Analysis

  • max time kernel
    115s
  • max time network
    214s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04-11-2024 22:08

General

  • Target

    kreo q zi.7z

  • Size

    922KB

  • MD5

    ec516db688f94e98d5141f4bade557e9

  • SHA1

    198ffbae5eed415ac673f5e371774759f1a53de1

  • SHA256

    282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

  • SHA512

    ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985

  • SSDEEP

    24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 19 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 8 IoCs
  • Opens file in notepad (likely ransom note) 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3820
  • C:\Users\Admin\Desktop\kreo q zi.exe
    "C:\Users\Admin\Desktop\kreo q zi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3144
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4900
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\CompressResolve.dib"
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:236
      • C:\Windows\System32\fontview.exe
        "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Roaming\CompressTest.ttc
        3⤵
          PID:5084
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2340
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1704
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DebugCopy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:464
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FormatTest.vbe"
          3⤵
            PID:1872
          • C:\Windows\system32\mspaint.exe
            "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\JoinExit.wmf"
            3⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:5400
          • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureRestore.pps" /ou ""
            3⤵
              PID:5520
            • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
              "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureSwitch.ppsm" /ou ""
              3⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:5580
            • C:\Windows\System32\notepad.exe
              "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\MergeUnprotect.ps1"
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:5672
            • C:\Program Files\VideoLAN\VLC\vlc.exe
              "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\SendInstall.rm"
              3⤵
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:5352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\StopLimit.mhtml
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              PID:5632
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
                4⤵
                  PID:5836
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
                  4⤵
                    PID:5588
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:5652
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
                    4⤵
                      PID:5172
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                      4⤵
                        PID:4520
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1417792300327238791,15799818021476200431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                        4⤵
                          PID:5232
                      • C:\Windows\SysWOW64\mshta.exe
                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\SubmitOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:5524
                      • C:\Windows\system32\mspaint.exe
                        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\SwitchBackup.bmp"
                        3⤵
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:6000
                      • C:\Program Files\VideoLAN\VLC\vlc.exe
                        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\UndoDismount.au"
                        3⤵
                          PID:5360
                        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\WatchGroup.dotm"
                          3⤵
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:6620
                        • C:\Windows\system32\mspaint.exe
                          "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\CompressResolve.dib"
                          3⤵
                            PID:5496
                          • C:\Windows\System32\fontview.exe
                            "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Roaming\CompressTest.ttc
                            3⤵
                              PID:6188
                            • C:\Program Files\Internet Explorer\iexplore.exe
                              "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
                              3⤵
                                PID:6236
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6236 CREDAT:17410 /prefetch:2
                                  4⤵
                                    PID:7068
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DebugCopy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                  3⤵
                                    PID:6524
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FormatTest.vbe"
                                    3⤵
                                      PID:6500
                                    • C:\Windows\system32\mspaint.exe
                                      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\JoinExit.wmf"
                                      3⤵
                                        PID:6692
                                      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
                                        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureRestore.pps" /ou ""
                                        3⤵
                                          PID:6760
                                        • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
                                          "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\MeasureSwitch.ppsm" /ou ""
                                          3⤵
                                            PID:5956
                                          • C:\Windows\System32\notepad.exe
                                            "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\MergeUnprotect.ps1"
                                            3⤵
                                            • Opens file in notepad (likely ransom note)
                                            PID:6044
                                          • C:\Program Files\VideoLAN\VLC\vlc.exe
                                            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\SendInstall.rm"
                                            3⤵
                                              PID:5144
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\StopLimit.mhtml
                                              3⤵
                                                PID:6724
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x108,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
                                                  4⤵
                                                    PID:5492
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
                                                    4⤵
                                                      PID:6852
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
                                                      4⤵
                                                        PID:5612
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
                                                        4⤵
                                                          PID:6976
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
                                                          4⤵
                                                            PID:6860
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                                                            4⤵
                                                              PID:6644
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                                                              4⤵
                                                                PID:7632
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                                                                4⤵
                                                                  PID:7792
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
                                                                  4⤵
                                                                    PID:7400
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
                                                                    4⤵
                                                                      PID:7852
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                                                                      4⤵
                                                                        PID:4656
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
                                                                        4⤵
                                                                          PID:7408
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
                                                                          4⤵
                                                                            PID:8340
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12687087772462353754,17404542514366741478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
                                                                            4⤵
                                                                              PID:8348
                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\SubmitOptimize.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                            3⤵
                                                                              PID:6156
                                                                            • C:\Windows\system32\mspaint.exe
                                                                              "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\SwitchBackup.bmp"
                                                                              3⤵
                                                                                PID:6288
                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\UndoDismount.au"
                                                                                3⤵
                                                                                  PID:5156
                                                                                • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\WatchGroup.dotm"
                                                                                  3⤵
                                                                                    PID:6548
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x64.log.html
                                                                                    3⤵
      PID:7540
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xc8,0x12c,0x130,0x108,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
