hxxps://158[.]69[.]36[.]15/files/estrouvinhar[.]js

max time kernel
1626s
max time network
1628s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://158.69.36.15/files/estrouvinhar.js

Score

8^/10

defense_evasion discovery evasion execution persistence phishing

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
29	2316	WScript.exe
111	2544	WScript.exe
112	4852	WScript.exe
113	4976	CScript.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 28 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETC76E.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETC7FC.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp2.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET757C.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\BdNet.sys	firewall.tools.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET752D.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp2.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SETC81C.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp1.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SETC7FC.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETC81C.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp1.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\BdNet.sys	firewall.tools.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET74BE.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\drivers\BdSentry.sys	SentryProtection.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETC76E.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\BdSentry.sys	SentryProtection.exe
File created	C:\Windows\system32\DRIVERS\SET752D.tmp	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET757C.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\drivers\BdSentry.sys	SentryProtection.exe
File opened for modification	C:\Windows\system32\drivers\BdNet.sys	firewall.tools.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET74BE.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\BdSentry.sys	SentryProtection.exe
File opened for modification	C:\Windows\system32\drivers\BdNet.sys	firewall.tools.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: wpm@ddf235a8wb39e0e63pa2ae5d69mfd50b9e6
phishing

Executes dropped EXE 33 IoCs

pid	Process
4268	ShieldAntivirusSetup.exe
4036	ShieldAntivirusSetup.exe
4488	InstCtrl.exe
1888	InstCtrl.exe
2016	InstCtrl.exe
4976	InstCtrl.exe
924	InstCtrl.exe
4792	ShieldAntivirus.exe
4576	ACSSigned.exe
2940	endpoint-protection-installer-x64.exe
4864	endpoint-protection-installer-x64.tmp
2768	acssigned.exe
4848	endpointprotection.exe
2424	rtp_setup.exe
4956	unins000.exe
3024	_unins.tmp
1080	rtp_setup.exe
420	endpointprotection.exe
4984	SentryProtection.exe
3556	firewall.tools.exe
3764	ShieldAntivirus.exe
3376	ACSSigned.exe
2876	endpoint-protection-installer-x64.exe
4740	endpoint-protection-installer-x64.tmp
1580	acssigned.exe
1704	endpointprotection.exe
764	rtp_setup.exe
816	unins000.exe
3956	_unins.tmp
4952	rtp_setup.exe
3788	endpointprotection.exe
2332	SentryProtection.exe
3964	firewall.tools.exe

Loads dropped DLL 40 IoCs

pid	Process
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
4268	ShieldAntivirusSetup.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2096	MsiExec.exe
2544	MsiExec.exe
2096	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
4864	endpoint-protection-installer-x64.tmp
3024	_unins.tmp
4740	endpoint-protection-installer-x64.tmp
3956	_unins.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\E:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\I:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\K:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\O:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Y:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\A:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\T:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\W:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\H:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\S:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Y:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Q:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Z:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\W:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\L:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\K:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\V:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\X:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\G:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\P:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\R:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\A:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\X:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\R:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\Z:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\M:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\T:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\U:	ShieldAntivirusSetup.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-RPMQQ.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00233.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\is-S4P04.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00205.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\launchelevated.exe	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-HCOE5.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00038.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp.dll	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\drivers\firewall\Win10-Legacy-x64\is-0HU3A.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Shield Antivirus\fr\ShieldAntivirus.resources.dll	msiexec.exe
File created	C:\Program Files\Endpoint Protection SDK\legal\engine\is-NJCBT.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\endpoint-protection-sdk\LICENSE.jsoncpp.txt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\avcp\LICENSE.zstandard.txt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\aeoffice.dll	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00080.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\is-6OT8P.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\aerdl.dll	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00045.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\endpoint-protection-sdk\LICENSE.fmt.txt	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-NNVH9.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00053.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-QO9S3.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\engine\LICENSE.uthash.txt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\quarantine-sdk\LICENSE.gsl-lite.txt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\telemetry-sdk\LICENSE.zlib.txt	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\legal\mixpanel-user-tracker\is-CBKHG.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-3O7J9.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\remediation-sdk\LICENSE.luabridge.txt	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-FMAVM.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\certificates\urlcloud.crt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00024.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00244.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-C50AB.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\aebb.dll	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00171.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00185.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-9C8Q7.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00035.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-HR4Q8.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\legal\engine\is-MU9FN.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-A42BU.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-HESA1.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\quarantine-sdk	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\drivers\x64\rtp1.sys	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-JFPOO.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\aeml.dll	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\is-GJCBR.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-PQO14.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00223.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00238.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00096.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\aesbx.dll	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00009.vdf	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\legal\base-scan\LICENSE.magic-enum.txt	_unins.tmp
File opened for modification	C:\Program Files\Endpoint Protection SDK\remediation.dll	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\legal\engine\is-OK4RK.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\is-SIQP6.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Shield Antivirus\legal\amsi-sdk\LICENSE.zstd.txt	msiexec.exe
File created	C:\Program Files (x86)\Shield Antivirus\legal\telemetry-sdk\LICENSE.cxxopts.txt	msiexec.exe
File opened for modification	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\xbv00177.vdf	_unins.tmp
File created	C:\Program Files\Endpoint Protection SDK\drivers\x64\is-OFTG1.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\legal\engine\is-IO8R1.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\is-K2BP7.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Endpoint Protection SDK\coresdk\avcp-engine-1\is-K0A9A.tmp	endpoint-protection-installer-x64.tmp

Drops file in Windows directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFEEB386A6F51F8E4A.TMP	msiexec.exe
File opened for modification	C:\Windows\ELAMBKUP\SETC77E.tmp	rtp_setup.exe
File opened for modification	C:\Windows\ELAMBKUP\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\ELAMBKUP\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC71080CEB2D29BED.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C75.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6467CDEF-9937-4297-99E7-EA4001B1D025}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12AD.tmp	msiexec.exe
File opened for modification	C:\Windows\ELAMBKUP\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	rtp_setup.exe
File opened for modification	C:\Windows\Installer\MSI1426.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6467CDEF-9937-4297-99E7-EA4001B1D025}\icon.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFBD16CC3E056B2A2.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1155.tmp	msiexec.exe
File created	C:\Windows\ELAMBKUP\SETC77E.tmp	rtp_setup.exe
File opened for modification	C:\Windows\ELAMBKUP\SET74CE.tmp	rtp_setup.exe
File opened for modification	C:\Windows\Installer\e660ead.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1007.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1144.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1406.tmp	msiexec.exe
File created	C:\Windows\Installer\e660ead.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD7.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF797C22443E36E3E2.TMP	msiexec.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	rtp_setup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1037.tmp	msiexec.exe
File created	C:\Windows\Installer\{6467CDEF-9937-4297-99E7-EA4001B1D025}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{6467CDEF-9937-4297-99E7-EA4001B1D025}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\ELAMBKUP\SET74CE.tmp	rtp_setup.exe
File opened for modification	C:\Windows\Installer\MSIFE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10F5.tmp	msiexec.exe
File created	C:\Windows\Installer\{6467CDEF-9937-4297-99E7-EA4001B1D025}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\e660eaf.msi	msiexec.exe
File opened for modification	C:\Windows\ELAMBKUP\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\Installer\MSI1077.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AiFilesRemoveNoImpers_6467CDEF_9937_4297_99E7_EA4001B1D025.bak	MsiExec.exe

Launches sc.exe 34 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4616	sc.exe
5068	sc.exe
3080	sc.exe
2792	sc.exe
2132	sc.exe
3148	sc.exe
4952	sc.exe
2068	sc.exe
864	sc.exe
4128	sc.exe
3820	sc.exe
2900	sc.exe
3056	sc.exe
1028	sc.exe
4916	sc.exe
2948	sc.exe
4080	sc.exe
2112	sc.exe
1156	sc.exe
1580	sc.exe
784	sc.exe
4964	sc.exe
3468	sc.exe
3304	sc.exe
2728	sc.exe
2880	sc.exe
2060	sc.exe
1376	sc.exe
3584	sc.exe
2404	sc.exe
2132	sc.exe
3384	sc.exe
4628	sc.exe
740	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Embeds OpenSSL 3 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x001a00000002ae81-3048.dat	embeds_openssl
behavioral1/files/0x001a00000002b06d-3971.dat	embeds_openssl
behavioral1/files/0x001b00000002af32-4013.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_unins.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	endpoint-protection-installer-x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShieldAntivirusSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	endpoint-protection-installer-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	endpoint-protection-installer-x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACSSigned.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	endpoint-protection-installer-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShieldAntivirusSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_unins.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACSSigned.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008e4795fcec2d58710000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008e4795fc0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008e4795fc000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8e4795fc000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008e4795fc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\110B3DF6A2CD6C849ABA496494583B66\FEDC764673997924997EAE04101B0D52	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AvInstall Shield Antivirus\\ShieldApps\\Shield Antivirus 5.4.0\\install\\1B1D025\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\ProductIcon = "C:\\Windows\\Installer\\{6467CDEF-9937-4297-99E7-EA4001B1D025}\\icon.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\PackageCode = "8287E327D6B76CA4C97B712B36E7D2FA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEDC764673997924997EAE04101B0D52\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E4BA4655-58DA-474C-969A-6C45ED9B3AC3}	_unins.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEDC764673997924997EAE04101B0D52	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\110B3DF6A2CD6C849ABA496494583B66	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E4BA4655-58DA-474C-969A-6C45ED9B3AC3}	endpoint-protection-installer-x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\Version = "84148224"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\ProductName = "Shield Antivirus"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AvInstall Shield Antivirus\\ShieldApps\\Shield Antivirus 5.4.0\\install\\1B1D025\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E4BA4655-58DA-474C-969A-6C45ED9B3AC3}	_unins.tmp
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\PackageName = "ShieldAntivirus.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E4BA4655-58DA-474C-969A-6C45ED9B3AC3}\telemetry = "8752de429c0d49f3a56caad1a862405a4ea606dc"	endpoint-protection-installer-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E4BA4655-58DA-474C-969A-6C45ED9B3AC3}	endpoint-protection-installer-x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEDC764673997924997EAE04101B0D52\Language = "1033"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	endpoint-protection-installer-x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	endpoint-protection-installer-x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	endpoint-protection-installer-x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	endpoint-protection-installer-x64.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	endpoint-protection-installer-x64.tmp

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 500948.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\estrouvinhar.js:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 950930.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe:Zone.Identifier	msedge.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	113	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	111	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
2248	msedge.exe
2248	msedge.exe
1868	identity_helper.exe
1868	identity_helper.exe
1080	msedge.exe
1080	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
652	msedge.exe
652	msedge.exe
1772	msedge.exe
1772	msedge.exe
4932	msedge.exe
4932	msedge.exe
5096	identity_helper.exe
5096	identity_helper.exe
2060	msedge.exe
2060	msedge.exe
4524	msedge.exe
4524	msedge.exe
4860	msiexec.exe
4860	msiexec.exe
4864	endpoint-protection-installer-x64.tmp
4864	endpoint-protection-installer-x64.tmp
3024	_unins.tmp
3024	_unins.tmp
3024	_unins.tmp
3024	_unins.tmp
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
4740	endpoint-protection-installer-x64.tmp
4740	endpoint-protection-installer-x64.tmp
3956	_unins.tmp
3956	_unins.tmp
3956	_unins.tmp
3956	_unins.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2424	rtp_setup.exe
764	rtp_setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4860	msiexec.exe
Token: SeCreateTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeLockMemoryPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeIncreaseQuotaPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeMachineAccountPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeTcbPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSecurityPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeTakeOwnershipPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeLoadDriverPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemProfilePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemtimePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeProfSingleProcessPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeIncBasePriorityPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreatePagefilePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreatePermanentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeBackupPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeRestorePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeShutdownPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeDebugPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeAuditPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemEnvironmentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeChangeNotifyPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeRemoteShutdownPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeUndockPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSyncAgentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeEnableDelegationPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeManageVolumePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeImpersonatePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreateGlobalPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreateTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeLockMemoryPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeIncreaseQuotaPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeMachineAccountPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeTcbPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSecurityPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeTakeOwnershipPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeLoadDriverPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemProfilePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemtimePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeProfSingleProcessPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeIncBasePriorityPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreatePagefilePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreatePermanentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeBackupPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeRestorePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeShutdownPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeDebugPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeAuditPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSystemEnvironmentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeChangeNotifyPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeRemoteShutdownPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeUndockPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeSyncAgentPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeEnableDelegationPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeManageVolumePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeImpersonatePrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreateGlobalPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeCreateTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeLockMemoryPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeIncreaseQuotaPrivilege	4268	ShieldAntivirusSetup.exe
Token: SeMachineAccountPrivilege	4268	ShieldAntivirusSetup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe
2080	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 4008	2248	msedge.exe	77
PID 2248 wrote to memory of 4008	2248	msedge.exe	77
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4288	2248	msedge.exe	78
PID 2248 wrote to memory of 4572	2248	msedge.exe	79
PID 2248 wrote to memory of 4572	2248	msedge.exe	79
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80
PID 2248 wrote to memory of 2708	2248	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://158.69.36.15/files/estrouvinhar.js
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3bd03cb8,0x7ffc3bd03cc8,0x7ffc3bd03cd8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15388604339493069844,8121401896006142915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\estrouvinhar.js"
1⤵
- Blocklisted process makes network request
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3bd03cb8,0x7ffc3bd03cc8,0x7ffc3bd03cd8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe
  "C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- - C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe
    "C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe" /i "C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\ShieldAntivirus.msi" /L*v "C:\Users\Admin\AppData\Roaming\\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\installlog.txt" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Shield Antivirus" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shield Antivirus" SECONDSEQUENCE="1" CLIENTPROCESSID="4268" AI_MORE_CMD_LINE=1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3082898419945422444,10027442950804192819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 482E60C396002A5FE1B27DCE06DD1ED8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3872
- - C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe
    "C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe" afterinstallrun "C:\Users\Admin\Downloads\ShieldAntivirusSetup.exe"
    3⤵
    - Executes dropped EXE
    PID:4792
  - - C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\ACSSigned.exe
      "C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\ACSSigned.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4576
  - - C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe
      "C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe" /License="C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\avira3000000156.lic" /VerySilent /SuppressMsgBoxes /LOG="C:\Users\Admin\AppData\Roaming\Shield Antivirus\innologs.log" /NoRestart /WscAppName="Shield Antivirus" /UiPath="C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe" /LogLevel=Information
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\is-EIGPR.tmp\endpoint-protection-installer-x64.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EIGPR.tmp\endpoint-protection-installer-x64.tmp" /SL5="$602A2,237712944,868864,C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe" /License="C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\avira3000000156.lic" /VerySilent /SuppressMsgBoxes /LOG="C:\Users\Admin\AppData\Roaming\Shield Antivirus\innologs.log" /NoRestart /WscAppName="Shield Antivirus" /UiPath="C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe" /LogLevel=Information
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
      - C:\Windows\system32\fltmc.exe
        
