905fd71c4e9ef90a09f9a052219fbfd54d542def22a7dc57077212d3cf23cbc8070fd4660ecd959eabf2e18359eaecbe3b77de40ea

Download Submit
C:\Kinghaze\kur\IDM132.tmp

Filesize
2KB

MD5
29408778a5c37f6c924e36cf28257c81

SHA1
60fc728c252c93b9cac87fe0c4f7ce5239021cd8

SHA256
0dcc35a27b2e96d641d0db051baa9792de6f8190cb6e274ffb2fe81b8750c4e3

SHA512
75cd6fe03d22d4189cf1aec4e3d434261bb41c6fc68f994ded7a77043ee6110de3552d51922806436371390c2d0259be08790b9d9afa97a6792967eb006dc445

Download Submit
C:\Kinghaze\kur\IDM133.tmp

Filesize
118KB

MD5
cd4d559e7a343abc6809f1105f442a47

SHA1
3d39b94b666a201bcb32b7c924fc8f1eea35d9b6

SHA256
808477c0017cd5fd61f23566cf4fad3510574576996b1452b433e36f32948358

SHA512
4fe990969944c55dc0e312097c5149e75ff9fa79bf611c9f07faefec8cdbdd1ba8799938479c4320c5dc5e128e69cea59f9bf08eb644db73c5856f086d44beca

Download Submit
C:\Kinghaze\kur\IDM134.tmp

Filesize
3KB

MD5
04f3a70d39778fe45f4f843c3a29f7fd

SHA1
58e9091c862d23253daf7d1a727772fc823569c4

SHA256
83ee6eadcad35ba8f4940522b41091c99b9ff32a4f4ccbc5a87aeb9a7d434465

SHA512
ffc8c96e8f30816188720bf0572ebe17ec60f9091e8fac20f7d47be50d7835b69dd83be12bf4ec6bdb14c2027ae22bb51866b72cc72a8751f6d34d870a34a885

Download Submit
C:\Kinghaze\kur\IDM135.tmp

Filesize
98KB

MD5
47220123da512c99d58fcb0c4b9fba78

SHA1
799c6f3e665076a4964585700f34904baeb2afe8

SHA256
35469c7f7d4c6e877a0101091f39ab4dd5abe81b2f6ba200d2c12c3f51614ac3

SHA512
5bae79a8e8bfa6c26a5449f06a2aafa7e3fe808f3bfe82fb38626364f4d41b551782113b4994a777609741d1381740c39f1f93996bdca9f55c565e2208a0432b

Download Submit
C:\Kinghaze\kur\IDM136.tmp

Filesize
3KB

MD5
a963affefd74a0016595f9353617104b

SHA1
343991f6cee65f079d77fe3c0332c86ebeb36a22

SHA256
2e6a262ece276654637daf6469c025ec6bb1c9037cbcd2fa62dc7f7602da570e

SHA512
ff386df8a08707040e0a8a62a02f63b34afdd5e47720ba51165b07c8b36297d39aaf0e40cd5bc756dd4a2a40aed8c0e036ec4e0142e7f8b05f737b82e04f0302

Download Submit
C:\Kinghaze\none.reg

Filesize
254B

MD5
b0c6e428ed305e3746e3d645dde25dce

SHA1
da343144b6373eff688c3a862f570c13875b18c6

SHA256
d84682d9f64af201e8f640f76c22a1428beac567ff2ea5abfe4f5eb48c124759

SHA512
bdb491175beca4bf38e9b568471067e8e5d0122763fdd28c86f8e145001695387ff2dd4b61c585d2ca002bdee1c50fe1e458cd947eacf49eb16349eec2580dad

Download Submit
C:\Kinghaze\none.reg

Filesize
303B

MD5
a103a85812072ea02a496104a725fef6

SHA1
2abdb0806cadf925ef75698eac175077927b46d8

SHA256
e2793c8f43097756e0934b0c9fe2d045ea7958641edfffb26bf1423d28f06ec1

SHA512
6fb81f25f018acfaff9377b9e03af4c10468032c0bb3ef7091e1e2d7f1ddf506ea880bfd5703a6d2f2872028bcde8e397eb40515ea88525b7bc825bbc6b5eddc

Download Submit
C:\Kinghaze\none.reg

Filesize
304B

MD5
2eb780a891db359c76e4c72938682270

SHA1
43b592fb9fbea66e1f1f0be76fff8fbb7955ea01

SHA256
d7e77186324b6932810f55bb6f7bda9d858f750ed37f3bbc105078eec5f535bf

SHA512
3d8ed6cbfa788d32a9966ed1a8bcc637cf018be59d6505d9fb475b1dd09e5b9a561719a29b37ad8483aed782fd4f28223740d6ba67487ad35cb65104bc1b1c86

Download Submit
C:\Kinghaze\none.reg

Filesize
277B

MD5
824bee3a1f58353f6d37aae8a1655c19

SHA1
0fba0b6ecbc1ba561d233b5afff2e3825f7018f6

SHA256
5956cbc6871c2ae460ba6b85d6b6933b38cfbc67c4fed7b3e1cb0cd7e2fb8cc5

SHA512
acc23eb623bcdf494a7db88e0facd7f0cdfe73dd14b579df277177287699201e17cd1babdde5cd7075f3489eafac53b395a3ce7a38155bb22f516ad70facc9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e1688d8-d5fb-4961-bc0f-25959297f17d.tmp

Filesize
5KB

MD5
71b1f529cf643be5ebb16eb23d9ef46b

SHA1
925f08d9cf361e2a06fc349f776a8769b6bfc489

SHA256
1de8bf569142fd6c0ff1795ea0e84c0820c6d5bc18f61159f07b3ec92930f3fa

SHA512
c87dcead709792244511903b485cf29904e86ec6781935398cf70ab87d3bda1d4b3654e321a39e3f5d60ead1de19f6a7d17eb1d45cfe30e4ab82cceab0db7eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
5a3e5f7ca2460d7af96c8f452f5ae80e

SHA1
48f52c33060c557b122791286997103a33fdd29b

SHA256
84fb4ef79f07869044c22275e991e5aac6e11520d5d8fda58be428a69b900051

SHA512
7a87bf9f44195b3251d819d52931c931b70d120d490e3a99bee0285d74c0fb79296b8c398f346a88cb2b609ab7aa3e4d3a96096557edc5f870c06485f4f9854c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\ar\messages.json

Filesize
280B

MD5
316729234a3ac2cd022c7e14afa21bf2

SHA1
29a4ac4e32d413a7976ba43de7119274f78e9468

SHA256
5973951d6113e9419f006895978465117f0ce04b13bb0a40c97c37c403b9d6d1

SHA512
ccb898b4f7ae09456d3149b0b49ac46eaee34199f99faaf7d76265c815e67f279b6c285304dfbfa4544eea547a1a2c25d7f9241a63abba3dd1aae7e7036a3f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\de\messages.json

Filesize
524B

MD5
a37cdfdbd6e8681688e8881a58450e0d

SHA1
5d4396cc85db229a957cb9f251f307f70b344af0

SHA256
3c3560309e09d5cd91d53a946c943f7e4322e825cb16de27c4d5d1c050319d36

SHA512
9a25b11b53c512b06d57a74a15c62d9099606a805f6408841f542c1c383192f69a980243ba373958528fe713c8f03ec380cd39e47c30a4ed9f11fe6d206953e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\en\messages.json

Filesize
1KB

MD5
b8e6bcbcf876da1bb693d8dfe401034a

SHA1
1d23b94d68d06be519579fcf21b19e77f3b8218e

SHA256
4bde9375572bea04b287d9811d02ab5cc93ae8f2118f6b803275899644bb5dc4

SHA512
598bf44814f4a8edc8de7402c81e7aa0e92e3922c92deea913035974f573ccaa2b192b412c3fd0cf78d2f03e916aa3929421837b09ee2e2fc45b366e2319be5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\es\messages.json

Filesize
226B

MD5
ad5865b4f0521ba33c9f1d407206604a

SHA1
8511009ecf4b6ea05c9bbba7b40f2105e5a8792b

SHA256
dfa2def6ebbf1ccf735edafa507bce95ed624ecccd91717949e96f58d40898db

SHA512
f2c3203a4c25a892e8dae509ffd4913600032a45d4e79a4545bd3f3d21da4b9fe87d690af27d96634012cfa6b402f5d7ee1684accd6019f815a144fccf714315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\fa\messages.json