        4⤵
        PID:7568
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7636
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x86.log.html
      3⤵
      PID:7676
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff805a746f8,0x7ff805a74708,0x7ff805a74718
        4⤵
        PID:7700
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7744
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7816
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:8048
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:8092
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:5356
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7952
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:8020
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:8168
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7188
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:900
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:5420
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:7196
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log
      3⤵
      • Opens file in notepad (likely ransom note)
      PID:6820
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
  • Drops file in Windows directory
  • Enumerates system info in registry
  • Modifies data under HKEY_USERS
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  • Suspicious use of WriteProcessMemory
  PID:3020
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff811b0cc40,0x7ff811b0cc4c,0x7ff811b0cc58
    2⤵
    PID:3612
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1924 /prefetch:2
    2⤵
    PID:3220
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2396 /prefetch:3
    2⤵
    PID:856
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2428 /prefetch:8
    2⤵
    PID:3496
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
    2⤵
    PID:4668
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
    2⤵
    PID:1404
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:1
    2⤵
    PID:4420
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3692,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4724 /prefetch:8
    2⤵
    PID:1080
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4532 /prefetch:8
    2⤵
    PID:236
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
    2⤵
    PID:4708
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4572 /prefetch:8
    2⤵
    PID:4928
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
    2⤵
    • Drops file in Windows directory
    PID:3600
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff71fda4698,0x7ff71fda46a4,0x7ff71fda46b0
      3⤵
      • Drops file in Windows directory
      PID:1916
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4424,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4440 /prefetch:1
    2⤵
    PID:1420
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3280,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4052 /prefetch:8
    2⤵
    PID:3928
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4580,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3348 /prefetch:1
    2⤵
    PID:1016
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5420,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5388 /prefetch:1
    2⤵
    PID:3000
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4016,i,9664971663459300272,8810769469283417849,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5184 /prefetch:8
    2⤵
    PID:7944
• C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  1⤵
  PID:2548
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  1⤵
  PID:4900
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4a0 0x464
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:4248
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:752
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:4656
• C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  1⤵
  • Enumerates connected drives
  • System Location Discovery: System Language Discovery
  • Suspicious use of FindShellTrayWindow
  PID:3832
  • C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    2⤵
    • System Location Discovery: System Language Discovery
    PID:3816
    • C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      3⤵
      • Enumerates connected drives
      PID:2820
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
                                                                                                                            1⤵
                                                                                                                              PID:2436
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
                                                                                                                              1⤵
                                                                                                                              • Drops file in Windows directory
                                                                                                                              PID:2180
                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:5716
                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:5932
                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:5160
                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:5324
                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                              1⤵
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:6036
                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                              1⤵
                                                                                                                                PID:6344
                                                                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:6544
                                                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                  1⤵
                                                                                                                                    PID:5812
                                                                                                                                  • C:\Windows\system32\OpenWith.exe
                                                                                                                                    C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                    1⤵
                                                                                                                                      PID:5820
                                                                                                                                    • C:\Windows\system32\OpenWith.exe
                                                                                                                                      C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                        PID:5340
                                                                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                        1⤵
                                                                                                                                          PID:5856
                                                                                                                                        • C:\Windows\system32\OpenWith.exe
                                                                                                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                          1⤵
                                                                                                                                            PID:6076
                                                                                                                                          • C:\Windows\system32\OpenWith.exe
                                                                                                                                            C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                            1⤵
                                                                                                                                              PID:1616
                                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                              1⤵
                                                                                                                                                PID:6580
                                                                                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:5244
                                                                                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                    PID:7008
                                                                                                                                                  • C:\Windows\system32\OpenWith.exe
                                                                                                                                                    C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                    1⤵
                                                                                                                                                      PID:7448
                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
                                                                                                                                                      1⤵
                                                                                                                                                        PID:8980
                                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                                        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                        1⤵
                                                                                                                                                          PID:9096
                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                          1⤵
                                                                                                                                                            PID:8272
                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                            "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                                                                                                                                                            1⤵
                                                                                                                                                              PID:9196
                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
                                                                                                                                                              1⤵
                                                                                                                                                                PID:8208