        "fltmc.exe" unload rtp_filesystem_filter
        6⤵
        
        PID:1608
      - C:\Windows\system32\fltmc.exe
        
        "fltmc.exe" unload rtp_filter
        6⤵
        
        PID:2816
      - C:\Windows\system32\fltmc.exe
        
        "fltmc.exe" unload rtp1
        6⤵
        
        PID:3588
      - C:\Windows\system32\fltmc.exe
        
        "fltmc.exe" unload rtp2
        6⤵
        
        PID:1644
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_traverse
        6⤵
        
        PID:2404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_traverse
        7⤵
        
        PID:1488
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_traverse
        6⤵
        Launches sc.exe
        
        PID:4616
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp1
        6⤵
        
        PID:1492
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp1
        7⤵
        
        PID:1988
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp1
        6⤵
        Launches sc.exe
        
        PID:5068
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp2
        6⤵
        
        PID:1900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp2
        7⤵
        
        PID:412
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp2
        6⤵
        Launches sc.exe
        
        PID:3468
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_filter
        6⤵
        
        PID:3260
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_filter
        7⤵
        
        PID:3564
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_filter
        6⤵
        Launches sc.exe
        
        PID:4916
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_filesystem_filter
        6⤵
        
        PID:5008
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_filesystem_filter
        7⤵
        
        PID:2492
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_filesystem_filter
        6⤵
        Launches sc.exe
        
        PID:4128
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_process_monitor
        6⤵
        
        PID:4652
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_process_monitor
        7⤵
        
        PID:844
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_process_monitor
        6⤵
        Launches sc.exe
        
        PID:3304
      - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_elam
        6⤵
        
        PID:3736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_elam
        7⤵
        
        PID:1704
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_elam
        6⤵
        Launches sc.exe
        
        PID:2728
      - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter
        6⤵
        
        PID:2788
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        7⤵
        
        PID:4268
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter
        6⤵
        Launches sc.exe
        
        PID:2880
      - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter2
        6⤵
        
        PID:4560
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        7⤵
        
        PID:4572
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter2
        6⤵
        Launches sc.exe
        
        PID:2948
      - C:\Windows\system32\net.exe
        
        "net.exe" stop EndpointProtectionService
        6⤵
        
        PID:3372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService
        7⤵
        
        PID:4972
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete EndpointProtectionService
        6⤵
        Launches sc.exe
        
        PID:2060
      - C:\Windows\system32\net.exe
        
        "net.exe" stop EndpointProtectionService2
        6⤵
        
        PID:1004
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService2
        7⤵
        
        PID:4584
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete EndpointProtectionService2
        6⤵
        Launches sc.exe
        
        PID:4952
      - C:\Windows\system32\net.exe
        
        "net.exe" stop BdSentry
        6⤵
        
        PID:2312
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdSentry
        7⤵
        
        PID:2716
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete BdSentry
        6⤵
        Launches sc.exe
        
        PID:784
      - C:\Windows\system32\net.exe
        
        "net.exe" stop BdNet
        6⤵
        
        PID:1932
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdNet
        7⤵
        
        PID:3568
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete BdNet
        6⤵
        Launches sc.exe
        
        PID:4080
      - C:\Program Files\Endpoint Protection SDK\acssigned.exe
        
        "acssigned.exe"
        6⤵
        Executes dropped EXE
        
        PID:2768
      - C:\Program Files\Endpoint Protection SDK\endpointprotection.exe
        
        "endpointprotection.exe" check
        6⤵
        Executes dropped EXE
        
        PID:4848
      - C:\Windows\system32\sc.exe
        
        "sc.exe" create netprotection_network_filter type= kernel start= system error= normal binPath= System32\drivers\netprotection_network_filter.sys DisplayName= netprotection_network_filter group= PNP_TDI tag= yes
        6⤵
        Launches sc.exe
        
        PID:3820
      - C:\Windows\system32\sc.exe
        
        "sc.exe" create netprotection_network_filter2 type= kernel start= demand error= normal binPath= System32\drivers\netprotection_network_filter2.sys DisplayName= netprotection_network_filter2 group= PNP_TDI tag= yes
        6⤵
        Launches sc.exe
        
        PID:4964
      - C:\Program Files\Endpoint Protection SDK\rtp_setup.exe
        
        "rtp_setup.exe" install /drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\X64" /license-path="C:\Program Files\Endpoint Protection SDK\sdk.lic" /client-path="C:\Program Files\Endpoint Protection SDK\endpointprotection.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: LoadsDriver
        
        PID:2424
      - C:\Program Files\Endpoint Protection SDK\unins000.exe
        
        "unins000.exe" /VERYSILENT /LOG /Rollback=on
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files\Endpoint Protection SDK\unins000.exe" /FIRSTPHASEWND=$50286 /VERYSILENT /LOG /Rollback=on
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Program Files\Endpoint Protection SDK\rtp_setup.exe
        
        "rtp_setup.exe" uninstall /drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\X64"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1080
        
        C:\Program Files\Endpoint Protection SDK\endpointprotection.exe
        
        "endpointprotection.exe" uninstall
        8⤵
        Executes dropped EXE
        
        PID:420
        
        C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter
        8⤵
        
        PID:2060
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        9⤵
        
        PID:340
        
        C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter
        8⤵
        Launches sc.exe
        
        PID:3080
        
        C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter2
        8⤵
        
        PID:5016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        9⤵
        
        PID:3292
        
        C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter2
        8⤵
        Launches sc.exe
        
        PID:2112
        
        C:\Program Files\Endpoint Protection SDK\SentryProtection.exe
        
        "SentryProtection.exe" -uninstall drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\sentry"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4984
        
        C:\Program Files\Endpoint Protection SDK\firewall.tools.exe
        
        "firewall.tools.exe" uninstall --driver-path="C:\Program Files\Endpoint Protection SDK\drivers\firewall"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3556
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9EE893F2E05097E5D8AAA96C44435C2A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8C66CE549D6F66D78A5F0648B8F29BC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe
  "C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe" xtend
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe
  "C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe" createini
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe
  "C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe" skipuac
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe
  "C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe" installstats
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe
  "C:\Program Files (x86)\Shield Antivirus\InstCtrl.exe" installpage
  2⤵
  - Executes dropped EXE
  PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://shieldapps.com/post-install/shield-antivirus-successful-installation/?lnT=PostInstall&ipA=181.215.176.83&mcA=406173045EBC&osN=Microsoft+Windows+11+Pro&osV=10.0.22000.0&lng=en&bdV=5.4.0&scR=&lcA=&lcE=
    3⤵
    PID:760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc3bd03cb8,0x7ffc3bd03cc8,0x7ffc3bd03cd8
      4⤵
      PID:4520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\estrouvinhar.js"
1⤵
- Blocklisted process makes network request
PID:2544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\estrouvinhar.js"
1⤵
- Blocklisted process makes network request
PID:4852

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\estrouvinhar.js"
1⤵
- Blocklisted process makes network request
PID:4976

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2080

C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe
"C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe"
1⤵
- Executes dropped EXE
PID:3764
- C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\ACSSigned.exe
  "C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\ACSSigned.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe
  "C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe" /License="C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\avira3000000156.lic" /VerySilent /SuppressMsgBoxes /LOG="C:\Users\Admin\AppData\Roaming\Shield Antivirus\innologs.log" /NoRestart /WscAppName="Shield Antivirus" /UiPath="C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe" /LogLevel=Information
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\is-HFUO7.tmp\endpoint-protection-installer-x64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HFUO7.tmp\endpoint-protection-installer-x64.tmp" /SL5="$9026A,237712944,868864,C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\endpoint-protection-installer-x64.exe" /License="C:\Users\Admin\AppData\Roaming\Shield Antivirus\MotifLib\avira3000000156.lic" /VerySilent /SuppressMsgBoxes /LOG="C:\Users\Admin\AppData\Roaming\Shield Antivirus\innologs.log" /NoRestart /WscAppName="Shield Antivirus" /UiPath="C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe" /LogLevel=Information
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4740
  - - C:\Windows\system32\fltmc.exe
      "fltmc.exe" unload rtp_filesystem_filter
      4⤵
      PID:1828
  - - C:\Windows\system32\fltmc.exe
      "fltmc.exe" unload rtp_filter
      4⤵
      PID:2780
  - - C:\Windows\system32\fltmc.exe
      "fltmc.exe" unload rtp1
      4⤵
      PID:2860
  - - C:\Windows\system32\fltmc.exe
      "fltmc.exe" unload rtp2
      4⤵
      PID:3404
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp_traverse
      4⤵
      PID:3968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_traverse
        5⤵
        
        PID:912
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp_traverse
      4⤵
      Launches sc.exe
      PID:1376
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp1
      4⤵
      PID:2160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp1
        5⤵
        
        PID:3472
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp1
      4⤵
      Launches sc.exe
      PID:1156
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp2
      4⤵
      PID:1504
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp2
        5⤵
        
        PID:2412
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp2
      4⤵
      Launches sc.exe
      PID:3584
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp_filter
      4⤵
      PID:3120
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_filter
        5⤵
        
        PID:4132
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp_filter
      4⤵
      Launches sc.exe
      PID:2068
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp_filesystem_filter
      4⤵
      PID:1968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_filesystem_filter
        5⤵
        
        PID:1888
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp_filesystem_filter
      4⤵
      Launches sc.exe
      PID:3384
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp_process_monitor
      4⤵
      PID:3276
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_process_monitor
        5⤵
        
        PID:2032
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp_process_monitor
      4⤵
      Launches sc.exe
      PID:2900
  - - C:\Windows\system32\net.exe
      "net.exe" stop rtp_elam
      4⤵
      PID:1384
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_elam
        5⤵
        
        PID:3712
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete rtp_elam
      4⤵
      Launches sc.exe
      PID:2404
  - - C:\Windows\system32\net.exe
      "net.exe" stop netprotection_network_filter
      4⤵
      PID:784
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        5⤵
        
        PID:564
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete netprotection_network_filter
      4⤵
      Launches sc.exe
      PID:4628
  - - C:\Windows\system32\net.exe
      "net.exe" stop netprotection_network_filter2
      4⤵
      PID:3732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        5⤵
        
        PID:1612
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete netprotection_network_filter2
      4⤵
      Launches sc.exe
      PID:740
  - - C:\Windows\system32\net.exe
      "net.exe" stop EndpointProtectionService
      4⤵
      PID:752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService
        5⤵
        
        PID:5112
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete EndpointProtectionService
      4⤵
      Launches sc.exe
      PID:2792
  - - C:\Windows\system32\net.exe
      "net.exe" stop EndpointProtectionService2
      4⤵
      PID:3464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService2
        5⤵
        
        PID:4884
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete EndpointProtectionService2
      4⤵
      Launches sc.exe
      PID:1580
  - - C:\Windows\system32\net.exe
      "net.exe" stop BdSentry
      4⤵
      PID:2984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdSentry
        5⤵
        
        PID:3768
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete BdSentry
      4⤵
      Launches sc.exe
      PID:2132
  - - C:\Windows\system32\net.exe
      "net.exe" stop BdNet
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdNet
        5⤵
        
        PID:3008
  - - C:\Windows\system32\sc.exe
      "sc.exe" delete BdNet
      4⤵
      Launches sc.exe
      PID:864
  - - C:\Program Files\Endpoint Protection SDK\acssigned.exe
      "acssigned.exe"
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Program Files\Endpoint Protection SDK\endpointprotection.exe
      "endpointprotection.exe" check
      4⤵
      Executes dropped EXE
      PID:1704
  - - C:\Windows\system32\sc.exe
      "sc.exe" create netprotection_network_filter type= kernel start= system error= normal binPath= System32\drivers\netprotection_network_filter.sys DisplayName= netprotection_network_filter group= PNP_TDI tag= yes
      4⤵
      Launches sc.exe
      PID:2132
  - - C:\Windows\system32\sc.exe
      "sc.exe" create netprotection_network_filter2 type= kernel start= demand error= normal binPath= System32\drivers\netprotection_network_filter2.sys DisplayName= netprotection_network_filter2 group= PNP_TDI tag= yes
      4⤵
      Launches sc.exe
      PID:3148
  - - C:\Program Files\Endpoint Protection SDK\rtp_setup.exe
      "rtp_setup.exe" install /drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\X64" /license-path="C:\Program Files\Endpoint Protection SDK\sdk.lic" /client-path="C:\Program Files\Endpoint Protection SDK\endpointprotection.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: LoadsDriver
      PID:764
  - - C:\Program Files\Endpoint Protection SDK\unins000.exe
      "unins000.exe" /VERYSILENT /LOG /Rollback=on
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:816
    - - C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files\Endpoint Protection SDK\unins000.exe" /FIRSTPHASEWND=$C0216 /VERYSILENT /LOG /Rollback=on
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
      - C:\Program Files\Endpoint Protection SDK\rtp_setup.exe
        