Filesize
685B

MD5
124c759a6b544aeaa3ddccaae1f664da

SHA1
b8e862bb661481505f739d6ea9be26ebd323cc5c

SHA256
70145621753a3149757fcc320c567ddccc61f1ceb833720acdadc4fb09c6253c

SHA512
2fcbef0627320765e4d4574732bfa7ce11c3ea16acc25d4940dc1db2a58c0064fc052e7c05c83643f2bc9b7fda6fd140ffd9e6d4228be9ae731a2b54871d2faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\fr\messages.json

Filesize
339B

MD5
4c2fd7bd9cb993c04431f837fdbe5625

SHA1
4ba7a6db75aa09463c4ef1f7d3bc99577f536cf0

SHA256
8b1136aa83c0958c70b5a97494be380807a1cf5e45662d2d0c74b7073075bc9f

SHA512
e6f6520f9e00f3278bb0d9fa2df091625d484845abf04fabeecfea53d1fd37e222ec4fceb9591ea0f872fb97ee531256dd09172f898c65997563d0a9a3df5984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\he\messages.json

Filesize
594B

MD5
031e9d83ceb124f494825619516a366d

SHA1
4452f54252ba866a0fe967b3993facf878312a19

SHA256
b41d5287c8d6b1bad251235e16ed223ad31fd008990d9359ad50358d77a5991d

SHA512
740027bfc6009acf759f48bd103785b39cdf85d3c0dc42dce21e287d8866fad95ab02a0057fccc5431663cb5024a9ab5ff7456094a78f4d48a2c080720a59840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\it\messages.json

Filesize
1KB

MD5
45d6943781f9e3beccd977a4d38b2933

SHA1
e04edcaee5dd7e37f58460cb59fe92f69e4b440b

SHA256
624bcfd864df9675a08084de664bb73650a88d7e81f9c27208e872bb4ed3605c

SHA512
3d0de76d92cb31d97b1f53715d2bdb42bc3206159de248dc51df75b81f71a1547330e85292af8a73daa48453b8ab39067138a608adb3bff61412c35711921a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\nl\messages.json

Filesize
215B

MD5
86b261d778578167451c624dc1059433

SHA1
b7a4733f71798f2dc16d7ccdc1ef8698d6e44ae5

SHA256
8e4959947f9781f8aaf253049b60ee0ba341571a745fd20c6a6c0033ca7991d9

SHA512
82ea33b09bf5753d2f0e8b9f3fccd92d4ac10d6031d485d6b5ff64f5b33f8687eccd24e72afb10b2d4b669f07e8baf8ca37fce7d78865615962864690bc5d69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\pl\messages.json

Filesize
563B

MD5
5fa7badad40df7eb7c06ad09236b5879

SHA1
a34bf283d450b24859c4440cc96845af01775991

SHA256
7162e18acd5f67a3e321fcde0dc75290c7c73c551732d733c74e377bf46fcc75

SHA512
9c5e6a4afbae3a2900e6bb1f1a555ceb9f576609aa7f0355b186038e7c50544f2e165bacf7f192a9ce2629f0bd6ad8b63997317b6050c5af5c023bcde7bb1a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\pt\messages.json

Filesize
556B

MD5
d2d89ca6b8ae9de14095638a7bb5420b

SHA1
3218700dc976a1d4b8d573e3cc058e2e17ac7912

SHA256
d1bb1e348b413035ddd754e1dd8fb5fac215ad8bcb6c91bda2e80ff738725e59

SHA512
2582b7af7f486bd9f61eb73d152daac7a95a2f7c1113d6304abf00454225dec8d5dfc5203cab4875dd5d46b67b711d63afe4a7d6cd9d8207f9c917c7fa483153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\ru\messages.json

Filesize
1KB

MD5
0ac84c85f1d33150420cd13c867638d2

SHA1
606f4710a91315a624fec867dd610ba367a6ff54

SHA256
140208963c850e7d3d5e4ec7099f56c866e32a16894432f28ff873f431f4f95b

SHA512
a5f8ab879999550fb636bfe8fe36f471108086cafd821d23b944f5ae1974f4a7f0922cb7e25ec1982f86a1d8666ef86862bf7422ef5584bcc2c6541ee560f3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\th\messages.json

Filesize
293B

MD5
e83a81a3231e50662ddfef250df24419

SHA1
4a78cbf15b850f666b78b49f530aba05ebfd0d69

SHA256
e306358b32d1211dcbe7cc76768ef253810a97637bb6543b97c8e2a77154afa0

SHA512
16d47906e1403847fe9ceb14352b022f9b8859f65ed25e7198e5efaabb5d41911f2843eb3438128052c434da390118994629c40486975e01c0f9bd6b794a5c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\tr\messages.json

Filesize
829B

MD5
ceb790fba4deef44621daf55db59ccca

SHA1
cbebd28e055eb0f6f7dabb43f216da66f7f9126f

SHA256
fc7d9163f43427466fcca3e616a1a79bd0cb106ef4feb351d3d69c3a756d47fd

SHA512
f5920994902b693d5cc702c8f0dba359a6b5a4856e3f6cb46e06bd844f9d7b26e2fbe315abd4b55f873b8e0c3b2ab9ade99bdb3f5c169a5a35642fbf0e051137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\vn\messages.json

Filesize
234B

MD5
5ea23e07638b34e63349b05bc9beeab9

SHA1
58fc80e95eea688a1ce7d8102037e9b269f830c7

SHA256
7ea73da3bd6130c6384e3e6fef25254dde6553a2977ab6e2793fc79ba137f672

SHA512
87b5333609446d7c54ddfb54d8de1fe2b46d4b106625c2edcb29589e8bc62d314031d17e7675c0c0f037d33c79a938588b098a63a521b0fe463d986eb8663535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\zh_cn\messages.json

Filesize
495B

MD5
80cc71a810cb0428522ed833dd77033c

SHA1
8546622a02e78a963e3db81d4d12408ebf1e16a8

SHA256
3b24da8301abaf61b184f29b58d6f6b90191419e7eda40e292bb4594bbd46915

SHA512
e2e1c1aa0ba9a349847a96b745756bfe725e32d17994bba6cdc142c1d990bec19d23b708914bef428f4f11c49f9442c710f3205b7773ddd1b3f212d548aebb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_locales\zh_tw\messages.json

Filesize
537B

MD5
80edc084829b7dddf5e573df1a786073

SHA1
78bc2089cefa71df213d0dd9ab4959c86ab242a2

SHA256
718af7b40e4238fd2f836a532fcd7e991e15ba4edba7feb6ac3ed851937c7c57

SHA512
485d35cd72cb4d1db095b9e82f1dcdf47026ca6b114c0abff2aa1dd228219679d0090e315b3fe80af25c98e3aafda44f0e3000e4167e50ce8ed91b4b85859014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\_metadata\verified_contents.json

Filesize
5KB

MD5
63031f600282d6208fcefb66567fc05f

SHA1
f55289f222fe637f21b4b14265e1c4315238acd7

SHA256
2bb4a74bd85d1e90382bddde0d248de37af1e6deb97a3daf1eb52b534c995221

SHA512
55f989bd6132f98e0116f4826f815d899f90968d752d1375089c56c8fa25b3a02e90f810d46387a587342a2a4c74924a2f37bcd980c2ad372709616b129165cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\background.js

Filesize
59KB

MD5
dfbde7ef8964282708457439df73049f

SHA1
73fd6c27f849749d370330a089d0aeb88f44b5f9

SHA256
81285c4884ee9f7302e4708eb3df818478d4f758e2667f774f3fbde8a7fdf647

SHA512
e386d6a52a063205c55f3d2644b0f20a7fc0a8b2b10f257d608bc8c45644bb42615e12f002dbe3426cf207ddb56f0e577ebb74fd1bc8b708fae1ceeff7e330cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\captured.html

Filesize
2KB

MD5
f35b53a857b516423ef2411e797fd966

SHA1
3b2261a6c72ab5325b8b6dc644154c0bb9cffcec

SHA256
2c387e39ab78ab8f283d623a16b946285cda96daf1ea86e20bc4baad68cfc49f

SHA512
10b0a8bfc957f6be3c3e54b3672938c7ec00dabe098ff751d4b36424dc76a2dcf1ccc02fc281e6d7d308376ad1288642125c8374cfff9511bc140b687c5dca55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\debug.js