                                                                                                                                                              Network

                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                              Downloads

                                                                                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                                                                                                Filesize

                                                                                                                                                                471B

                                                                                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                                                                                                Filesize

                                                                                                                                                                420B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                                                                                                                                                Filesize

                                                                                                                                                                649B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                Filesize

                                                                                                                                                                120B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                Filesize

                                                                                                                                                                936B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                                                                                                Filesize

                                                                                                                                                                5KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                                                                                                                Filesize

                                                                                                                                                                2B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                Filesize

                                                                                                                                                                356B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                Filesize

                                                                                                                                                                691B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                Filesize

                                                                                                                                                                691B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                9KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                9KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                9KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                9KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                10KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5a692b.TMP

                                                                                                                                                                Filesize

                                                                                                                                                                10KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                15KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                Filesize

                                                                                                                                                                232KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                Filesize

                                                                                                                                                                232KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\31f72edb-a55f-45dd-88d8-8b51ae157ee3.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                1B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                                                                                                                                                                Filesize

                                                                                                                                                                70KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

                                                                                                                                                                Filesize

                                                                                                                                                                264KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

                                                                                                                                                                Filesize

                                                                                                                                                                8KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

                                                                                                                                                                Filesize

                                                                                                                                                                8KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                                Filesize

                                                                                                                                                                111B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                5KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe5a693b.TMP

                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                24KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                                                                                                Filesize

                                                                                                                                                                24KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                Filesize

                                                                                                                                                                16B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                Filesize

                                                                                                                                                                16B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

                                                                                                                                                                Filesize

                                                                                                                                                                41B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                                                                                                                                                                Filesize

                                                                                                                                                                16B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                Filesize

                                                                                                                                                                8KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                Filesize

                                                                                                                                                                10KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

                                                                                                                                                                Filesize

                                                                                                                                                                81B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

                                                                                                                                                                Filesize

                                                                                                                                                                126KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

                                                                                                                                                                Filesize

                                                                                                                                                                40B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

                                                                                                                                                                Filesize

                                                                                                                                                                29B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

                                                                                                                                                                Filesize

                                                                                                                                                                450KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD5C5.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                15KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                                                                                                                                                                Filesize

                                                                                                                                                                1024KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F45C47E-4D3B-496F-8338-96241893DA79

                                                                                                                                                                Filesize

                                                                                                                                                                174KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

                                                                                                                                                                Filesize

                                                                                                                                                                2KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

                                                                                                                                                                Filesize

                                                                                                                                                                2KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

                                                                                                                                                                Filesize

                                                                                                                                                                4KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

                                                                                                                                                                Filesize

                                                                                                                                                                498B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

                                                                                                                                                                Filesize

                                                                                                                                                                9KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LJVA2E1W\suggestions[1].en-US

                                                                                                                                                                Filesize

                                                                                                                                                                17KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MLCJZEP1\microsoft.windows[1].xml

                                                                                                                                                                Filesize

                                                                                                                                                                97B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0953e579-3b34-4ccf-8a95-c6b6f2c9f44e}\Apps.ft

                                                                                                                                                                Filesize

                                                                                                                                                                1KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0953e579-3b34-4ccf-8a95-c6b6f2c9f44e}\Apps.index

                                                                                                                                                                Filesize

                                                                                                                                                                879KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{dc1a9cbe-c4f4-42d5-bd29-d3ab508dd04f}\0.0.filtertrie.intermediate.txt

                                                                                                                                                                Filesize

                                                                                                                                                                1KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\apps.csg

                                                                                                                                                                Filesize

                                                                                                                                                                444B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\apps.schema

                                                                                                                                                                Filesize

                                                                                                                                                                150B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appsconversions.txt

                                                                                                                                                                Filesize

                                                                                                                                                                1.4MB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appsglobals.txt

                                                                                                                                                                Filesize

                                                                                                                                                                343KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0c659d54-271a-4305-ba10-9f17baea6525}\appssynonyms.txt

                                                                                                                                                                Filesize

                                                                                                                                                                237KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{0148f9ba-60fa-40cb-ac2e-6ae381bdb26c}\0.1.filtertrie.intermediate.txt