        "rtp_setup.exe" uninstall /drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\X64"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4952
      - C:\Program Files\Endpoint Protection SDK\endpointprotection.exe
        
        "endpointprotection.exe" uninstall
        6⤵
        Executes dropped EXE
        
        PID:3788
      - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter
        6⤵
        
        PID:1020
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        7⤵
        
        PID:2600
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter
        6⤵
        Launches sc.exe
        
        PID:3056
      - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter2
        6⤵
        
        PID:1120
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        7⤵
        
        PID:3372
      - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter2
        6⤵
        Launches sc.exe
        
        PID:1028
      - C:\Program Files\Endpoint Protection SDK\SentryProtection.exe
        
        "SentryProtection.exe" -uninstall drivers-path="C:\Program Files\Endpoint Protection SDK\drivers\sentry"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2332
      - C:\Program Files\Endpoint Protection SDK\firewall.tools.exe
        
        "firewall.tools.exe" uninstall --driver-path="C:\Program Files\Endpoint Protection SDK\drivers\firewall"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e660eae.rbs

Filesize
4.1MB

MD5
b057b68bf069dfeb505ca6c9fe6d4b82

SHA1
4c82370ccdd0bce7584d8522d01fda2e3ab1e34f

SHA256
8ff2c63c0bb7a48ddb57df4682d71f97f48bc24c2b9bd2300329c684dce8cc37

SHA512
379209a48e7f2e1f8d60787e367a8716a8e96638f33b2b6ce5754f52844ebdf8d12a287e055a16609acbc317a42b72b9ac50cc270a89424e16c3139ed6d1b25a

Download Submit
C:\Program Files (x86)\Shield Antivirus\ShieldAntivirus.exe

Filesize
3.6MB

MD5
c7365ed055d75735ef8b4a5c4ed87314

SHA1
5ed2d29b033cecd3bca2a4734a5d15828843d97f

SHA256
e6bb4b50f8e34ee71f25fb5c80c47c6e56ef63376a089e1dad8838e76e0fafcc

SHA512
e7bfdf2c6a0423bf288dc0fe9bbbd549d8df30234b6579428339311c2dae6efba4b8f9e8190ade6d8f735c957e07689a5456066dfa8d335de3659115b7676f49

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
607B

MD5
9c7e910c17383fcc8b99f48d53f243fa

SHA1
0b979392fe3b543d60137a66589e65a69b72741a

SHA256
0ea278418b1e6d17732836e06d9217d318fc69b88a891b2c6b141ed4aaff521e

SHA512
3f6759ebd559f0d689d1dd7311237830e8883fad2d84b198605b5bb7e8f03217401e78424db86412c01dd5fd18c63b695f85c9032fd4627992da7d41dc5ce5ef

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
688B

MD5
a96bc036c4d45129e0d26a3ff9c3e1a1

SHA1
6453e5ca20367edf2f7c81fbef89967fc30ee721

SHA256
41a280d22c17dc5e0c580561965174bc98a8d6a7209f2fff2babe65f4f9ae5a6

SHA512
eade0388ad4df812d4a1bbe96ed07f19f3f2bfd5c276027ffb045abc06fbb80eef5e2bfdd29995895db7284d6ad6a56ceaf5ae7e459acd02bfcfbd11df97deb0

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
730B

MD5
c867e55ae27b281e67114a177087ad86

SHA1
3ca4d4527b161a9cd6553e9bdf2c3bbd8d78735f

SHA256
215e1c035683ca6fa7c72e868671f4ec4a48921b1c033e50c6ccbf433f7b2637

SHA512
84e6939695ae3a869571cbf93188322ed409edd1219e8a29adf162a6331e5d8760bbe4003a879544f4153304424b5c6da91ea4567dcaf385623bbe849cfc180a

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
587B

MD5
e3630c006a4dfa5b1243a87d6bc086e5

SHA1
8a9fa7ecd21013f7de29b4ff4da00ffb5babc683

SHA256
225409862d621a71fa17151fdbd43eebfaf5dd6d14cbca60a611802dc45f6c6f

SHA512
6777e01d775bd93ab00900300378674907a2344f9e54e8c6dbc6b539dd411da6eaa239259ff302e91744636e304d815e8094d4dd560fae7d096ad2adbe667e91

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
567B

MD5
56ccdcf57e350337abcaee3aad577819

SHA1
56007a039a9869ac17850aa84b208f99f360b368

SHA256
5ad4fb6389df1c2923e345567a8cc12c66cfeebae81ea2076a5065bf4c34b9dc

SHA512
d2b490908b26a6e1d2f4e50815136f2f49ae78629dfbd51a51db894333c82d90723c18280445bae3f6290c17c155dc7e8da3bf0f8ba53616b26dabf92cef400d

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
567B

MD5
18974da9c42d669317af56aae7b71e58

SHA1
1679828bb6d3cb76e7e94e6957c14e869cae8a80

SHA256
24af546a7e0639a7d229fa32247881da8859f33542bccbbc502406a59451b8ea

SHA512
972c39a3fe7563c413efff97e0f51daa51adbb3d4fefd11648595587b7cef4c6468cce62e6c1aabb3468ed5b913072566ef4246b89a66f0c91aec523f894ce27

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
607B

MD5
9f7afb6a33454b05fbef512768f551e1

SHA1
1eb1be9493c8a38ec20e72162ded56e542a5f5f8

SHA256
522952bb010d55b8329e4b06f99a8b35becede5ef08d7d4477a662a480480207

SHA512
5d83dcb5935d32565f1b053d933f1b178e3bd75b4c461364d165de6a7bc3b786293bd3adb4b7a610910ff06c90d8363279d9aea52d58316c07b227b1e7c5369d

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
669B

MD5
c0c4bcf1fe0e6db51631f4b46d14e6e2

SHA1
21171202a5e02f5167e687cce8f7f89e50197246

SHA256
a7ac9219d77d8372c74926412d4aa57e210894d33aec72871bf5bae53fc19e5b

SHA512
ccdeb6ea08f8feb164f765fde33586684cab0d4940cb000832ca94cb4164e9fe7409b9990f025514767462ce5fcab2b17fc88f17fb98c0bb2e7761581ccb295a

Download Submit
C:\Program Files\Endpoint Protection SDK\EndpointProtection.json

Filesize
730B

MD5
5cc7910e2768ab51998ea3d1fc11ba4a

SHA1
f4973032172b9f70b78c0303c195bf936b0ee6f7

SHA256
84a023405aaaad4eedcdf758cce6b9aaf4f7b842d80aef89561a8db0176fbb8e

SHA512
c37f7a365f2df0b651a851a67c0a32d45ffa999f6e8a41cefbd187333ebca837a0a0d5b6f24f24231c8afd2840e36f9d5bf31b5553ca0b6bd6a5742126b411a5

Download Submit
C:\Program Files\Endpoint Protection SDK\SentryProtection.exe

Filesize
430KB

MD5
c230b6d344e6011fc165cf3ba3830fdc

SHA1
f101a7e9a348d5a33a3bc27b1f9580ac1265cd2a

SHA256
4454e14f30d30f0ea7e8c193430ff3e54c8f66d623666a4bee4b041a86bc293f

SHA512
e7095589c4b0de7b0483733fd18a843d5e9c82fe1465ac4780b0c296b445beeaae9d2a0d4324258760686b64b3c61a67886a7d341c9fe490d384eb6729455a61

Download Submit
C:\Program Files\Endpoint Protection SDK\acssigned.exe

Filesize
208KB

MD5
80e6790855998b8e40db4c8853571e2c

SHA1
51134fda944be15d0b53abf191209627bebe3c39

SHA256
e3dd27c1c6c18fcd7487451499b776b8dbbcbff2134458c72645f9a44869f0af

SHA512
065e5ee16e7f27ba1afa865a3b765d614a6708e0933a39acf97de60cf442f76a697219978c70f1d922a4f3f9328a9790b59f0d3630db7a996658da769ea4e517

Download Submit
C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-729JJ.tmp

Filesize
2KB

MD5
da1126b95dc0d77a0c7479cceaa9fd9c

SHA1
825ea99cafd8cb249714bb0ad406d8e1a4974da7

SHA256
43d1404bb027fee0f0b8e09d5c1c829e833c3cc0639b9f9578722494bcbac241

SHA512
f287e02fcd40faf4a7e4c7097be2a3979246bad6a3cc67177adc62317b771525d0706c38fbe3f7b6325a0d3ad82f42ec48783dbddcc8f83fadb01dfc7310e226

Download Submit
C:\Program Files\Endpoint Protection SDK\coresdk\avcp-vdf\is-AQB87.tmp

Filesize
2KB

MD5
41030d85f47790be7c3bfc63c336d849

SHA1
61d8e2478305f52a3d1b63b140df52ebe23bb1bc

SHA256
a2003328f05583e04a8b72040d199a4e94b825b1ec47a41b53b392d8e2b8f03f

SHA512
88441e81aca47c1de791a03079511f54ee792db604019bc71c78439fdb5a7e0da6cedc0739cb92f05bee12c8658c6cc8021debdac6a62459b0a2d2727e4bb82b

Download Submit
C:\Program Files\Endpoint Protection SDK\drivers\firewall\Win10-Legacy-x64\is-J2L0C.tmp

Filesize
2KB

MD5
0b56bd44d39f3b1f0a5296e3306fd860

SHA1
e05c46ca012a0443a4d31c3145400eb09d16060e

SHA256
f644fc935e5b6e56a466cf556325fc14da244cbd365fcf82873b4b6412b36d0a

SHA512
46886f2367de6b5f92d11f6e015a2f663eeddecf7351625f42e0663f136445e7e1792f14d713d4cafead68c2a51d35671ad712805182fc639b632764923ec443

Download Submit
C:\Program Files\Endpoint Protection SDK\drivers\sentry\Win10-Legacy-x64\is-HNQRR.tmp

Filesize
2KB

MD5
29634a68d723fca94f3d0335e52be117

SHA1
a6bb06518d6da69e2d154c789d87e7c921cdf3a3

SHA256
af0f208f40683eaf7c5d479c7eb65d1f3546eda0f428e00c0e7e53531442002c

SHA512
6c0577a7fe2c7070a68a32cb6ebc1a338cec9a8fc2d0fe46582939e73e908d98997fa3831cb6ff789878bc6020ccc914fc0c3ea1211ff2cba62bfb9bfd67869b

Download Submit
C:\Program Files\Endpoint Protection SDK\endpointprotection.exe

Filesize
11.4MB

MD5
1fc2a05e94d271b9f190ddfbf9c37bde

SHA1
4dbf673428e7e6a87463095f0d6c24cfcf7b0089

SHA256
69c4a033dfef46f452a83b886a5fe65120c27b089e5c25c2136ecc90e621dac0

SHA512
4e72fabe3dfdc9615d3bac0c43ad469ed25c2cec002010c85aee49b4b3187985886f904dd28ba136dabaedb2b6a2a0618d5fca31d9e78ea0f356da4d31c221e7

Download Submit
C:\Program Files\Endpoint Protection SDK\firewall.tools.exe

Filesize
695KB

MD5
9fbd652a5597e0f58c51c474676f789e

SHA1
1f2833b66e71bb31ae0938b754b907eb570ba595

SHA256
e49cb032f4c19b5f5e9f20d5f718d68aa9b32cb3ab62a2ac955cb486a5082034

SHA512
bb9828ab118a7882e974908263d391e1b96b9ed2ae49cdaec0db2aa0b54eb1e983fc1910f90bbe71daa7303449ffffaaec4cb25716e7febe7741898a7dfd50f5

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\amsi-sdk\is-2E4M8.tmp

Filesize
5KB

MD5
ba04aa8f65de1396a7e59d1d746c2125

SHA1
47ab05791f28173ad2b82f25c2b5c7fc06252b4d

SHA256
a140e5d46fe734a1c78f1a3c3ef207871dd75648be71fdda8e309b23ab8b1f32

SHA512
4c7bc4d3d51a410aecccfc3d64c99c0768eb9810f5d828468139cc45d74923fcce030e0cf1e65d75832f0bb7b2a2268e0e34eab4bd9d80d5b116889ac42cdc2b

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\amsi-sdk\is-B3NOK.tmp

Filesize
1KB

MD5
d8a9d2078f35e61cf1122ccd440687cf

SHA1
cacfcacf93466610f196733d660beace4a91f80e

SHA256
01c022eca6d566e2e8792fd0f091a28653b2a608319922bcd4de91c49d1438e1

SHA512
05504fbfe93cc01413676f19ec0c845dc95e7a3a39b5ad3c4ae180bc7a1a90d847c714a5b7e9fb28a5bcdf2006c4de151536fa7ea5663b04921e0298f27d4a04

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\amsi-sdk\is-CBH27.tmp

Filesize
1KB

MD5
541962f9dacf27c928f57e3a7ba9e1f2

SHA1
90838dbe7cd144671c3ede0900d14f1c5e6ae041

SHA256
efdabc1c1f655528b8c3a59b03668d446746d87273fab76f8af800b6e8891bd2

SHA512
4200d83dd104d24b3759cecaf2036868242fd4b484f4939956dfe9f01b6851b232e80a3b6c91de6bb7e9854635ea3c473e638cc7f7d5774f05f73d174f2e9982

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\avcp\is-AEK44.tmp

Filesize
1KB

MD5
68bddaed9a0bcc41a54a5b65d17e6fe9

SHA1
7131c88ee48b228af9ae251aace38e8e3d643539

SHA256
2bbc78776d14e295e15e9e6c63ae946b8f76567af992c0ac7320d153a0611830

SHA512
a801e2fdaec88bd9d111625c928768139cdea8bc837fdbcd200ea0a5f3c528f572f1c5bbe7febbde1eef892916fc52a37517667782faf40ab287cc24701ec90d

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\avcp\is-J555P.tmp

Filesize
1KB

MD5
22681e307fc7207d3823387d823af60f

SHA1
f39758dda00281db4eefbe95ee61c3cc225c7102

SHA256
8b7bc50ec3ecee27224e17d4d316a939fa2ddda9c88e0ddc2f059ce432edbfb9

SHA512
57717e28d0d4dbf64ef7bb303a709a5619db03d466c9a9c62e6c1d886abc18ab310b19d017ea9b6856f7cb03b39f9d1201ebb2f5271eaee48d831987198a3e32

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\avcp\is-K5JN1.tmp

Filesize
2KB

MD5
20be37bc5913b26c82fe599c6d6ffadc

SHA1
9d895fbc1ef710d2612908ce38b077def7157619

SHA256
f5588825626199bfd051141eb31345e6e6e0ac00b95751e05da9142767109098

SHA512
9742895c681c019040a87cbf902b8ac49a7acd30a949ec6851231d6cd4e89db757ee14ce6e42cc4b65eca100ea356f34f45193986210d66388ec95470325aa81

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\avcp\is-PKT1P.tmp

Filesize
1KB

MD5
2e9fb35867314fe31c6a4977ef7dd531

SHA1
0a31fbdd5090bd461236bca4b1a86c79fd244d7a

SHA256
db3c4a3b3695a0f317a0c5176acd2f656d18abc45b3ee78e50935a78eb1e132e

SHA512
8ae8b98b89d35dbc350b27e477e50d668114139371adbe59e29c584f7bad7271b1c2cc65bd29d19a15ea9cd7f58ba11c2d25f0fd2b7615a6457119c7e9d57f2a

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\avcp\is-U3R2L.tmp

Filesize
1KB

MD5
87d2e2d2e25c326bdacec532d1f833a7

SHA1
be80adb0872e910d3487626f0ca1ed39297eec90

SHA256
217db2add3b8302ac15ee5035fb2c54a6b77d6682d0d858ac362bf7a8ff9432b

SHA512
d73f5c0e7df8ee302936ece2332f6c6e9985472ad150b1b17391aab66649bda5a9147cac311d0c413dada7234a00f8b3b09b984168d1d925d448c08136428ef8

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\base-scan\is-VHQ63.tmp

Filesize
808B

MD5
135624eef03e1f1101b9ba9ac9b5fffd

SHA1
409ff756b1f0bb05818f6ac0996facc6de1dc7d1

SHA256
9332252e9b9e46db8285d4a3f0bf25f139bf1dca6781b956d57f2302efca6432

SHA512
e063cc0bea3e3a4a8f79641fad09ed7c829bff23a89180e0bf4b91dffad941a56cd669b5efcc7058d17ef018742ce87f13e70fc2a745c9689ea33e0c53841fc8

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\endpoint-protection-sdk\is-33C1I.tmp

Filesize
1KB

MD5
7e7717cf723eb72f57e80fdb651cb318

SHA1
fef04ec8d9741c2b9eb4f1a6db687b96a90186c4

SHA256
bd227b8a5586dc73012262abfc0fc4eb84c2a91ad3f93b3591f8148fe17324d3

SHA512
2a24624c9fd94ddb6a24608a4c0b1c1898eefea673131696391182d6f6cd71131bc6becaf67a09ddb98bc7852edf909d1e72e57dd99a951054f168867509bf68

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\endpoint-protection-sdk\is-8KJNB.tmp

Filesize
71B

MD5
3e2561878a157b3444c4c761660c7080

SHA1
557520cd765a8a6325c6102af905458d9b74241c

SHA256
3cafdd9b568b924b234b91f4a24649d509f02643ae727eac6a4e33818288c9c4

SHA512
a1b898769ecd765bcad6e1f7af9aad3720fd81f5edc687f88bd5b156f342b9d69a3949f782d86830921ef187c9025b514c871b2abddb1778a9a18c57bcab6222

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\endpoint-protection-sdk\is-FQ6TI.tmp

Filesize
1KB

MD5
b9257785fc4f3803a4b71b76c1412729

SHA1
1606b4a09dd264124a044831841a83c68a2b9126

SHA256
07580f2a3b35709ce703d523f447b242f6dfec7582a8c0df102c7fa2849375f8

SHA512
797c66d1416b15b73ab6234e427c17b437e04c2bc36d34ca71116f2a1ba2feb89bc28ba72a570869db05f7a2dc3f705d558a8cbbae47161a3f82d560352274bc

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-03NM3.tmp

Filesize
1KB

MD5
7cb9c6d153159f7bae7c22dc98841c88

SHA1
8493a0e4a27722f303a604bad4b13eb707e7f60e

SHA256
2d04636dd2411ff519a8472431fb82dd5f61ccc9a28f1b1bfa24579fb356c93f

SHA512
09f1a63ea10e373dfb7d031c362804292d461808079ee1390e32aaa23cef81016105a2bff6f5bce88c7d678e023a2bd7c0d780565184274729fac53c912e61c9

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-0D8KR.tmp

Filesize
1KB

MD5
f26bc965db4b0fadbc2b93372dde7a5a

SHA1
de4ee4e9143dd3833a4104594c85f14588ad4517

SHA256
3988372a68b15d93061560583a6f79665889a2e2543a2e4724eee00ec8260e6a

SHA512
16b7d76f3bf3a82aad545634f249e5aa3748320f589f6cab6b4880a21bde0da82afbcf78f9db17a40afa2dac2bbece306c3f80bceae05edac0c54721b59f5173

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-1NO93.tmp

Filesize
1KB

MD5
3e9a9515a183c71e4ded6265f5ae0f78

SHA1
e33283229d3111927b042910a0d2322c6bc15db3

SHA256
e6fa0189392f6c86abbc9d0b66999d32500154322943410a0809ff71dfb50832

SHA512
052dc9aa7b985043c817b6153ea2edb8b705db5a8eff4220dbf66c14dddac1d3acf9d7d401b5da9e246dc88285dcafa6f019ebca98d37d5c40453ea252e27abc

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-22P73.tmp

Filesize
1KB

MD5
c3eac2e4696e3a804267c371c390e456

SHA1
b2ba7388b2a24a4d8780c545edb7ecd2f1af668d

SHA256
01f35bb17d774abd6aac207799855e86127dc9c25f2441f206e506e3b59e8218

SHA512
6a08175d08eca69c5c0d91af2d6ebe54c994a9366eee75fcbccc289c762cc6df09f0eda3c3d47da4e897def86c5fbf3a0f7aeec2a7fb8077be0eb677213180b9

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-55FE0.tmp

Filesize
1KB

MD5
1f8c3b4712a0e195744fd41bfee6d919

SHA1
d1fe40a0a4a6a076d0a133a6120445174af6688a

SHA256
2857a049e73dc1966b7f5e7b989e0dd6b606cfec3583268bdcfc892a0f8eb8bd

SHA512
0846b62b20c2132ca41df4948dcdae21c6513b1dc63f542b217786edf8758f93fd67dc54cb0ef3f0c6614507e3d04ad82572da3afe81c4a5824b17af52dad6d8

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-83527.tmp

Filesize
1KB

MD5
12409035b6eeb462283eab6cfdadf363

SHA1
aa9431526797319caf5a06e6dd4ccca2fe74c148

SHA256
59c0fb99e380b2cc7ec53553d41a58186cb18d27ca08796c12421e8abce9dd8c

SHA512
38ddab564f4ea84059b080b9e0f2e5acef8b203def2512c371f1d4b6fd776be7be2d519b85a30b6790773c9cd1d1f500325cfcbd4eb418d6a0b507165c601432

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-8MA9N.tmp

Filesize
1KB

MD5
14e20de2845a68184e8f973186bb16dd

SHA1
4fe63d6a6e85dfda71a8ed1ecf116b0a6eabe3e5

SHA256
04e527867bd0d337fa0d6d4a6e9022b4701e4cbe0f0c47a2813fb13efe94388f

SHA512
565e285d6c7e2119ad4065c2cc5892e946631cdf1cfb913ea01507f08ac1272ed7e37b53c8a229a5fd5911ce6eecd1bd9a63e083616f7c6e59674bea2cc5d795

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-8QT0F.tmp

Filesize
1KB

MD5
93d54dad1c04bdb59e9b03abb45ee984

SHA1
19a9abc9ae1a6bc5775cc4a848b0b9590e219af4

SHA256
04fab3901c4ed39f698efa6979fc2c286a4661501c4a84c3e433895bfa5409d3

SHA512
8abc5ebaae748ee753d070ff454e032315c1cefa7edddf8e81c5eab1942bdb22166ac770ea9766a7e821378fa60cc2c39f00804c343a2672409a2e054d4c5a3c

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-9DVPN.tmp

Filesize
1KB

MD5
28125ad87ef12a36f03674f0a8afa237

SHA1
011f3f4a4e93516e8d305aa42bca303b28bfdbef

SHA256
ee520d85bfea0146f41196635b3ca9278382d34487b53b20e3590c6e48b5a3c7

SHA512
407e902a78d4acddfa8216af2c3f4d53eae760003a6f1c56cc6b2ed97e5aa5ba96121b70223765fc158b60e407c9ad210ef4bcdddada97908ca28da1dea8f6b8

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-9JPU3.tmp

Filesize
1KB

MD5
8a10cf77cba2e11c7e8b2e137100713e

SHA1
28181db6a0de178c8a04d4d10aa32d3a1ed74db8

SHA256
2b0fd65e703776c8043f53eff6579a966e6b53bbbf7fff00ed52c7919cab5e5e

SHA512
a8f6779c44e5833d87c057517007bd7e3e592440712297ccd33628c61c48075992747783c97f5a17abbec80c46c3f82d61cf64e1c37458f1165a86610bb401eb

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-ATLFM.tmp

Filesize
1KB

MD5
4f6007f7643189aad6824e76ac2668c3

SHA1
eab1a454c317ea1237e1021c6f4282f6f8f815ac

SHA256
473410f3dfcd29dc6d45b3957a0aaecb021e701e447d513aecc2fdd05234b492

SHA512
b9b9c453db38d510e00e49a71ec3cb3b43c1ec33a2e5d81c6783bf8d09f6295215dc8797c176fbab0fcac693788ca530d9c0644a18b95737f1751c1942ae0c78

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-DKIS5.tmp

Filesize
1KB

MD5
0c8d8c6769259ecff8e5c900f22e109e

SHA1
d20fd98f7aed0520934fe01329c3907f999e5e40

SHA256
cf998e16b6a778254e5e6df12e5aa54f72379a393596dd6e7566e92c8a1b4a95

SHA512
45767a743dc9ebed5fb28c9efa1e262868f3cd811bc12365dcf98cf3010faf575a03411a10bc82601086e38a4fd4633880fcd44df4070439a8a015768122201a

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-EHK5B.tmp

Filesize
909B

MD5
0e889ee4783e68a6c6d943e3b6bdbf0a

SHA1
c8dd27eac1166fe273ee7de68c905ec74252a9e7

SHA256
4fdbc561aa67baa1fd444f15fcdf0ae3a86e6a654fb9a6f91b83ff81e3b244c8

SHA512
af084d2534b7f1798eaa90ad7b495f2c1f3eb21124926cbe8f03b92f5121cd24077b0d72a3e63e9918b61598f1bbdccc8e669da21763391a1d0186f4cda108cb

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-KIO70.tmp

Filesize
874B

MD5
c7c616bd25c3c77fab45fda8a566c67f

SHA1
707244d54a56bd081e0a2939a1febe18512b4e11

SHA256
215b45d5c0cc1abb008cdd7decf548dee7863544c0c24980da98bccc2f79b2d6

SHA512
bd64530836bc93faee1cd01d2513ba1c32496e6edf53d80f6a600ce762b5e34a721eb9044e77aee6a88f2c166926d5e70ad55800dafee9c4e9199ed697d5d0bb

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-MU9FN.tmp

Filesize
1KB

MD5
007c85aec8520019a3f6a4bb258ed377

SHA1
387bad361280dc34282e591122c774bfe2daca88

SHA256
9aeba2630079bc88a9b5874beaa50d12ca321ca9fd322c4859ec9323ef5343e3

SHA512
48e1f7494be5b78e3c62ac2c6b15a2a640a2609002c0a7f2ff59981ab6517b856cc9b5db692ed54029eaf029bcf800cbf834ef4f5504d06ed237025caf08ad32

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-OK4RK.tmp

Filesize
1KB

MD5
1b957a4c34cdf5e76319e0f66f37c1dc

SHA1
f8b896101b75bb65a41459382e8c282746c6fdee

SHA256
f35626e9a31b2e9cd7ef77fe79fde636404c1a639796a3c6e690ea6f5f3d8ff4

SHA512
fddb2ebb4ecfd0f03502be8fd1575c904003b25f5c39d8afe56f7b25bc4dcb37dbf1b062b9f99ea736bfac2d5eff986c46313b3dcdf68f755d4ce5cc7ffbef60

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-OV11V.tmp

Filesize
1KB

MD5
33081c5ef82e5b59671714d6c551289d

SHA1
9c40f59e2174e7e79f2fc1696e50bac5cdbcca35

SHA256
3bf236d80e3da5b4ba0fcd3ac28e3e2713f8af397e7b8b11153ea87390f62de0

SHA512
0e86b125f4c2e1b350d865465e154b68525861f269d6a59507dd25d6ba6c89bbeab6f7fbca1d5be1597fe3002bf1b516774c842d2d6c4e87a1289a4675f8f41e

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-RE0QU.tmp

Filesize
1KB

MD5
8f5798f6f0d8b050336fef0eb35eff4e

SHA1
57b06a82945b49dcdffd3bbed695c19f2074cb6b

SHA256
c5aa9d8256045253d17cce359a93111ade6dd5d43a38737a7f7b7950d02715e2

SHA512
9877101b68679484a4736dcd2d46f351ad5f82d30b7129514ad82345aad858b8b8af1bf0fc8b3296d35a26378d5a2811399d949d3fde672a038fcaecbc7effcf

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-RGJPC.tmp

Filesize
1KB

MD5
8f407debd8e566c229ddc05afb898d00

SHA1
8bebc676630bc59fe8061585261f4cbb4ea57c2c

SHA256
6ed7ee5637e94dcc04e87770b587aa7ff3d1ad7e1a6f5ced873d262ba599e05f

SHA512
1deb491cba7c2ea090063b2e3ae48521000985017155a07cec885c644e98a225508a4ab5dc6da14210e26cded18fb75a9c2e2b705f77ab0292d10cd22e185299

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-RUL14.tmp

Filesize
648B

MD5
7578277b97c8cc8deb879725a9b8ec32

SHA1
1f6329f17cb2e77d02326a200e1c8d0cf41b1e20

SHA256
6ae9fb805001b1e89494b9964e69dde835c4623ff25523e529d7351da2c71066

SHA512
f4ff14606267f05372e4e46b6b9df39aa5ed82b8d03235d66f4170140447354ea9c9eab6ac28ba0b6fb6e60483968cb5f8ae9d1ef54d0a55264a208d612ee587

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-V8GSJ.tmp

Filesize
1KB

MD5
56d860796a8f607888da05facf093196

SHA1
5ef2c5fd31dbbc9ce42916a85ace98a97c85288e

SHA256
8311046a8211bfd26372c7eab2c04eb8f4982708ace08263ead1944d349d2897

SHA512
5c791ee88d32b5fe8bcb6555a1a27b53871419f884f1093ddf00f29c59935823a7db172ef9da2c32d96e1e05412a8f796c58b4dfc2282ddcabe47048b1d9eaaa

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-VPBJ2.tmp

Filesize
968B

MD5
37151e5b0690287e6cc9166b4db532e4

SHA1
2fd86a616a50915dbeace06e7b996db8439196e7

SHA256
ac31a2ad05b3d0cfde8882544a501c6ab16fdd08a5544130c56e1c81db34f619

SHA512
f3d6f93b3088db62841ced1a540e48216e240449402565e46fda4c2eaf40f64c3852da905cde2001d406fb36a9522278ddf6d070da2d89a9042164fafc7a934d

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\engine\is-VRPCC.tmp

Filesize
1KB

MD5
8b06fe9dc8adaf3fb669bbd442b3d227

SHA1
9273ae9f1b7208df19ccd5db276fb2c553bf1db9

SHA256
a3dd93787ecedbf5e7ceb107efe81f55adc62c39b7170f68642de061eddbcdf3

SHA512
b4cfe231c4267864594ed48fcd9bbaf2ee30b63ad84e12e05c6d5fa321ab06547ffe272f46cdfe87774c3f5d74ec3aaeb1e9dd2e100f16c15ecc133da6e33876

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\netprotection-sdk\is-7E48M.tmp

Filesize
1KB

MD5
941ee9cd1609382f946352712a319b4b

SHA1
c045813a6c514f2d30d60a07c6aaf3603850e608

SHA256
3d180008e36922a4e8daec11c34c7af264fed5962d07924aea928c38e8663c94

SHA512
bae78184c2f50f86d8c727826d3982c469454c42b9af81f4ef007e39036434fa894cf5be3bf5fc65b7de2301f0a72d067a8186e303327db8a96bd14867e0a3a8

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\netprotection-sdk\is-K91LU.tmp

Filesize
1KB

MD5
f969127d7b7ed0a8a63c2bbeae002588

SHA1
5aa6321f397c4409e3f8f6e26481aab583dccdf8

SHA256
86b998c792894ccb911a1cb7994f7a9652894e7a094c0b5e45be2f553f45cf14

SHA512
9aa0f141b4cbd27b177c6f4194ffa3395d6d35eec48821dfbc8fa1c14f311a6c25417eea0993b1ff23fc61ad5c58f387b07a4d4f4706d7ad0632f67818085be2

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\remediation-sdk\is-2E4T3.tmp

Filesize
3KB

MD5
ea85f0886077dbe7338b36461d6f6315

SHA1
c659d5b0419545649a935f56c74ec5715b4d4b46

SHA256
41680ba1803a1c8153490f7409c96a6855b54dce435011566c12e762645a3747

SHA512
14dca8cd83e4d6b3d7e84967253d0d0ed896dabcc71a2c41a7a5ed491e6648926261c16d75abec24df5cfd3831789a73fd3bba2f1e34a1ae53ebf50f304e97c7

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-42R3E.tmp

Filesize
286B

MD5
c3f89f1ba5e73c1904754ee4201c2837

SHA1
1b879b7a4bf861edc4bd2c9ac2709311d30ec3d4

SHA256
12419604fbaa2969ec103633bf2847f8ccd27f97f8f92bf23a27b9a15ae26eff

SHA512
d7327b3658e752f4c463f64eac40ee87e319a0558f3a60a267f41ba0d583a0836f76b6572f4398b78a787b78be525314526aa858aa34f9d2e9a0e37cc222a10e

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-9M7O1.tmp

Filesize
84B

MD5
4b0157e625c8623238b906a4e185c906

SHA1
49754ca88fc9609ab22caa1f71b854b3fe2746a9

SHA256
ff3dcfb2c7475dda4eb5169c305e4ce621ba09e1271fbd4e0d7aab67b40b7e66

SHA512
98cc0b8b08ca0ed0829d906048ccc20bf146fe2a7f8d13632d9cbcf1829070fb4245f23d826d04f448ac526a7d906429b3b2eca748197d4f87e042e05ee61299

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-DBM59.tmp

Filesize
1KB

MD5
1ed44827beb13c7173e9141d23c64f0e

SHA1
afcca3afee50529ff8132e4f5491054349d36def

SHA256
fb1964bd05db9d5b501a738956d7434904003961d0c2d2f3d1cfbab68c65f995

SHA512
b07691222cea79a5cfe560f4e27acbb7c75d5ba93a3c1c38354ef20cbd9e021a451e99d7bdd8d5b548bf240386022b87d844c762b9c490eb58d0443ee477f777

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-GMF62.tmp

Filesize
994B

MD5
252a2d0d78692203850ee7ef26fb21d8

SHA1
613f175909ca34a7a757ddda8a768c348c064176

SHA256
f31c51e68b6ca95a1b3eeb4a5c9657e898f260fac35e0f9e092c359b0149a3ad

SHA512
d754e6afb79d61dc264bb94539725e05cc8e62b7951e4f1e5c24a2db296b1e5c126bc2cd3824bf27b7cf2b23618099313b37320eb8ce19f4cc76879ed73b96f1

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-LGK33.tmp

Filesize
6KB

MD5
cd010da4cf5b82714dbc32f3e05df760

SHA1
c52f4ae980af344f6c98df74aa8117f6a2c7903c

SHA256
15b8e85f410b23610e424681c010e1b2833c9805f977131713ad6f7decf3fe90

SHA512
8aa6fc03c353a83bcab9e65d30c69b5393f1ac6c0181c0b8e357c85cc3a15c63c57d4fbc8082eb8dd539bc885b5ac2808a294adc42a541ebdc6b06bab5357cb1

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-QGSTA.tmp

Filesize
5KB

MD5
d411d82ff48b1b136c6b35e5ae969db1

SHA1
71024ca6fb0b8d49f839021d75f02ac2e903ff1a

SHA256
55972017b8f8bffee8922b5be4ba582ac401a3b70b5e62a4b8fbea56342b0500

SHA512
bc943588c003f00cda4e1388a3d37b1b2ee201acf8bc7792531c5223192b2f3a01f7892b6ac505a3ee21c011ea0ec07ad35771807024ced5cdcf0c10bb57a778

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\sentry-protection-sdk\is-VDERQ.tmp

Filesize
10KB

MD5
750a20d3f6af564ae7384975bd2ce7fc

SHA1
50a0da1ba36a240cebd30f5836c47da339100d04

SHA256
6a2edf4316a801aed14efe2e3c3ad9257722232a4d539482dd7be832b43ea611

SHA512
714c83f48706a499918778b3d65aa5db402a93e8eb24c6c2b884cbb13d31f2ff119cf1138c4ade32bab79ea8385aadaa7f32e03efb23d46639d1949b86f48fd5

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\telemetry-sdk\is-D7P28.tmp

Filesize
3KB

MD5
d499814247adaee08d88080841cb5665

SHA1
90ba482db24552fe26fffe459bbc350224a79b3a

SHA256
b2cdf763345de2de34cebf54394df3c61a105c3b71288603c251f2fa638200ba

SHA512
36e34230cb8b99438f5194cae44967602c41a981b767cad3da7fef0a46921dcbc5f4d19e0d149760f0e943a67e7cebd082d4bbf035b520a90943e57996ec0ac9

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\telemetry-sdk\is-U3VQD.tmp

Filesize
2KB

MD5
97d554a32881fee0aa283d96e47cb24a

SHA1
66933e63e70616b43f1dc60340491f8e050eedfd

SHA256
bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c

SHA512
7f33032c46743ca79fe444cdcaa5f4d07ec128831b162fb36f84a25c2aaef5e1b6518f1fa814d7147f68e7c83778e2eaf8f3c3e2424537847d245bb42414d921

Download Submit
C:\Program Files\Endpoint Protection SDK\legal\update\is-2N9U6.tmp

Filesize
1KB

MD5
154f1433b629aea39e672a4602aceb7e

SHA1
e44de570ccab8cf307eda83eb6a8ee13f7927c44

SHA256
1ee376fc340e0aa6ad6a3581c94126e741468705096ac92263048a21daa86460

SHA512
bc70655f17b3e598713955fcb8cdd51529f5db46913c948d44ead9b027244c06a7829e30726e3ff9564aa625966225883510fd5cf352a1de11cebb6d1e97a49a

Download Submit
C:\Program Files\Endpoint Protection SDK\netprotection.rdf

Filesize
79KB

MD5
eb9e9a3f795e841fe7884d6a7883e4ed

SHA1
046728011c71d5bb08089054ae7e1a177a37e633

SHA256
2816a2356cd447799d068478142c7354c29b973d1dd0ad8c32dbf713c8dd7ae4

SHA512
be0943ef87d676e8911d11b30f4c04df0e83c5b4ffa2eeb94f9e3cdafdae33db218abcbf6b83f4efc39374516bfba84990a756fcd37f29197a32a32465075422

Download Submit
C:\Program Files\Endpoint Protection SDK\remediation.rdf

Filesize
347KB

MD5
a12f87b8fd077838216d482691bd26ba

SHA1
29401b96d98214ebcb33ecdf3e19b701f0c69bc0

SHA256
a47d9cebf7d90b459e4c1d41e054faaa3826fc2d7a265e74004bbee73475b45d

SHA512
d9b37966538f3bfb31bb25388c13e08e54acea6af6f5f112657d67320caf45bab6397eb7dec86ed2a37354cc29c5361be26180cdac105931b521c72e2d2f087d

Download Submit
C:\Program Files\Endpoint Protection SDK\rtp.rdf

Filesize
237KB

MD5
6a009c4fd085d70ca84e63f0a4fb1ce0

SHA1
472833e72785df0bda6717774a6879b565f59a6a

SHA256
5093026dd21bf8f29782ac435c0af6136036cfdfb7c1b0155d3a68d957afcfa0

SHA512
d96298367e9b1d9a24ab43bf0f6f90c88fde89b6510492169f661cdf59c18d53512feed8ddfbc6eb4fd5487aa2ce4353449299346ace22d7db2ea6994b6b52b4

Download Submit
C:\Program Files\Endpoint Protection SDK\rtp_setup.exe

Filesize
5.7MB

MD5
030368a7ce7465d46c7f543d262f9d6e

SHA1
245ab219c6767c95ab594368f664f53ff822dadd

SHA256
91007ac7857879ab7644b9486899a9d3da2a8ec7d84bb93cb7968b6f12a2ce8b

SHA512
278776c59dd8528eb7f8baf4b46d4efcb661a62626dc6022b38e632112ff21bd2f6a7fca1eea623fdbe5e606697ed9dda00b4fc817215f6f6a8bfb9eff4677b1

Download Submit
C:\Program Files\Endpoint Protection SDK\rtp_setup.log

Filesize
38KB

MD5
b4fd05b6593af2ae7656c56690e224db

SHA1
6be33e372b8b26d0206b85378847fbe25005f070

SHA256
984a74815ec6030b8c191000595db6a1e1a3440aa59da3eae81b5324eda70e04

SHA512
5624bc142ac030dc230d30b233043daf0cc033941d3c7243349c8bd9484b683e998bde7dff57e1b8088d6fd5f9c091da524a6703b21e4a6cef367ec410079d65

Download Submit
C:\Program Files\Endpoint Protection SDK\rtp_setup.log

Filesize
38KB

MD5
3902f480a957e7c72e6a4da7de86428d

SHA1
9a48eae4383a193469eef17ca15d26cb958efddd

SHA256
ce52b38a0b9b8373c90c941b25e40aeea64b2334f507a95fa0847b89e2362bc8

SHA512
0ce3cd648a9aa08e70a2fd7aa567bd7b3c664d0060c72d8ed1cab274fb67ada226b26337068286f59ec499596f0313be858292c466cd6d4d0027ac63d753591b

Download Submit
C:\Program Files\Endpoint Protection SDK\sdk.lic

Filesize
1KB

MD5
b175ce23e78313d2a60a6779bfdcb8a0

SHA1
74d3fa7c1c8b769652216f88c6e052d1dc4734ae

SHA256
b01c8975ac53b9a3bbbbc72da3caf896eb00508cacb43504af31465742cd0f41

SHA512
be7be391b9e848951116e1e8ef2fe5191a980b1a0fbc177679e48b9bea102c5858efa0dfec742ba6ee979d7d7d31b8513789b21d0ea05ef0a24b40c588491fec

Download Submit
C:\Program Files\Endpoint Protection SDK\unins000.exe

Filesize
3.1MB

MD5
f42730d554a991e6e1f86763d82fa875

SHA1
e882e61b0dfe5bf4de0ea29dd4476a10a13f9d41

SHA256
098c2f494aef17a19656ddbfaf48532c88f58faf252800f3b724348a5da17283

SHA512
4afcf018c0f50ac80a04ddec3308582113846599f2b28b48eb3f66c558d24d8b04cff3fd3de5e8446d9c8efe88863b5546af407859318370db470bf4d766dacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4a5d9cadb1baf0fef92289489e71cfd4

SHA1
13ba55539c99b4ccfd40f16acced9a5ee77aa101

SHA256
1ab3c43befa8e22fc85b9acc52d7c8d008e438a256d29aef223048e8941e616d

SHA512
8fab6e74c967d3a00280c52d92853220d4ff8ce39486610cf03299286b9301d82709a0c3a5eb2cc7b920db2134f9ffdd96645a89e973c88f0c7c5e436e12a530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55598db3dc40b52ef5937f295fe3372a

SHA1
4ca25d612f4759ed48f166df42e42e0b9be44819

SHA256
780a259ce0e385d50d83d2335dae08af681fc49ef9b0f3f0727d5ca8ba992cc0

SHA512
8f6a05691a334351ea534671619606f244bdfa761b20f4c42f60fe8378b56d1155af0a612f3dfcfe9ebe96ee1edd97fcfb3062113eafa57e2d4349ea9a360c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
1e115c1fdaf2e27718aa517f50890a84

SHA1
0151c631ace314d7fe695c14573692e499049d88

SHA256
cffde27408b3b62804da6d44cea08cd1e0bdb377c72393b854f18e3625a1588c

SHA512
7182c03653dc4ccfe6dd873d10250f226bb33f4cf339d38b6b818dd0e1e52f43f952d48a07cadeae6cc0a47053abec3c675c53de75f1635232cc976f716c08f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
8f8c8980ec9b86f6820063337143895c

SHA1
75ef9dc8ee616176e2945f6c137b7e8aa6eaf7f6

SHA256
a77475282755cb61f6b5e0b791b69243498c56f2e703ff845fb3db27dbf6f509

SHA512
3d9a8ca5abf13bee0738da1b7f86bcfe62ee5a30f65fa3bcb5ee3e6abeee690f3fa96ae1bcc459d1af1f690934664f715db63f39ba04824e780a335aa23ed845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
18b3f050034318725a7d9b81a05627a8

SHA1
b074ea122d9bb7226a8ad935e9695a16ad5d6d10

SHA256
567bf20d0fd90f2b0b6879b92120f52354d98b5d1ac41e9f7b23f659be460587

SHA512
265cf6943cfa9caaa5a62b92513b12fd2a39f73500611b377228a3ea0f658a2c99bc179bd5464738e21e642f2e3dfdc900df94869ee28d00cf20c5456d66570d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
71KB

MD5
96b274d08645c312cf3e7cb3d7ab0e89

SHA1
e569b7142f2bc22d3383fa9b04b3c223c084a5e8

SHA256
05ad8674ca7243eb11e9a94b64b003dbdc5d7fd1f9e63e478551a31ccb37ae58

SHA512
b9dcc399520c338e37705d33e0a374d29725a7326cac7bf991572cbb56319b47ce0a69f8c4414e5c4ac2753bd16fe57fb6ac53ebe21f4f7ba47421e082117aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
66KB

MD5
0b1df9c2cb01579525f81aea06657009

SHA1
ebd613a1de840004bc1bf060c3af7981f8913c63

SHA256
cb590dc29358669e396ce3c34cfd694027d6e8e979429267051789a7796d8a2b

SHA512
a602e549b235867464a34eb01ed2cb124d5997c9a655e0fbf77ee42e2f10a34978306e6c71b3e0a5fe0fb9b8af0667d30927f8e5e61c61429af04f33d65f42e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f778274962ff03229f970c6a6e831763

SHA1
040b428f09db6d99d63e21bbfb7e68062b3eb607

SHA256
d3fbe3c07597008e05e55ab585d25edebbe3d7ee2c631012019adc20caee8d06

SHA512
f647a4bec7f68aad12b705547dd6ca6f2fbac0d58794a831c903533ef5772362e12a0f5c3bb0726c94ce8eaa3b39393af62e98d7e2795afc9aea9de0ba41d6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d22002e90e067a3e1382b8e826e87930

SHA1
dba25268127351fdb28deacd50a7e5c9f6987f44

SHA256
e10d39296adf26dbe2975e591e34ca0b294d6a6490bcd8c4cf530db336d1c98b

SHA512
a0dab373c18581b942d458e4f65a001dd16409d12565e2dbbd53a032900c5f475ad634537f399d8250ab191fe388bb55fea4677ee3f901b9a0635b05037d4aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
350a7eaa11b1c7b2daf20ba824c9c4f6

SHA1
1dc7b1124a9020c32f802d469a0e8f42a11da1a9

SHA256
4c4c9f750e5bee41ec490bfd417068e2f2d05717dbe68e8cdbe8cc212cd8f4f5

SHA512
6955cdc36854a5f6fc1064f67f688cdec85651074c9851b818bae4da873313c62b92aa46632faaff1a07e5b2643d1da7dd7b7f95c7bcc393a4fb303b71d9452a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
bec260eecde7220f98f053df9c5b6739

SHA1
58ae64476568c43fd0a4d688b581469c5f287223

SHA256
47f9efee1433e16b2464e534fdcdb798ff081dd5241b1b4452d6b22b2aa3dc01

SHA512
e218a3b064c90f073725e0190b9d0df0b8f06024b975720fea069fade944afa21a440936d706ce3fbf501f9748b560a7c024a09fcf5e7f7a389784d49f276d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
ff55a768c3bdb950c6746fa97b0a2690

SHA1
93a0d89129c958f2bd66e8c030ec94a0d5e787da

SHA256
4e0e7bbb6cbd82677eb999797b884677de480a839c264962e83009ca334bd156

SHA512
e2f5777b50db2e6ffedf277ae8c4061d60ac05b93a85e1d4c0a048d534a4750db2b0b189162fb83af5276da76bb8f3f782ee99270d9c41c6ceb264d8ae2dfead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3d6e936e36a46a69d131dee0bb1691c0

SHA1
f46c8d234270fc3b841e48d3df4891694067292a

SHA256
6fdb50b61c70706f77f6bff2837559557efa3acce2f32e5b5d57f844995f939f

SHA512
ef3ae12a7e6b0ac80c5b6a1224e04fa591c286e8f955e8bfce41fe0053f730dbcefe32f597ebbd8cdf8f5ecac5930c5b4a0914492839040238a0796121e4346a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
706010f7d805131183a6365a41ab3878

SHA1
c272bf85d302a659d7fb5e9c3903d7f7c619b6bb

SHA256
51a01c97a6b823c112dc3b98266e91ab038423645bcd953f3f3337e05dd2bfac

SHA512
b1163be7ba502b3e4907657c6718f9abaff22533a13cb1e798ea668789b918a49d8c06f466abfa3f7a39d54de548eeecb2ba2a9438f146ccc0117b65ecd0d3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
21fe6d2d84d8830d1b7b3f9d605036f4

SHA1
4d48945becf9924d2a94a38982bdd6c8f476245b

SHA256
bb399209d46d8c5b992662f621f9b5bf5177e1d273876f34638636e6a0cf90b9

SHA512
89605767b888bb444e16b995f654f3896511557051042905b141b9afecfaf48e3199efcc86f39d9cfc400e8ed58039cb5e0052aa9effddfb8938a38196683dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c01f5c2c49425946552a0034c368d2c8

SHA1
f8f732f2433c5d8840ad32494b479b1df727e92c

SHA256
e338209e6f8ed1c99c621cbcc7be01672577dbc9c15b4eff59f4d66b81fd27c0

SHA512
c52c296339444b1f9c9a042763aed876c198791cf001d9b534c0ffe7263b500ceb06d8a0cd955846d5626541fa65ff120330c58a0a2720cc7155d0e2347953b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8964e9eea673f93578d9624f6863dc8

SHA1
29a552ee819c71da04262bea0186a8c105f816b9

SHA256
aca4d8e2252dd4e6fc8186c327e1ef7b91ef2026dd9af908bf3766da7098e48a

SHA512
15c8c78d5755571dbeadca122ac664c658624e0f9930c93534018db9daf925d064fdd96c6540ad6bec06e8c26f32badeb6c32e86a5b74c3b7271807a46811c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc3f140b789f695effe57d58d9398980

SHA1
065f4ea19706db016b20e1754a14467f8518e845

SHA256
7dde268afeac48989a67553c536579e94a1f360656631f4ed51583e7d32fc163

SHA512
1d0ceeea6b264db0dfaa8b976ec068763a1439e7146b567af79301189d060e2b3b5980820993a6c6dd7400e5ea48d51832b3a022306fff4cb3534fba80f6b924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8172bc9727436ff06f42c6b6bf025372

SHA1
1dc16f763013815a48664bd67ef09f66dfd40c82

SHA256
f11c17075e4da8bd910aabb39bca52236a123610e06596158df3cec1a907fa66

SHA512
578fe9de32499c0afc3e7da346bebcb12eecc88d9bfe2f5225e25cbc1f875b7bd2cfa8eee012b163665d60dfbeea21385e19266d01f64b971b158bc6d303df3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39dc7d3b1168b91d7f838f87fdad46cb

SHA1
334243774ef12caa6b874e0ffddf1de394b62fac

SHA256
b6860fccdee916e9c2d1eb5125cb2e754b69e1281822a795d192dab043437c9a

SHA512
bdf4a04c3a3e133b1f404a35c776649b5e3d91722282ec8463baa17cfee34ff9baad8496fbdc9254fa00ae1393b3d0597d190ddeef2c50346b6fba39eaa2e9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dda3d23ac9e294eecb722810740ca7d6

SHA1
3e8ec29e6d615760379dba2dc824786f6fb3da72

SHA256
e55eaffd30dd5bda6dc1eaf3b31553f6808b8c03f18fb62989cedff8e64d4d27

SHA512
226e51ae97144cb2a4ab41aaf74b168090c0777cb509ed6eb16234d420b0d131555a54cf45b8d3e33fec18d33c4081b2940d7291abc164aa25fc36520d8c410c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ffd968cbb7bb4ad6ffffac1c2b66188e

SHA1
bbf16404f13d29d48f2244d1980257afef4bd59b

SHA256
c6233c7650e33de5d5abf287146c32377770d087ddf6afc5ac3b26e60292c35d

SHA512
dbea4badc6be8559bc68944f467c9cc581a61bc0a3fe5e02b82b2df8fe0a20bf585a017ef2bf69520457e3714814b0d245784fde0ff0733b5f653b27f9f3abb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1a4fcc265b6c957f5a7d85ed6ce166aa

SHA1
9c9f7f2d33c8fb9e34f28d16ea36cc8293c08d92

SHA256
c9f8d2cb644c332625b40ebf66accdf410702d0edab9f1313c9d759af2766202

SHA512
c537c34cd9af501d849723db1efa34d633b5d09176d25eb19c599e395320a8e8ea75e685a44245df4d1d3b7ae5391b7cb48a54d11552870a3f6dda37653f6845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36a00f41c85c357d68235b59290895f0

SHA1
452f259455d835704cc289eb054c5a85766bcc9c

SHA256
e77ab2e93fa9ec80765b483704f139d70f4d5c3f0a869d229123f68675142bde

SHA512
b80393d99dead45a7b94f1b770610e2e53298a3daf10007bd5eae78ff6c32e2a4fbe1132d972e9f2413924caac89577e2fd859d367bf3ec164b2ef6a688e4889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
09a46bda3b47690cd7e20a19f1e3bb9e

SHA1
cb9a397e3c34f2d193e5d37fbf250b37c5198495

SHA256
f2d3b604d8bd4678976d8b27b71927b572116410d886c09f2cc6b90cf3dc6ba6

SHA512
da0c8aa5fc5dd4727f03f796ca73dffc7a6952356454dcb012c9c56d9872af17a591fd0645ad7c165261f8be2f21d585be5ecdbf07eb8b0a7c6e4b798e9a3b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8a058446bc8a4a185a189b9902691545

SHA1
34e3e1181cbd28958796cdc648a0789d4b537d6b

SHA256
63486c2095871c994545b890054ccac33b54575701b1881d3867858c7e0e4ec0

SHA512
cb761c22bda364a30d91ac1e148aa0e6310326eec76276f0bffc4b31e81ae0743c6884b4b74cc2022b2640a24d3014f9a5d7ab1d84c85122f2a1c857ef13d7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe663ec5.TMP

Filesize
48B

MD5
c80d11758522826f899cf67c7e4bb2d9

SHA1
f3315a994161fe4dbe7454d41a190f240a48a551

SHA256
5f2caf726d3ce2163cb78f823fcacfebcbc9c0a638f09f694eb9914894563894

SHA512
ff128fe7b4bf750cfd858ca6dd6441b805952ffcd5ec41729eeafb1b02c72eec975694e79bc669f32fcd6bce9294808055934f2f86fa4364aefca8353b633b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
6f92ce0cfcf7ea970f67e28ace45d741

SHA1
20de80e6c66eb446a2ae1252bc5af43855ab934c

SHA256
5e8a20d6d87a4252882ce4ce2b3acf96924ca9ccbf93f70e4f0f4b067ee9e86e

SHA512
0c6a5ddd41e9a6d0068df26d50ee72d7c7bfbfd897622bbe8b264f8d99c92c014c69d3418583d43a1c86a872f381eae33d68eacf28a5f0d9ae8ad156332df794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13378246540053458

Filesize
488B

MD5
a473d6db766785f05f448f20f223f33e

SHA1
be81fa634306c6f3ed50ae36ddeaef888593d02b

SHA256
80b81fad32584ba65d45dad22cc6c233cf12b43000942d5456cf636432ef8579

SHA512
02a6cbd3f3140ebe42e2f2b600f469a986c4574ce30156f36a982d29fdddfce30bd8d7fe7244bb235e4c3eb5c5cab8f44549598345c7b7a7fd30161cf9a1a68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13378246540210458

Filesize
717B

MD5
3a22751913213a07374829e4043ce948

SHA1
c0e350739de2edd8975660be823cae999d59f5f6

SHA256
46871c23d34617ac992ddf72fc2f9ab6d11a2e363aed3fbf407d703d62379ae0

SHA512
6a185c4ad02675862c2909da8e7e0100da8b1e001c2700d47b9761a83444ab104837ca6112ec634f9f8c7d2c850c173dce98145a2fa00cd9773c7588485e4e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
cd56a7a665bbd61ce673262b8923239e

SHA1
782b368be5c63fe4db5f98b7d5e89d6d7840e027

SHA256
c5edadd9dab9d8c07cfa5b25e0460c3a19076c4c4951454984ec567a36847484

SHA512
495b463bc814ee1e328cc8f087b4026a2679be9703b697e50b8ba7d43308ada4af383e179950b30b3ff802b342e0f40b75f5bee6ba841241d7aac5a7e5264bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d359d2813bb44231c519fd892fb8538a

SHA1
7f57f7974ea88b9b4fa8c6d6614da65f46d5eb71

SHA256
19fd310e66b7de0077e6d6eae11226dd5baf642e8a02e0a9a44339614a4bef15

SHA512
d3294d91b9b9ce9e2f79dd2c0e73476cc2700bfc6e03585bed8271948e19a479823c02abdf02367a2ef1d2131358e1f90a4485e7100bac7498d45158b7ec1063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
fb7fa772c70bec4f7366ba3af6ea98e2

SHA1
b60b48bdc47dc9e4efd3b3f91511ea940dee6f5f

SHA256
e7da34fc07918b0cf6f1deb088d16d8d71f98f6a67b49b4b481026365f668f32

SHA512
8cf6d1452c7387ddd3930901e4dc9c50d2b8f5204e9930970bf5f8ea8c6b6005793418bfb2da5209ea894b5b0b2ba131b442f26ab665e85ca0ba716f71e0e398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a7306182127f391cb7a8d77fe1dd58a

SHA1
ce5a5bddf8d2ae79cec2ce51547092373b5450ec

SHA256
dbdb4568a2d05656820fadf3ca54c92f1dd30b4f2fb7b40d0f50eae320d23605

SHA512
d4f5b2950ac60a0d63d706fa0c7c70182a222fbc7d4c24235bb38e824f20624492b0fa17a30e2a713064c4221873e98ec9717c1b0782fa4753bd75069da2ab24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e4d12f18daf99e8e74decd579d0193c

SHA1
3442b07151176fe1ad1b2fb1543499aadbb9d17e

SHA256
1996289fff8552432f48a2d0d4fef116560529826b2ebd7cc84438397537005a

SHA512
133ba3c6ad2464742fa39c3297b91df5243b30fdb66622e57311e9def06f5458a1a387e4bf262f5eb0c9f3fc6c6dda2ef45f8c13c658cb84464fab8c487b065e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe655fee.TMP

Filesize
534B

MD5
3dcfc407c9401730bd3e96c737076e32

SHA1
469f9f015c83cc05e4de22196293ca6d3af2ea1c

SHA256
b8efd68e4915b48a438152b107a02dbcd3664b2640bce37e04837a2242cbd00b

SHA512
da680d5e734ad6c27150aee3acd1880fc5f1e23d9a518d8b07878c3cbf9ad2be3849fe48842e372372ce8cdfaf78c1274107b75472ba50d3b85c1296f7e091c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
a8061a5ecbe607120a8f74e2e0e1286f

SHA1
8ed7e4fe2a7327b61c7f9df8114759df7fefbf01

SHA256
020ec2e09d30ccc6e47f19f8326a8685c42a03bf288c317fc8933e7d0ad33efb

SHA512
83ef872686fa3f8f8c1bc5767b038797dde3e4f62b6f7141c271d5429119e369e325aea41bf01ae8e985430e3db6e76c00f1c9456c91f5b114f8e1ba09dfbded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
83fef0bdee292fe70d1aed0542c9a54e

SHA1
f43cc3a1a1b2a1e1c6d1ae9720f62ba4fd1dea52

SHA256
e3ff6d565b52df0b1792fec4be2ad05eb498ad0af5ff6b0afa51a79f0b5e723e

SHA512
56870651a39164cae0bad3341993d43a10c6b5cccf6915cd5ca5355c8ebe0e6e44c60fa62d1d9eadd9bd7fe81baa3ff7fc5f1081955b5640b5cbdc20286467de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
87f28eb64d0f96291a84909b95bc2f6c

SHA1
735d05c83cf34ce6a0f476efe07092b40efd99dd

SHA256
cf3994cde4e8eb25fbb05660e15d61b822beb25f1cc6274f2c01229ef2243e8e

SHA512
678d25be7d91897fbb632ca4f5aad79f846f0cf3cd66a430dde2fa48cf915e99e2f1f96f2d64aa2d7602252769fae635f80a8917f235487aff67c8f9f93a2b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
2e3977cb4e34cf7a3ab318f2b633c4eb

SHA1
405613a869e6cca7293f25c86958e4c7cc4f0db8

SHA256
664c3a40edddfa53895015f0045890e39c212b022119a736091870daab82e3f0

SHA512
50a35526ab1c51d5a18e90f526965c60216e688fedf5e1769416f6925321aa8eb92582c4ae090f4cf8f3db0d323428dffb1adc2023286dae8c20465c952e5569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
a79b0aa502b15fa052f082d4a519bc72

SHA1
f9642158d5ba0079cadfb659a589a1a5f0edfcf2

SHA256
fd7ceb5a5aaa810d9315d29449319690d091d62398e867e22a8fbf2e857ecb5f

SHA512
82099dae5dcded05c6c4c05f1d53a907a32dd00083d15eef5340474023f7c328ac32a5f159afac053f47fb8ae94807402e2a26163f48963ea6266ddb0f9ab4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
eda49725b315e3be52fbc4e45b34d401

SHA1
51b8e85c8fae657a9a4cab2576116eee54cb1c0b

SHA256
a69e1ae9f466d7bc4ec2623fde80f59c391d0bc5db4445245bc4f4cd516ace11

SHA512
f8f8f0afdadb2da627a9c03e6f66e59faa15ed85d6b8e1c144252a7df8c6f4c2475fb053bcdf7338b8bafb056e546a042b11739026b4aaf18fd29a8a6594799b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
316e1472d4fbabcd31523fff02a89516

SHA1
64744ab8ccf3e234429f7cc8271e0ea01b17be65

SHA256
7024a49d70d511e0762d17f4ad63d1c95e6d836aac0414e27e5558ebb7db7518

SHA512
f8c87113428db1b16845a49afe78e1e685989dd614621d926232e53eb1a8570f1237fdbcf91e5b05769b4e5df29e38fe6a39fc41c8f7ebd5844168676b5aff66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
df94cb05ea00e29f2ce87657523d6677

SHA1
bb722459c0e833460314ffb9cf4ba9c7c81c3469

SHA256
8b0b1b8b41e5f4abf35cc92d75a9eb0214a92cff9cb25485d325b6cfcc551601

SHA512
f4e55f6d69093cb4ae3960c8a72feb66266d14be23277bb8736bd0927e7d9e982633078c460dd461d3842ac7b61207e8ca825e56fd06bc9d4353c1e8bcfeaec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
e340f0283188cb4622dbcb26deaba24c

SHA1
2f5966882e230267293665c26957bfb3eea678b1

SHA256
b0be3626565a648f13fdb7b497eae6be01679f0833a15c9283b0dc7e38287f0f

SHA512
6390e53b5192c124680fc193b811e27a7487db0c97096ec6d31620a2dcac50ed1245e010a85ac1cbe7c9df871956a21427771d388d1280657d5f3dd05cf392ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52e03181c893bafd9699e8be26a8791a

SHA1
48a06e414fecfe74721b5c2277209bd37134be37

SHA256
9fd3ee0f988a5c7beb26e36437b45f6c35e4f1ab63448c7b65363766f8d4eb02

SHA512
01b315ba6069789831787affc2cc80a4efbb6ee58a56044473925534dcf8ac2eb04f2e46ccfb3ae76c542a3ed3d03d3afda54be266d7a4a4d9344cf7c32f4faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d890b140cc390076b819d60950e6fd4a

SHA1
5a75f8788163b6242e29d51b86a12ad886f42e35

SHA256
3730a892e087183e0228d7827b80f4b65a45b3229a7ebb75d7521b1e18bd125c

SHA512
dcca8ceb665c7c519e775f5f6e315f5775bfb5e06663d6a4039c0889a1a2689526fa4fd6c728845eca09fea355b5fbe378d30aaf8874f674b0e94d1611c86600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51d8d489a58d8ef6bbc1badb1abb87a5

SHA1
240a9a3fa81c2769cffa9857b93b8baea2ee80bb

SHA256
c6ab11442785d9b9ebb7f73b15de243422004c84bd5bd18b6c5c35863bfc8be6

SHA512
aeca88725c02e88454ccad4782c3c6c522562abc0f90f15106754767d28bf8c6547defae9e4bbb3dd56b5579069f0b6900a0a4307e8f180555029c4790539e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
25fa7fe86df2a5f48726c7be2bef24fc

SHA1
ae854461fce115537c52e964d54e0af3f32ff14e

SHA256
4fe19e4436038373c90a02ddbb056c8f75dbe9cbb197d600da542c88fa868bca

SHA512
b91a08b26a954769747a5bbf93df714e5a1743f636d987884d6e908e91d9741f340b8bcbe6d8c3b3f45ff4963a10fa6f11e44e23050787f93f0a9f8370114eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34a667243af4dbbf665df5959419f347

SHA1
012940be0a12e5f2c41d96832e217973bb6b4e96

SHA256
30ed38a8240b3f05fd32fc6a291fa377da862f4eeacb4f06113a3f8a841a9905

SHA512
2f875a112d03d58a3a717eb86683ca37df3416e48509e88413542efe51000d5ec39e21d2a6d6c466ee80bef0b2eee907fa2faf9d2de078d74aadf385c5b01a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
5b1ac09523363fff29136a9e75c02978

SHA1
b85cdf7dfe24918ac49eea270c3e389a9c4117e5

SHA256
71a39f9684593309b92859172fc6a6e14bbe67598e987d05ff0d4eda45c79644

SHA512
c61c79dd785df8e8caf9e20156c4a8dc078e22e803f9f5554b07ffb8a4b4f96bec890a492032a5af72e7166b049e15dafb88cec3ab33ca4edd62d2357a8ee70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e4c590c8c99d7b33d59d72e4df4b34d2

SHA1
69b27ea8cb7df96f03bc8f9f358fe8bc0e85cb03

SHA256
0b2ef37f11fb968b2fa3da65835b95da0e455fe2ea0a3ddef008e6e25a417579

SHA512
5774aabb9b852076c88fdd6d3746386510edde061cb9a14d96f168dc1959963d1d0284bea7503ba6266afa909563a00f7586880ea68607edab030ece60f48b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
12ec2590a911126fba587bbda6dd1d0f

SHA1
6d89b25f75d32ef52da2fe2f9ff4109ef99bdac9

SHA256
fc5b8b548d539266d174264d4556886c1bf9d6ba4e6d27eb009e842cd6c34b5e

SHA512
4ca163a4e857c69dce37c06a13448bb334620a783b3c9c1075a4d375c1f0ee11acaad5d2ab206188c6fa22fc540c7c252fcd8693e2d980fb9074ea91f2e14808

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4268\installer_1.jpg

Filesize
39KB

MD5
224807d05fc8afa9c1ae1c4d59cc0326

SHA1
9243dece39968177f985fb600fac522cd29b376e

SHA256
769ac79d53745f164b3628ab33717cbf451d0ecd9c2636c10ebd48766da2df17

SHA512
5d18c12c06094d4c9f31686e0ad3ce0d14e76c80250fb44654ad6dca0ae60348057b52b96375695bf09d92ee0f77c458873889645af0c9ae795de67cc679fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4268\installer_2.jpg

Filesize
21KB

MD5
140ae324df733c4faa943068aa7b91cc

SHA1
cbeb5b6e36d98945e3cc322d7b3b82b9fbb0441e

SHA256
d5dd548d6372a688279c52ad8a667d839f92d967c50cecfdfab7602d749c583f

SHA512
92c8e92d2b6a924bd8a0bb40e774e93a3c2af8cddad198367bd745926aa31862149a12147441d5bef0b17e49fe11935e12e051a05c63c304e0088bfc5d2147f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Epp_21946\uninstallLogs_EndpointProtectionService.log

Filesize
252B

MD5
20d1a381f04f1189f8ab74cdbb2db621

SHA1
de695047f6c501cc9a07659e1a34a9526d7dd030

SHA256
389bc6f294d3e893fb1d79a8f97a50525f102c15d78d0130a9ca8474635d0d18

SHA512
8d2e0d15e4ec45a53f83a7a2f0f366ab648ace68f11a704a7d2fd72be7796e692bafcbf5563fbb33ed933a80c9063c7d93a140c526a6822aba4b5c4c12e9054b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Epp_23811\uninstallLogs_EndpointProtectionService.log

Filesize
252B

MD5
c06148c0cd5e79ec1f54ac2941652ed9

SHA1
594c1241a1f583dd2a77364e182c00b5b0f279c8

SHA256
7a5b818ce640a09c9e259c6e90c0c1b6ddfda6a104f4ff84827a7d3b1da5856f

SHA512
65f4ee41676d965b2ff0b9933da3d7223e1390f64b1cd6985979c0676eb3589867d80105689bc10ef9d387f911c21998f681177fcb51470240408c7fda207d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID59F.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDEE3.tmp

Filesize
838KB

MD5
4a3f6a4023abd6bba56534de47d20017

SHA1
02dd888e467143e2e35465d73f39cf3e66afad10

SHA256
a8dfdc283ad8d4dc6f500ddfab564e79dadae075c0d54784b50e1ca548709b30

SHA512
580c7918ef90eb0020901bab645b72bcaf945ceb5bd56c2e7847f229b31a961bc4cd4ca9cb2583db480947ca8a0880b5ae4bd26717217abcacc9754352aaba28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CE0F1.tmp\installerplugin.dll

Filesize
5.7MB

MD5
d0766c7d1d2c50e9ed592dd071bfe113

SHA1
7ad9ac427803cd1e1ace4b263b0bd9873f64b9fd

SHA256
eea816e7da80d43fad2e06fd71b358d8ae16d6893a8b7e04c030029a9d8a078b

SHA512
115ec117bf8ca33288f7a21cd6b26cf9391453b7dabe1abe909e7cd9500caed2141f5edac84e96a62acd0f3dc5fcc95d05395af16b872156aa34bab8c78325e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiE115.tmp

Filesize
5.0MB

MD5
b40e4304f279119d9345be970babce41

SHA1
f76f5b30e7c333efcba1d4e19215ef1fd21d6943

SHA256
06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7

SHA512
ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\ShieldAntivirus.msi

Filesize
5.2MB

MD5
20dbee8529cbb96005bf21648984a628

SHA1
a8ea93344c57ced1954a83d7050b480a46aeef0a

SHA256
b0a2a76f14f565aaedc24c9f0e09f2ed3c9cf13b783722b2d51d5dcb84ff2eba

SHA512
477688cb174915eb4f865c2fd1405149892288f58f837f84957230490fceadf1fc4f20e00e608ea4ebe9115d4daaa3e4ffad22d462c1666d89abcfc363bd9f59

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\Toaster.exe.config

Filesize
163B

MD5
dccd44fb11b8e4ebdfb822e809a54b6f

SHA1
1889d5ae8c7c70c051cbde104af6e0f31f8c1b63

SHA256
6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158

SHA512
dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\mixpanel-user-tracker\LICENSE.openssl.txt

Filesize
9KB

MD5
c75985e733726beaba57bc5253e96d04

SHA1
c5c8a68f4b80929b3e66f054f37bb9e16078847f

SHA256
7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a

SHA512
07bdeb77b6ebe1f18ba5285d98a05ac53502a82837118e194d81384bbb9c1a8e7bb7ba627df288c770e9e97599e24a5135e45546cbf493330773c6b9921ff5b6

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\netprotection-sdk\LICENSE.gsl-lite.txt

Filesize
1KB

MD5
22fdc5026f96333146783303939a1e71

SHA1
840bb9ce00d96550dc69b0cec1bb15bcbd0d7cd3

SHA256
6d0398d22a6af6682c816ea648930e1387cd41d1fdf9baae6e4e91bc1e45ea5c

SHA512
2ea64059606b0c19485064d1766a29a96e5cec779146349c291526817d7d86d02f271193cd9bc6ab9f14c21e66a3e9f3978885572ca8afb26301a620141de23e

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\netprotection-sdk\LICENSE.jsoncpp.txt

Filesize
2KB

MD5
5d73c165a0f9e86a1342f32d19ec5926

SHA1
db16de9f0016978749716482a56ddec474b7d0b7

SHA256
cec0db5f6d7ed6b3a72647bd50aed02e13c3377fd44382b96dc2915534c042ad

SHA512
5bba53109b7f765fc43ea8c71c40e86cbbd51be2aa3e5caeb1da8ffb234641fc24ae96b64ee5de9ac50c672278c1e266c9d1e90a0b79c2b8482b5a47bd7ab66c

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\netprotection-sdk\LICENSE.zlib.txt

Filesize
1002B

MD5
b51a40671bc46e961c0498897742c0b8

SHA1
233f44af3fb55dcc7fddfef8e77ac627b0008756

SHA256
845efc77857d485d91fb3e0b884aaa929368c717ae8186b66fe1ed2495753243

SHA512
b2401af44195a0409091e5b1849c5f8e75f49987b2d9d1cefe043a34bc138596824e91f112de0409d3c69b4bb21cb37c9bc84fe5a566565bef884c846a3d4011

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\ondemand-scan-sdk\LICENSE.boost.txt

Filesize
1KB

MD5
e4224ccaecb14d942c71d31bef20d78c

SHA1
3cba29011be2b9d59f6204d6fa0a386b1b2dbd90

SHA256
c9bff75738922193e67fa726fa225535870d2aa1059f91452c411736284ad566

SHA512
d6078467835dba8932314c1c1e945569a64b065474d7aced27c9a7acc391d52e9f234138ed9f1aa9cd576f25f12f557e0b733c14891d42c16ecdc4a7bd4d60b8

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\ondemand-scan-sdk\LICENSE.magic-enum.txt

Filesize
1KB

MD5
b15f48588464ec8ef87d2b560aad2caa

SHA1
e2878966b3418e04c9702eb69d80cd5ef4ccb7f0

SHA256
cf451c612ef409b7692b51aa74eeb2b8df1ec9be38e6f7f72b8740f489ca1387

SHA512
2e20af4c7154bea2f38f209463c7e547b1011169b1a0ebf1b9ff7622fe591d616fcf85194cd2e6a14db21aa83604ba291899d80a3380f4fb31b6658a0cd1a2cd

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\ondemand-scan-sdk\LICENSE.zstd.txt

Filesize
19KB

MD5
8e7d22cde48f4983c22eff59921516a0

SHA1
71288d1bad355d0fdbdb793f1ca640875ad4d830

SHA256
434dca949c6da7c500413aef694539fe37f867dd1a94d83d4ed1d260194e2660

SHA512
2bab90a1b3b4fd1027d06a5e49f615108711121e752a34199c0e0eb6d7af13234773d0362de9c2c3a52a86d6183c309fd7de432f48ce51e3a98974deac6c96ee

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\remediation-sdk\LICENSE.lua.txt

Filesize
1KB

MD5
c14f56d4ab1b03d38ad0c1d17782be46

SHA1
6b9c623b254a1f2563f336aa14ec7012a1f17a1f

SHA256
32a2adbaf0d6ae5b0cdd56afe4ee5059d58c540a2f9ad90a346f31cb4b3fa3ef

SHA512
881eca54239fbb9ae3e0334e606742f64af4e5740438bbc1c51323a1f517980cfb8efb8ab512e6ec4e1b8b4d0499e278bd96fd2777f7a34e726330a849a4d831

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\remediation-sdk\LICENSE.luabridge.txt

Filesize
4KB

MD5
624a52cd1811fe332902f24bd0bd72d7

SHA1
683178ba8076d194564e85fa69edd8d33d46503e

SHA256
ff3d7f85d5486b5c056aa4f597fdbb24b5f4581204196ce1091a3e5c3628a0ea

SHA512
e6f81eae54e3c8c84b1b74e8ade6ddaf8cb06d31b3bbe063647c06ec13131d074d5c3331700d5e4ea8f7fd144aab19a5dee19c53f87098c49bdd1fa87145d377

Download Submit
C:\Users\Admin\AppData\Roaming\AvInstall Shield Antivirus\ShieldApps\Shield Antivirus 5.4.0\install\1B1D025\legal\update\LICENSE.curl.txt

Filesize
3KB

MD5
b8b7b8814b6f7f42803b2e1c2d93b0d9

SHA1
d2ea29d8607a7b4302c0e824bc9562518a203e2b

SHA256
d54faa0777a38c6867d3706cf86ecda6501d5415c7b4f0356dd9bb9751105aa9

SHA512
155d3f68dd77992cb7af4d3ba2de8215fc66359fd29e30d86a8a0f754eb07990f1a75167e2dc61eaa436622d0b6173fbb0ee37c868cfe4c7271465ac5a087739

Download Submit
C:\Users\Admin\AppData\Roaming\Shield Antivirus\usagelog.log

Filesize
354B

MD5
3e971ddc19df5542ac94055a8e9afc4b

SHA1
4533b3400bba9f1ba3e01e7150ffd0e2f75a3bc5

SHA256
296ad45ccb59cc7d664b79beb44679f8b57b17e8ad0410a372fb5b0d46cae9bb

SHA512
acf0b8584940da0422bad2d8b785bce960333c6efe9e8e58290c984392f2b6c1449b71851024ab289f7f5751a4167d08db3f425d82d39248538d4549fcc20f08

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 500948.crdownload

Filesize
291KB

MD5
10eea1709e698496d6df4ce4b3edddc6

SHA1
04725e288af175f4fa788cce8148fbd986746c8f

SHA256
0c13fd3e21b4a996c9921a865ed7c50e199537098dec9f0a5e186a6a1e2ca7a1

SHA512
62cdc930df3eea888fc853982fafa7c2fca8416257f48a2f37aa64d05fe323fd7bfc1abb8ed714f9fea3a15600275b0ca8bc0e55416437e51f99937ab6e1c18e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 950930.crdownload

Filesize
8.8MB

MD5
d6295d953f579094c6912ac0c86b4a2e

SHA1
0e0fad15063eca59af4a5ca63b178b82af2b9f6d

SHA256
0edb92ae95c89b86f3ecd0448c557bf28280eea880c3692dfcc62505151307d5

SHA512
b8f6d875516af9c02b273e48d3ff14b34768065532f8186591996ea253b8f7075297304386f0264cfe201c31ff369031c709a4b42e74e0bfe6d81f4e7aba7df0

Download Submit
C:\Users\Admin\Downloads\estrouvinhar.js:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSI1406.tmp

Filesize
834KB

MD5
065fab0d856b9896887392a021578e0b

SHA1
11087b4dbbc6855c245c9e686cefc96d581a578f

SHA256
a9a34d9c6cc14ed252cf0a07896f266187d57b4635c31a89779dac5843f17411

SHA512
19f23c2a9f2bbf6d9f05f29548740a5ba495ce340a1166549ab1adcccc5d582c9c5b6040f9514f03875894d25aab73a8f217d39e0ad36c0bc0f01ae988eff98c

Download Submit
C:\Windows\System32\drivers\rtp1.sys

Filesize
418KB

MD5
b04079e9776549886e979a167bf58948

SHA1
849cebbd22896ffddc9df80b256e2e3df1fe84bf

SHA256
633084b674ccdb451ce6d2189b19e1a75637e1a0769eb36d0514903103c9061e

SHA512
f127c5edcccb7aa018f2053be48fb5ef343ef512748d7a87fd463d92bfdee4ee140f887b2dfc88e8ba69e0aa1a888c238f5dd548217238ccf7e43906bc99d3db

Download Submit
C:\Windows\System32\drivers\rtp2.sys

Filesize
418KB

MD5
0252dab71ca2d6157413f3b52de99cff

SHA1
7c9c337fdd8d3620d866433d8b116d88a61e8675

SHA256
25b7524ce1916c3a33101e3080121c6945881a1d433015c154c7e4113903c9a2

SHA512
58fb691938e6f4dea15bc0a9d4c7545e38c39847fbb9836ed77713f842493fbad35f233afd994c8046cb4e2783c6626fccdabcbbfa866fecc8df6aef4e6d62b2

Download Submit
C:\Windows\System32\drivers\rtp_elam.sys

Filesize
28KB

MD5
21d0233e31a7e4c6d59425e49591988e

SHA1
f062eb0c15de8dc8c16074099d4ee051d69cfb68

SHA256
dfc20d22b095af9a30c88dc3aa9f6a83cb30e8e0f3b74fe3cef86fce4f0a970e

SHA512
3c258ed5535377e323efec9bc980544f100255375f09d74a2a8432078e7ae1373b0070f5b65d7ee6d41be18d46fd077c6eaba65f7df478bc7c022cc11267925a

Download Submit
memory/816-4289-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/924-1431-0x0000028A24CD0000-0x0000028A24D80000-memory.dmp

Filesize
704KB

Download
memory/924-1449-0x0000028A25580000-0x0000028A25AA8000-memory.dmp

Filesize
5.2MB

Download
memory/924-1426-0x0000028A0C300000-0x0000028A0C318000-memory.dmp

Filesize
96KB

Download
memory/924-1446-0x0000028A0C3E0000-0x0000028A0C402000-memory.dmp

Filesize
136KB

Download
memory/2016-1425-0x00000229886B0000-0x0000022988708000-memory.dmp

Filesize
352KB

Download
memory/2080-3009-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3015-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3010-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3018-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3017-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3020-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3014-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3019-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3008-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2080-3016-0x0000023C2B880000-0x0000023C2B881000-memory.dmp

Filesize
4KB

Download
memory/2876-4177-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2876-4291-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2876-3043-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2940-2797-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2940-3003-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2940-1715-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3024-3007-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3956-4295-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4488-1400-0x000001E6CB760000-0x000001E6CB782000-memory.dmp

Filesize
136KB

Download
memory/4488-1401-0x000001E6CD510000-0x000001E6CD56E000-memory.dmp

Filesize
376KB

Download
memory/4488-1402-0x000001E6CBBE0000-0x000001E6CBBFC000-memory.dmp

Filesize
112KB

Download
memory/4488-1403-0x000001E6E5C70000-0x000001E6E5C92000-memory.dmp

Filesize
136KB

Download
memory/4740-4232-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4792-1447-0x000002E307380000-0x000002E307726000-memory.dmp

Filesize
3.6MB

Download
memory/4864-2849-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4956-3001-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download