Filesize
690B

MD5
b9f43ae3818dab9e0f274a0851de026c

SHA1
fe17a16d8af2a680f54be5580d1ffd92f9f41494

SHA256
7441679af0a3a676b705926ff078990e804a674e4459a56abf00e3b4eb70e8e0

SHA512
c996a3f17b32cd307e4906544a919f0d26d0772e99f8e5c9117916357195789d0a27a75bf5251f58ede55201e2ea0b9820250dc0678e951c0739ba6833dd676d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\document.js

Filesize
2KB

MD5
a0736f38adda9919c53fc757b4c31b2c

SHA1
14e5844d74a1e991fc35466be38b7a7043bb49a1

SHA256
86ae414b5cef3a0041ed3f7a4c2b26f79c64550fa3261b60b9400abc61e85eee

SHA512
262c18118067afd7535a39ee4e45064ce282fe911698f544561ba546b1a697c3d5155f0ebf8500e04be9bd762382679074a4e5a11f1e98b61676fb7f962dc963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\headBkgd.gif

Filesize
909B

MD5
60a7f0b520cf9984e66fcc2daeaa91d7

SHA1
217b1e8b0238f60ffc498e4d370d9032a4060919

SHA256
a022ded24e2e2b5e8c0388109f4617647b72a9a06540f438b0243985aa3fc43e

SHA512
a5ed7a0b109735610cffbddccabd0a376e26e823a73e4e23269a1b784cc1e0409f4a8ef092292b85ab92dee8c0c0df1158c7082d91653edefe9435c0a3e11654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\headTitle.gif

Filesize
15KB

MD5
e9af99a1872673931704fb5f3fb92594

SHA1
7cb8514946c779b1769bb30ec43c7ee67e010053

SHA256
46a531f88a1e5682b4f5f5eab6003a3e12e9bdaeb95e1d0421fc2f4c6553cecf

SHA512
1ef67094db4c3872d581b7de7676cec9749cc9d55f24bbfc97aebfd79c5614c7628d3646eff15e93b6cc186a0877a487583f83bfcea5459d7a8f5ebec9a2d189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo128.png

Filesize
19KB

MD5
427ccebefe1fb4d54646bf943ad425c8

SHA1
0265f9dc3877e047342e93b82b29f51b41207bc1

SHA256
335ea79ef3140c7d63cd43cd525162bb96191e68001e9cebfa5b697af6b1f371

SHA512
4b605dbc51565b56570f2b9b1821ccdfbcf672def2d358f4a0373cc4d98747d617381c85fbda41b57d67756cd0dada058a4c9013d729990589a568c753de05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo16.png

Filesize
852B

MD5
1d87ff5077134df7cec7aa8e93773348

SHA1
e0273177937d5a5a31c3f7d5b3de67d6b7928fca

SHA256
c44c37dc5c69959f778dae6eb3732bb10b25e2500dcd2a015932b1cce9989de2

SHA512
1961570758e34df0b2e922196b8ec9d19c59d2ec8d1824f581332dbaff4ab2f849be9a9f67062db24553003a234c9b5f9a139bf736d023f6c3f169b10de117e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo16x.png

Filesize
854B

MD5
d08e20877841e7e4ea062ce36be215f3

SHA1
5cfcdd563622c8e26d6bfbec4d2288a698a78235

SHA256
feb1f8ba850388cde225fc9d9a9bc6f27ce84eb399d3bf8b7422e0cb31ae467a

SHA512
fee0ae9e1c0b4adbd5d2e2bd9581d2df6cb290ff2f29d0f09636bb8fdb0c044d82b5488b3d58169cc2a23282bfb0713e82545da5a9709f39cce6b75d62b53c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo32.png

Filesize
2KB

MD5
bb9aea32e19d24434a230266ddfb57a7

SHA1
8415ba204fa39963bae23dd55e92f2189d814b7d

SHA256
10f14189da507005bafa0493783b56a8494782c6accf553edb706a26e771491e

SHA512
d1076f1edee2f9626243297dd3c255d707ca95d81d2fcaccbd43432b9bc3a26712943fdbff1f4f1bdca5a0b66bd9de91867753fda8bd889e6d98df6ef7c445bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo32x.png

Filesize
2KB

MD5
db77f12d007d66dc85410708e9322101

SHA1
f9a197b8212607080e8f20c2a19d03aa25a849a0

SHA256
16181b64e00841b68cf605a5e39d7fd56e24499825b404fe4fb3b477e56e84e8

SHA512
b4abc4b6c20b59a12a656d63bd5d0b3cc96f2e152bb143fa913fe667511cdd66382b62b959436d5f5a1511fa3bc1957eb9e4a61729b008ff5aba8286c8a8fde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logo48.png

Filesize
4KB

MD5
db62e2d1fd58479a202a2960ec34324d

SHA1
de520c26686c91afcb761affcf86871ad64df325

SHA256
4212312c4f644bea0df9c087b050b1498ce4ba0d6638f17b9fc6de7c6989208a

SHA512
1ad847586ba0b8a2ec8868662f39b9064897f7a0a0713a29fff403b45c07a657f1c91378c6b625ed35e67446da7bb575282292a95e3a773450573d929fcb1935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\images\logoTonec.gif

Filesize
1KB

MD5
6e4056f446760596daedaf491677dc79

SHA1
d9feefea1026f3dbd4291c89e8ecacf3063c35f0

SHA256
4a7aa9148bffa220e01ea106dfaec432a42d8d55005ada6b6f47bc058dcc6a50

SHA512
b6e9e7dd8ae7f4f42930897749cb51a3533f3917d833ac5742c55321e1cefede5207065c5f8029a484a5daeab6b1ccb671a86cc637b99c4d0edc0ee82b6552c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
aac67847da57250faad0d5206902d342

SHA1
14aa72e73e13a4c0e84defd03ebe3e396e945759

SHA256
0306e81aa77807e3ba0dea75628326f360828edec9dfd5c40bde9c31731ca39e

SHA512
0cc1cf45120ec3cf0967d04c5f8040bef18be772a0fea6f71189b2e0080c195a756f938228fd53891a8e816e2a605334305f13fc2b626e121c98310fb95967bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\welcome.html

Filesize
8KB

MD5
48c6abc1b2dece374b10d04c8881b77c

SHA1
d4d12c0f579f4a2591815dc77afe481fd3ff23ab

SHA256
fa1309e0543bc0051057fd433c66b73905c8af7d90448a7b4c751926dc9b641c

SHA512
b197d86387781a01af1df1e81ef4bd0aae239eb8a9120c964417a5e57ddcc7a4d1fa5a1ae40dd3ee0a12874ce2ee3ef303999d8b845c39d5a0cb44659e413e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir2512_1393310933\CRX_INSTALL\welcome.js

Filesize
2KB

MD5
062a825e6c487370fff1cbf455fe5c3b

SHA1
feca60e69f21b8f5c13ad5cff6812ff211fcfbf9

SHA256
ed9b0f5afa38d5ecf3ad2e4f28adbb37a97219bddebcabee8808d4b4bb91fabf

SHA512
f3086c951f70177d9744426e402d7289208de442ffa233d603bd6ccef5ad54cd1226db9f7d7259921e49d6aea6a9ebefa989076a42fc14dd2701ec87a636b6b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
81e60766c21b4179bec86ac8dfee96c5

SHA1
fe2e7156c022f5600eaca83d175cc6d5a506eb82

SHA256
982d32beaad8c2476b5a2a48515e75422412ead7415fa122f870f868ede4ef01

SHA512
bc2bc2f6076efdb3192406af51df7cfb02fe9dd4a126c2b579e8231ccde09eadb549f9f71699912e2193a23f5b2c459597b15ec9b286401fc0b49350df228f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23ba11f5197c4f686abb8d9aa4e04aa9

SHA1
f09ae804737b600492a17d0b236c39b27dd64462

SHA256
b31025d259fcd6d7e342c01ec564a83278ef612758fcc39c5ac012396cd1f218

SHA512
444b2a5c3346ee8ddb19fccda8f36589483522c443f127ed64f7ca86e106fc1069d292d8062cc5346508c3510f72f6a04a492ec0a1b9c95a6f62d627bc1b223f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1c8945d589fee06435298b1b44f16d8

SHA1
646987aeaa358ee94f3441f1017c9c0ee4c00cbe

SHA256
9de1551ca7fad7fd2acdffd441528f67aa37b0192cb6d18a8a5b10ee6b2a2773

SHA512
367c37a7992bc3e0c1bc2d95669a240d6f30e65c9a2abc8ebbbbfc1967f217c36420b3ffeeedee10441abd967bbf000075a8b2e92cb0d7ae599c6496135c7624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8ad72b003df7f54c3a01295ac60caf79

SHA1
8d08dfde7b1c6d443508c0ddc6e26c8b3fbd8d0f

SHA256
9a0c37acb5a4f5ce22f541bfc3014273af777b0324c82388daafc1300d5c18fc

SHA512
71181b07a5eb3b7ffbcca2787de216689e6f1227931139f7201442bc672bd904e460ad07f2d10554073960e282eefcab8c61b137708ebe48938d1b65ab35c40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
27KB

MD5
faf1e515592f52c799617d02eb7ad1eb

SHA1
5ebde24aff6c43f6212f3052e6e22617ea23e9dd

SHA256
7e710e09c6b3cc35a381f91cbc836778a4ef04003dfd57afe29931aa034226bd

SHA512
b7644865d541c25a8d57ad5add5116524647967289fdf0b3feae2699f1bac0cc9b6c25346bedc8625468819989bcd35cad064e9ffb0c3e284795d03e2065da8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2831f34baee7d41b3f34d00a332a4b58

SHA1
7adef6351cbd15abf7a5d20b30fb704281e86769

SHA256
1d9153d05334704a79288ccbc0064dbb6132646fbad909d5780219463c4f3413

SHA512
acd7a9c6acbdf196a23315fa450b12de373724289e7dc8f62d92623f15ee22e9533702142a524a83d50bc9e150693143afe242b5bd2f064388659977a63c3284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe13cae5223b94138376c9ed9f628e82

SHA1
dae71e3d62670bf0dc5a1b8e39b9d83aeddc427d

SHA256
9ff780e02b39f9b6931af62545730e606c2a3f8699b5cca85f8c3d59dee77003

SHA512
e53d26639f371c81f186554bc684b1cccb5dc2dc9f4bcb3629f7418f058d05145014b264892bdbb68025099c78bfb1b30fae2991eeb54237d3668d70310d8745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad82e28d-d647-4b81-932d-9189f0334ba5.tmp

Filesize
11KB

MD5
a17b52479da6e0827113496bac85fbad

SHA1
8847031530a57adbd567c417e38cfc8c16765497

SHA256
99b4c76fd79aa8191012a4405027f2aebbf2ff51c70d0da6e9d89fc8ffaa269e

SHA512
137268f6e3d73182e6216aa341a2e614535cde9fb9c71ca137f7e2e8de7d6494ca2bd161bbcd8323f9ec3844d4d225e8e74a78fe728ad1ee45073968a2b21887

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2512_807549047\5a0d34ae-a9df-4b8a-a06e-633af2d4e14e.tmp

Filesize
108KB

MD5
f3c87512ba6a6d2cfa6b1bcf5e1243e8

SHA1
4b99c4cbb255e6aca2524bf458c433872e935496

SHA256
9b8578bbbdbdf7f93e35b25b0e83c40af1eef3d1ad423a16f57674ba0d8ff188

SHA512
51c07bedc43b26eb53ebe87fa44751b233f162073fab41e81c356aa2428c867f30840099b919f6f5e87a7009750756e56747b0d77d6349ab51164b2e498e75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2512_807549047\CRX_INSTALL\content.js

Filesize
25KB

MD5
57e64271999094f7afce8d3c89943819

SHA1
8af4d8e8e9a3a3f0b9c69d7353fe378b7280b685

SHA256
60eb5bda0d440e197bff112f8dbdf7305be045251a88b40df12c9b6d6a527f99

SHA512
f635cdedbc13c9e69c78ec3993d1e532f0438ae8c226d9cb9d33f90f6c4cfb3a4a7920999d083538e63ac426649914079908a6d5f35474fd4b29adb05977f5a2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 848568.crdownload

Filesize
9.3MB

MD5
c2d8dece496bafa1f3b40128cced752e

SHA1
e7ec25e1bc7b7600e16b4f733b1e0feae669d362

SHA256
14d35e486ebfd9cce67b9d7a54c961147eb9e63703d4a26a24f1a7b0572597f8

SHA512
96f1e9ac94099be5fec877dfce710748bc45a651758105c8f4674b4dff2ddb3b2fa48279e1e2a1f57d43c6858fa64cd8550a8ed8f008212553dc4d1070314ebd

Download Submit
memory/3872-601-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3872-1064-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download