                                                                                                                                                                Filesize

                                                                                                                                                                5B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{0148f9ba-60fa-40cb-ac2e-6ae381bdb26c}\0.2.filtertrie.intermediate.txt

                                                                                                                                                                Filesize

                                                                                                                                                                5B


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133752318719665808.txt

                                                                                                                                                                Filesize

                                                                                                                                                                3KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

                                                                                                                                                                Filesize

                                                                                                                                                                689KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

                                                                                                                                                                Filesize

                                                                                                                                                                2KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

                                                                                                                                                                Filesize

                                                                                                                                                                2KB


                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\590CACD.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                90B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\744675B.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                90B

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\TCD2D75.tmp\sist02.xsl

                                                                                                                                                                Filesize

                                                                                                                                                                245KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab34A3.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                255KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab34D3.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                537KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab4B58.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                625KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab8142.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                19KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab8154.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                24KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cab8453.tmp

                                                                                                                                                                Filesize

                                                                                                                                                                300KB

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

                                                                                                                                                                Filesize

                                                                                                                                                                1KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                768KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                721KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900720[[fn=Integral]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                3.3MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900722[[fn=Ion Boardroom]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                1.5MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900743[[fn=Organic]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                8.3MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900769[[fn=Retrospect]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                1.5MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457452[[fn=Celestial]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                759KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                903KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                944KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033923[[fn=Depth]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                2.2MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                837KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401375[[fn=Madison]].thmx

                                                                                                                                                                Filesize

                                                                                                                                                                2.3MB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

                                                                                                                                                                Filesize

                                                                                                                                                                1KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

                                                                                                                                                                Filesize

                                                                                                                                                                3KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                                                                                                                                Filesize

                                                                                                                                                                3KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                                                                                                                                Filesize

                                                                                                                                                                3KB

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\vlc\vlcrc

                                                                                                                                                                Filesize

                                                                                                                                                                94KB

                                                                                                                                                              • C:\Users\Admin\Desktop\kreo q zi.exe

                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB


                                                                                                                                                              • C:\Windows\Debug\WIA\wiatrace.log

                                                                                                                                                                Filesize

                                                                                                                                                                6KB


                                                                                                                                                              • C:\Windows\Debug\WIA\wiatrace.log

                                                                                                                                                                Filesize

                                                                                                                                                                7KB


                                                                                                                                                              • C:\Windows\Debug\WIA\wiatrace.log

                                                                                                                                                                Filesize

                                                                                                                                                                9KB


                                                                                                                                                              • C:\Windows\Debug\WIA\wiatrace.log

                                                                                                                                                                Filesize

                                                                                                                                                                4KB



                                                                                                                                                              • memory/3832-436-0x0000000005E80000-0x0000000005E90000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4656-4-0x00007FF817273000-0x00007FF817275000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8KB

                                                                                                                                                              • memory/4656-5-0x0000000000F90000-0x00000000012B4000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                              • memory/4656-6-0x00007FF817270000-0x00007FF817D32000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                10.8MB

                                                                                                                                                              • memory/4656-9-0x00007FF817270000-0x00007FF817D32000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                10.8MB

                                                                                                                                                              • memory/4816-399-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-392-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-10-0x000000001CB80000-0x000000001CBD0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                320KB

                                                                                                                                                              • memory/4816-11-0x000000001CC90000-0x000000001CD42000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                712KB

                                                                                                                                                              • memory/4816-14-0x000000001CC10000-0x000000001CC22000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                72KB

                                                                                                                                                              • memory/4816-15-0x000000001D790000-0x000000001D7CC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                240KB

                                                                                                                                                              • memory/4816-397-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-400-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-398-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-394-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-395-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-393-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-396-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-40-0x000000001E000000-0x000000001E528000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                5.2MB

                                                                                                                                                              • memory/4816-391-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-388-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-389-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-390-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-387-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-386-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/4816-385-0x000000001DE30000-0x000000001DE40000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/5520-440-0x00007FF7F70F0000-0x00007FF7F7100000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/5520-438-0x00007FF7F70F0000-0x00007FF7F7100000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/5520-443-0x00007FF7F70F0000-0x00007FF7F7100000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/5520-442-0x00007FF7F70F0000-0x00007FF7F7100000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                              • memory/5520-441-0x00007FF7F70F0000-0x00007FF7F7100000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB