floxif | hxxps://mini-01-s3[.]vx-underground[.]org/samples/Samples/VirusSign%20Collection/2024[.]12/Virussign[.]2024[.]12[.]17[.]7z

Analysis

max time kernel
1117s
max time network
1123s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024ae1-5961.dat	family_neshta

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	Process not Found

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00070000000251c7-9493.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 5308 created 3440	5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe	56
PID 6364 created 3440	6364	updater.exe	56
PID 6364 created 3440	6364	updater.exe	56
PID 6364 created 3440	6364	updater.exe	56
PID 6364 created 3440	6364	updater.exe	56
PID 6364 created 3440	6364	updater.exe	56

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Floxif payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00070000000251e4-9551.dat	floxif
behavioral1/files/0x00080000000253cf-10583.dat	floxif

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000024ec1-11155.dat	warzonerat

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000002480a-4507.dat	xmrig
behavioral1/memory/6112-10593-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10595-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10597-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10601-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10603-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10605-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10607-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10609-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10616-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-10720-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-11257-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-11624-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-11676-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-11971-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig
behavioral1/memory/6112-12008-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 17 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5232	powershell.exe
5376	Process not Found
9756	Process not Found
10048	Process not Found
9544	Process not Found
4436	powershell.exe
10116	Process not Found
9864	Process not Found
9928	Process not Found
9772	Process not Found
10008	Process not Found
2348	Process not Found
9228	Process not Found
3452	Process not Found
5936	Process not Found
1820	Process not Found

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 2 IoCs

flow	pid	Process
392	3884	RobloxPlayerLauncher.exe
479	2604	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 2 TTPs 13 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5572	netsh.exe
5576	Process not Found
6220	Process not Found
9108	Process not Found
8568	Process not Found
8864	Process not Found
6620	Process not Found
5876	Process not Found
7372	Process not Found
8572	Process not Found
4408	Process not Found
8656	Process not Found
8360	Process not Found

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000251e4-9551.dat	acprotect
behavioral1/files/0x00080000000253cf-10583.dat	acprotect
behavioral1/files/0x00040000000006e7-15067.dat	acprotect
behavioral1/files/0x00070000000006e3-15063.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000250d1-9001.dat	aspack_v212_v242
behavioral1/files/0x0007000000024ec1-11155.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Executes dropped EXE 64 IoCs

pid	Process
1580	virussign.com_00b3c5c387437848a1bbb67c833a1d8b.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
6364	updater.exe
7128	virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
5512	virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe
6748	virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
6572	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
3532	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
4516	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
2100	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
4480	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
180	explorer.exe
4172	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
2948	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
6232	virussign.com_68ddabef296c66f97b3f2e10f92a4b6b.vir.exe
6536	explorer.exe
2544	spoolsv.exe
4504	spoolsv.exe
636	spoolsv.exe
5044	spoolsv.exe
3956	spoolsv.exe
5284	spoolsv.exe
3656	spoolsv.exe
3612	spoolsv.exe
628	spoolsv.exe
436	spoolsv.exe
1072	spoolsv.exe
6668	spoolsv.exe
6944	spoolsv.exe
1772	spoolsv.exe
7152	spoolsv.exe
4896	spoolsv.exe
5628	spoolsv.exe
4644	spoolsv.exe
4560	spoolsv.exe
5532	spoolsv.exe
3508	spoolsv.exe
6004	spoolsv.exe
5880	spoolsv.exe
4356	spoolsv.exe
3632	spoolsv.exe
3124	spoolsv.exe
4428	spoolsv.exe
6328	spoolsv.exe
5760	spoolsv.exe
5764	spoolsv.exe
6548	spoolsv.exe
3988	spoolsv.exe
5884	spoolsv.exe
4100	spoolsv.exe
3740	spoolsv.exe
3980	spoolsv.exe
1104	spoolsv.exe
2724	spoolsv.exe
4384	spoolsv.exe
700	spoolsv.exe
2560	spoolsv.exe
2072	spoolsv.exe
4032	spoolsv.exe
3068	spoolsv.exe
4008	spoolsv.exe
1664	spoolsv.exe
628	spoolsv.exe
2840	spoolsv.exe

Loads dropped DLL 41 IoCs

pid	Process
7128	virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
844	msedge.exe
1100	msedge.exe
4192	Process not Found
2384	Process not Found
2384	Process not Found
2384	Process not Found
4192	Process not Found
4192	Process not Found
4192	Process not Found
4192	Process not Found
4192	Process not Found
4192	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
4976	Process not Found
6448	Process not Found
6448	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4516-11998-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/4516-12003-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/2100-12001-0x0000000140000000-0x0000000140B86000-memory.dmp	themida
behavioral1/memory/2100-12006-0x0000000140000000-0x0000000140B86000-memory.dmp	themida
behavioral1/memory/2100-12005-0x0000000140000000-0x0000000140B86000-memory.dmp	themida
behavioral1/memory/2100-12004-0x0000000140000000-0x0000000140B86000-memory.dmp	themida
behavioral1/memory/4516-12000-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/2100-12002-0x0000000140000000-0x0000000140B86000-memory.dmp	themida
behavioral1/memory/4516-11999-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/4172-12039-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/4172-12038-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/4172-12043-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp	themida
behavioral1/memory/2604-14504-0x0000000000400000-0x00000000010EC000-memory.dmp	themida
behavioral1/memory/2604-14505-0x0000000000400000-0x00000000010EC000-memory.dmp	themida

Adds Run key to start application 2 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	StikyNot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\X:	Process not Found

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
478	raw.githubusercontent.com
479	raw.githubusercontent.com
549	raw.githubusercontent.com
550	raw.githubusercontent.com
406	discord.com
407	discord.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Process not Found

Network Service Discovery 1 TTPs 8 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6972	arp.exe
6956	arp.exe
6940	arp.exe
6932	arp.exe
6924	arp.exe
6912	arp.exe
7068	arp.exe
6948	arp.exe

Power Settings 1 TTPs 42 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
9836	Process not Found
1336	Process not Found
852	Process not Found
10108	Process not Found
9232	Process not Found
9356	Process not Found
644	cmd.exe
4448	powercfg.exe
9372	Process not Found
9496	Process not Found
10172	Process not Found
9728	Process not Found
1728	Process not Found
4224	powercfg.exe
3496	powercfg.exe
3996	cmd.exe
9556	Process not Found
9640	Process not Found
9256	Process not Found
9540	Process not Found
9376	Process not Found
9368	Process not Found
1388	powercfg.exe
1460	Process not Found
10224	Process not Found
680	powercfg.exe
9548	Process not Found
9564	Process not Found
9852	Process not Found
9260	Process not Found
3948	powercfg.exe
10040	Process not Found
9448	Process not Found
1332	Process not Found
2096	Process not Found
9056	Process not Found
5004	Process not Found
6128	powercfg.exe
6096	powercfg.exe
9412	Process not Found
9252	Process not Found
9924	Process not Found

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000251c7-9493.dat	autoit_exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\dllhost.exe	Process not Found
File opened for modification	C:\Windows\system32\fxssvc.exe	Process not Found
File opened for modification	C:\Windows\System32\msdtc.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\explorer.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\explorer.exe	Process not Found
File created	C:\Windows\SysWOW64\als4tessofmain.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\msiexec.exe	Process not Found
File created	C:\Windows\SysWOW64\regeditchange.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\System32\alg.exe	Process not Found
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\msiexec.exe	Process not Found
File opened for modification	C:\Windows\system32\AppVClient.exe	Process not Found
File opened for modification	C:\Windows\system32\fxssvc.exe	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\AppVClient.exe	Process not Found
File opened for modification	C:\Windows\system32\dllhost.exe	Process not Found
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\FortniteCleaner.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File created	C:\Windows\SysWOW64\Registry.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Process not Found
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	Process not Found
File created	C:\Windows\SysWOW64\traces.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\eaccleaner.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b43e1a4df92561ea.bin	Process not Found
File created	C:\Windows\SysWOW64\SofMainCleaner.exe	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
File created	C:\Windows\SysWOW64\Clan.bat	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4516	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
2100	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
4172	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
2948	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
2604	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe

Suspicious use of SetThreadContext 52 IoCs

description	pid	Process	procid_target
PID 6364 set thread context of 5108	6364	updater.exe	162
PID 6364 set thread context of 6112	6364	updater.exe	164
PID 4516 set thread context of 2100	4516	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe	252
PID 6572 set thread context of 4480	6572	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe	253
PID 6572 set thread context of 5148	6572	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe	254
PID 4172 set thread context of 2948	4172	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe	258
PID 180 set thread context of 6536	180	explorer.exe	274
PID 180 set thread context of 6632	180	explorer.exe	275
PID 2544 set thread context of 4300	2544	spoolsv.exe	837
PID 2544 set thread context of 1672	2544	spoolsv.exe	839
PID 5296 set thread context of 3472	5296	svchost.exe	856
PID 5296 set thread context of 1888	5296	svchost.exe	857
PID 680 set thread context of 6164	680	virussign.com_9b055037383beff906060dc78de5e05c.vir.exe	900
PID 1116 set thread context of 1668	1116	StikyNot.exe	1367
PID 1116 set thread context of 4936	1116	StikyNot.exe	1368
PID 6056 set thread context of 4696	6056	spoolsv.exe	1377
PID 6056 set thread context of 5292	6056	spoolsv.exe	1378
PID 6356 set thread context of 4560	6356	Process not Found	1645
PID 6356 set thread context of 2904	6356	Process not Found	1646
PID 6724 set thread context of 7824	6724	Process not Found	3039
PID 6724 set thread context of 7832	6724	Process not Found	3040
PID 2888 set thread context of 7224	2888	Process not Found	3048
PID 2888 set thread context of 7284	2888	Process not Found	3049
PID 3632 set thread context of 1924	3632	Process not Found	3208
PID 7084 set thread context of 8276	7084	Process not Found	3408
PID 7084 set thread context of 8140	7084	Process not Found	3409
PID 7480 set thread context of 1976	7480	Process not Found	3420
PID 7480 set thread context of 4244	7480	Process not Found	3421
PID 8700 set thread context of 8220	8700	Process not Found	3427
PID 8800 set thread context of 7884	8800	Process not Found	3467
PID 8800 set thread context of 6872	8800	Process not Found	3468
PID 9028 set thread context of 9164	9028	Process not Found	3480
PID 9028 set thread context of 8336	9028	Process not Found	3481
PID 7164 set thread context of 3932	7164	Process not Found	3502
PID 9892 set thread context of 9408	9892	Process not Found	3566
PID 9892 set thread context of 9488	9892	Process not Found	3571
PID 9932 set thread context of 9600	9932	Process not Found	3598
PID 10212 set thread context of 10228	10212	Process not Found	3630
PID 9648 set thread context of 9900	9648	Process not Found	3657
PID 10148 set thread context of 10208	10148	Process not Found	3684
PID 6068 set thread context of 9984	6068	Process not Found	3687
PID 9956 set thread context of 9620	9956	Process not Found	3716
PID 9764 set thread context of 9340	9764	Process not Found	3744
PID 9220 set thread context of 8224	9220	Process not Found	3749
PID 9220 set thread context of 7048	9220	Process not Found	3750
PID 10028 set thread context of 9348	10028	Process not Found	3762
PID 4964 set thread context of 9392	4964	Process not Found	3765
PID 4964 set thread context of 9916	4964	Process not Found	3766
PID 9144 set thread context of 7920	9144	Process not Found	3776
PID 9144 set thread context of 3264	9144	Process not Found	3777
PID 10164 set thread context of 11088	10164	Process not Found	3801
PID 10164 set thread context of 11112	10164	Process not Found	3802

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024841-4617.dat	upx
behavioral1/files/0x0007000000024922-5067.dat	upx
behavioral1/files/0x0007000000024d43-7181.dat	upx
behavioral1/files/0x0007000000024cb1-6889.dat	upx
behavioral1/files/0x0007000000024f2d-8161.dat	upx
behavioral1/files/0x0007000000024f27-8149.dat	upx
behavioral1/files/0x0007000000024fbb-8445.dat	upx
behavioral1/files/0x0007000000025214-9647.dat	upx
behavioral1/files/0x00070000000251e4-9551.dat	upx
behavioral1/files/0x00070000000252f5-10097.dat	upx
behavioral1/files/0x00080000000253cf-10583.dat	upx
behavioral1/memory/7128-10586-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/7128-10591-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/files/0x00040000000006e7-15067.dat	upx
behavioral1/files/0x00070000000006e3-15063.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\TerrainTools\mtrl_grass_2022.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping844_807682994\ct_config.pb	msedge.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\DEPRECATED_AnchorCursor.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\R15Migrator\Icon_AdapterPaneTab.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\TerrainTools\import_delete.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Settings\MenuBarIcons\GameSettingsTab.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping844_363243771\manifest.fingerprint	msedge.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioUIEditor\icon_rotate8.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Chat\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\avatar\compositing\CompositExtraSlot2.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\fonts\Roboto-Bold.ttf	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AnimationEditor\btn_delete.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\GameSettings\Warning.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\TerrainTools\sliderbar_grey.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\fonts\Montserrat-Medium.ttf	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioToolbox\Voting\thumbs-down-filled.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AnimationEditor\btn_manage.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioSharedUI\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\PlatformContent\pc\terrain\materials.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioToolbox\NoBackgroundIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AnimationEditor\img_scrubberhead.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AssetImport\btn_light_showworkspace_28x28.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\MaterialGenerator\Materials\Limestone.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Chat\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\VoiceChat\RedSpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\api-ms-win-core-interlocked-l1-1-0.dll	RobloxPlayerLauncher.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping844_197722356\Part-ES	msedge.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\fonts\families\PermanentMarker.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\DeveloperFramework\Favorites\star_filled.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Controls\DefaultController\DPadRight.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_2x_2.png	RobloxPlayerLauncher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	Process not Found
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\sky\cloudDetail3D.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AnimationEditor\eventMarker_inner.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\StudioSharedUI\ScrollBarMiddle.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\TerrainTools\radio_button_bullet.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Controls\DefaultController\ButtonX.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\VoiceChat\SpeakerDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\fonts\Michroma-Regular.ttf	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\fonts\families\Balthazar.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\localizationExport.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\Debugger\Breakpoints\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\PurchasePrompt\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\LuaApp\graphic\rocket_icon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\AvatarToolsShared\Preview Undock.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\MaterialManager\Create_New_Variant.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\MaterialGenerator\Materials\DiamondPlate.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\content\textures\ui\Controls\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\PlatformContent\pc\textures\water\normal_11.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\subscription\.gitkeep	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerLauncher.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\SERVIC~2.0\0407\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA4F59~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\_Networkingperfcounters.ini	Process not Found
File opened for modification	C:\Windows\INF\mdmc26a.inf	Process not Found
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0409\_SMSvcHostPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\mdmti.inf	Process not Found
File opened for modification	C:\Windows\INF\genericusbfn.inf	Process not Found
File opened for modification	C:\Windows\INF\PerceptionSimulationSixDofModels.inf	cmd.exe
File opened for modification	C:\Windows\INF\prnms003.inf	Process not Found
File opened for modification	C:\Windows\INF\prnms002.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmetech.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmhandy.inf	Process not Found
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_BXT_P.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmvv.inf	Process not Found
File opened for modification	C:\Windows\INF\UGTHRSVC\0410\gthrctr.ini	Process not Found
File opened for modification	C:\Windows\INF\.NET CLR Networking\0000\_Networkingperfcounters_v2_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0411\_ServiceModelEndpointPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\mdmcommu.inf	Process not Found
File opened for modification	C:\Windows\INF\netwtw04.inf	Process not Found
File opened for modification	C:\Windows\Logs\WAASME~1\WAASME~1.ETL	Process not Found
File opened for modification	C:\Windows\INF\sensorsalsdriver.inf	Process not Found
File opened for modification	C:\Windows\INF\ehstorpwddrv.inf	Process not Found
File opened for modification	C:\Windows\INF\SDFRd.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA7109~1.MUM	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA3247~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\c_mouse.inf	Process not Found
File opened for modification	C:\Windows\INF\msdri.inf	cmd.exe
File opened for modification	C:\Windows\INF\netwew01.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\rndiscmp.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA5F5B~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\1394.inf	Process not Found
File opened for modification	C:\Windows\INF\bda.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmtdkj4.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmsmart.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmcommu.inf	cmd.exe
File opened for modification	C:\Windows\INF\ufxsynopsys.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0000\_ServiceModelEndpointPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA99EE~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\prnms007.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAFCD7~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\mshdc.inf	Process not Found
File opened for modification	C:\Windows\INF\rdyboost\040C\ReadyBoostPerfCounters.ini	Process not Found
File opened for modification	C:\Windows\INF\idtsec.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0000\_SMSvcHostPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\prnms008.inf	Process not Found
File opened for modification	C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelOperationPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAB960~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\.NET Data Provider for SqlServer\0411\_dataperfcounters_shared12_neutral_d.ini	Process not Found
File opened for modification	C:\Windows\INF\basicrender.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmotou.inf	cmd.exe
File opened for modification	C:\Windows\INF\sdbus.inf	Process not Found
File opened for modification	C:\Windows\INF\wvmbushid.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA90D5~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\netmlx5.inf	Process not Found
File opened for modification	C:\Windows\INF\mdmsupr3.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbprint.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA74B7~1.MUM	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LABE36~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\netrtwlans.inf	Process not Found
File opened for modification	C:\Windows\INF\percsas3i.inf	Process not Found
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA08EA~1.MUM	Process not Found
File opened for modification	C:\Windows\INF\mdmdgitn.inf	Process not Found

Launches sc.exe 54 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
212	sc.exe
2380	sc.exe
9368	Process not Found
9460	Process not Found
9572	Process not Found
10188	Process not Found
9264	Process not Found
9428	Process not Found
3880	sc.exe
9284	Process not Found
9792	Process not Found
9796	Process not Found
9840	Process not Found
9908	Process not Found
9352	Process not Found
9380	Process not Found
4340	sc.exe
9424	Process not Found
9316	Process not Found
10012	Process not Found
9512	Process not Found
10216	Process not Found
9144	Process not Found
8312	Process not Found
9968	Process not Found
4300	Process not Found
9324	Process not Found
4812	Process not Found
9520	Process not Found
9916	Process not Found
10208	Process not Found
9704	Process not Found
7056	Process not Found
440	sc.exe
9500	Process not Found
9560	Process not Found
9612	Process not Found
10012	Process not Found
9652	Process not Found
5044	sc.exe
1480	sc.exe
2456	sc.exe
9784	Process not Found
9224	Process not Found
852	Process not Found
9960	Process not Found
10164	Process not Found
2392	sc.exe
2876	sc.exe
9744	Process not Found
10036	Process not Found
9708	Process not Found
9444	Process not Found
9464	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 57 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5896	3532	WerFault.exe	244
2364	6232	WerFault.exe	264
468	4504	WerFault.exe	277
1556	636	WerFault.exe	280
5280	5044	WerFault.exe	284
3548	3956	WerFault.exe	287
1044	5284	WerFault.exe	290
6748	3656	WerFault.exe	293
3940	3612	WerFault.exe	296
1492	628	WerFault.exe	300
6132	436	WerFault.exe	303
4672	1072	WerFault.exe	306
5900	6668	WerFault.exe	309
1936	6944	WerFault.exe	312
7016	1772	WerFault.exe	315
7020	7152	WerFault.exe	319
1824	4896	WerFault.exe	322
2364	5628	WerFault.exe	325
5404	4644	WerFault.exe	328
960	4560	WerFault.exe	331
5144	5532	WerFault.exe	334
3964	3508	WerFault.exe	338
4144	6004	WerFault.exe	341
3648	5880	WerFault.exe	344
5484	4356	WerFault.exe	347
5252	3632	WerFault.exe	350
5580	3124	WerFault.exe	353
6716	4428	WerFault.exe	356
6148	6328	WerFault.exe	359
1396	5760	WerFault.exe	362
6368	5764	WerFault.exe	366
528	6548	WerFault.exe	369
6108	3988	WerFault.exe	372
2532	5884	WerFault.exe	375
5292	4100	WerFault.exe	378
4504	3740	WerFault.exe	381
6520	3980	WerFault.exe	384
4908	1104	WerFault.exe	387
1832	2724	WerFault.exe	391
4052	4384	WerFault.exe	394
5272	700	WerFault.exe	397
6748	2560	WerFault.exe	400
3436	2072	WerFault.exe	403
4696	4032	WerFault.exe	406
644	3068	WerFault.exe	409
2672	4008	WerFault.exe	412
5984	1664	WerFault.exe	415
6128	628	WerFault.exe	418
5900	2840	WerFault.exe	422
4856	5140	WerFault.exe	425
6812	2852	WerFault.exe	428
3844	1332	WerFault.exe	431
7076	7068	WerFault.exe	434
6892	6804	WerFault.exe	437
2536	7152	WerFault.exe	440
5680	232	WerFault.exe	443
6700	2364	WerFault.exe	446
3488	5404	WerFault.exe	449
5672	1456	WerFault.exe	453
60	756	WerFault.exe	457
3880	5372	WerFault.exe	460
6304	6948	WerFault.exe	463
5088	1888	WerFault.exe	466
5940	5880	WerFault.exe	469

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_00b3c5c387437848a1bbb67c833a1d8b.vir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5924	cmd.exe
5572	cmd.exe
5832	reg.exe
432	Process not Found
8976	Process not Found
8972	Process not Found
8956	Process not Found
9032	Process not Found
8936	Process not Found
9012	Process not Found

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	Process not Found
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c0ba7f28baba6d450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c0ba7f280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c0ba7f28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc0ba7f28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c0ba7f2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Checks processor information in registry 2 TTPs 34 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 54 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "29491-27743-3186212751"	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "29491-27743-3186212751"	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "294871699413998"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Process not Found

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5888	ipconfig.exe
6728	ipconfig.exe
1276	ipconfig.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
5904	taskkill.exe
3044	taskkill.exe
3272	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 294971647220542810926672392119139273599314	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Process not Found
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869491596523630"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Interface\ClsidStore = 2949457231695840461635732762160263028725571201652411616083	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-bef193a8f3d14d3c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{D3774E85-62AB-4822-8B67-DDB1F503322F}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-bef193a8f3d14d3c\\RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Installer	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{4A1852C7-87D8-4A50-B7B9-6D932327733A}	msedge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-bef193a8f3d14d3c\\RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Installer\Dependencies\MSICache = 2949716472205428109266723921191392735993141401723969	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{52A42050-5F60-4DAD-970D-22C9950EA548}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{4C0AB935-DE9A-4C06-B864-7FEBAC316998}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Installer\Dependencies	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-bef193a8f3d14d3c\\RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{54D87045-6CF3-4188-8B7F-E50AB9C83CF5}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Interface	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-bef193a8f3d14d3c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
7112	reg.exe
1208	reg.exe
1836	reg.exe
5712	Process not Found
9144	Process not Found
9140	Process not Found
8372	Process not Found
3024	Process not Found
7012	reg.exe
5548	reg.exe
5964	reg.exe
5984	reg.exe
5520	Process not Found
8744	Process not Found
8576	Process not Found
5464	reg.exe
5244	reg.exe
3448	reg.exe
3488	reg.exe
4964	reg.exe
8408	Process not Found
8684	Process not Found
8388	Process not Found
5192	reg.exe
4896	reg.exe
8732	Process not Found
3676	reg.exe
2376	reg.exe
2052	reg.exe
1224	reg.exe
6364	reg.exe
3528	reg.exe
8456	Process not Found
2796	reg.exe
4116	reg.exe
1776	reg.exe
556	reg.exe
3056	reg.exe
3504	reg.exe
8888	Process not Found
8652	Process not Found
2360	reg.exe
1700	reg.exe
1120	reg.exe
5348	reg.exe
4968	reg.exe
7316	Process not Found
6852	reg.exe
208	reg.exe
6928	reg.exe
4968	reg.exe
6856	reg.exe
5076	reg.exe
3704	Process not Found
6844	reg.exe
5664	reg.exe
8540	Process not Found
6012	reg.exe
64	reg.exe
6080	reg.exe
5832	reg.exe
1520	reg.exe
1924	reg.exe
8388	Process not Found

NTFS ADS 15 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	Process not Found
File created	C:\Users\Admin\Downloads\Virussign.2024.12.17.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	Process not Found
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	diskperf.exe
File created	C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5196	schtasks.exe
6060	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4236	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5232	powershell.exe
5232	powershell.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
5308	virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
6364	updater.exe
6364	updater.exe
4436	powershell.exe
4436	powershell.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6364	updater.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe
6112	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 8 IoCs

pid	Process
1396	7zFM.exe
4372	taskmgr.exe
6536	explorer.exe
3472	svchost.exe
6824	Process not Found
4056	Process not Found
7824	Process not Found
8220	Process not Found

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	firefox.exe
Token: SeDebugPrivilege	2360	firefox.exe
Token: SeDebugPrivilege	2360	firefox.exe
Token: SeRestorePrivilege	1396	7zFM.exe
Token: 35	1396	7zFM.exe
Token: SeSecurityPrivilege	1396	7zFM.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeShutdownPrivilege	4224	powercfg.exe
Token: SeCreatePagefilePrivilege	4224	powercfg.exe
Token: SeShutdownPrivilege	680	powercfg.exe
Token: SeCreatePagefilePrivilege	680	powercfg.exe
Token: SeShutdownPrivilege	3496	powercfg.exe
Token: SeCreatePagefilePrivilege	3496	powercfg.exe
Token: SeShutdownPrivilege	1388	powercfg.exe
Token: SeCreatePagefilePrivilege	1388	powercfg.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeShutdownPrivilege	3948	powercfg.exe
Token: SeCreatePagefilePrivilege	3948	powercfg.exe
Token: SeDebugPrivilege	6364	updater.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeShutdownPrivilege	6128	powercfg.exe
Token: SeCreatePagefilePrivilege	6128	powercfg.exe
Token: SeShutdownPrivilege	6096	powercfg.exe
Token: SeCreatePagefilePrivilege	6096	powercfg.exe
Token: SeLockMemoryPrivilege	6112	explorer.exe
Token: SeDebugPrivilege	7128	virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
Token: SeDebugPrivilege	6748	virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
Token: 33	4208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4208	AUDIODG.EXE
Token: SeDebugPrivilege	4372	taskmgr.exe
Token: SeSystemProfilePrivilege	4372	taskmgr.exe
Token: SeCreateGlobalPrivilege	4372	taskmgr.exe
Token: SeDebugPrivilege	5904	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	2604	virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
Token: SeSecurityPrivilege	3940	Process not Found
Token: SeCreateTokenPrivilege	4192	Process not Found
Token: SeAssignPrimaryTokenPrivilege	4192	Process not Found
Token: SeLockMemoryPrivilege	4192	Process not Found
Token: SeIncreaseQuotaPrivilege	4192	Process not Found
Token: SeMachineAccountPrivilege	4192	Process not Found
Token: SeTcbPrivilege	4192	Process not Found
Token: SeSecurityPrivilege	4192	Process not Found
Token: SeTakeOwnershipPrivilege	4192	Process not Found
Token: SeLoadDriverPrivilege	4192	Process not Found
Token: SeSystemProfilePrivilege	4192	Process not Found
Token: SeSystemtimePrivilege	4192	Process not Found
Token: SeProfSingleProcessPrivilege	4192	Process not Found
Token: SeIncBasePriorityPrivilege	4192	Process not Found
Token: SeCreatePagefilePrivilege	4192	Process not Found
Token: SeCreatePermanentPrivilege	4192	Process not Found
Token: SeBackupPrivilege	4192	Process not Found
Token: SeRestorePrivilege	4192	Process not Found
Token: SeShutdownPrivilege	4192	Process not Found
Token: SeDebugPrivilege	4192	Process not Found
Token: SeAuditPrivilege	4192	Process not Found
Token: SeSystemEnvironmentPrivilege	4192	Process not Found
Token: SeChangeNotifyPrivilege	4192	Process not Found
Token: SeRemoteShutdownPrivilege	4192	Process not Found
Token: SeUndockPrivilege	4192	Process not Found
Token: SeSyncAgentPrivilege	4192	Process not Found
Token: SeEnableDelegationPrivilege	4192	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
1396	7zFM.exe
1396	7zFM.exe
7128	virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
6308	msedge.exe
6308	msedge.exe
6308	msedge.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
7128	virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe
4372	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
5512	virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe
5512	virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe
2100	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
4480	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
4480	virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
2948	virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
6536	explorer.exe
6536	explorer.exe
6536	explorer.exe
6536	explorer.exe
4300	spoolsv.exe
4300	spoolsv.exe
3472	svchost.exe
3472	svchost.exe
1668	Process not Found
1668	Process not Found
4696	Process not Found
4696	Process not Found
6016	Process not Found
6016	Process not Found
6016	Process not Found
5400	Process not Found
4256	Process not Found
4256	Process not Found
4256	Process not Found
6824	Process not Found
6824	Process not Found
6824	Process not Found
2856	Process not Found
2856	Process not Found
2856	Process not Found
4056	Process not Found
4056	Process not Found
4056	Process not Found
4976	Process not Found
4656	Process not Found
4656	Process not Found
4656	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
5260	Process not Found
5260	Process not Found
5260	Process not Found
6464	Process not Found
6464	Process not Found
6464	Process not Found
4560	Process not Found
4560	Process not Found
4236	Process not Found
4236	Process not Found
4236	Process not Found
4236	Process not Found
4236	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 3064 wrote to memory of 2360	3064	firefox.exe	86
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2992	2360	firefox.exe	87
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88
PID 2360 wrote to memory of 2060	2360	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
9096	Process not Found
8972	Process not Found
9092	Process not Found
8924	Process not Found
8972	Process not Found
8564	Process not Found

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z
    3⤵
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27099 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2080 -initialChannelId {90b3b6da-8131-453f-ae43-94775e7abbbd} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      4⤵
      PID:2992
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27135 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {52f867cf-1699-43f0-b1ba-a6db27d199ff} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      4⤵
      Checks processor information in registry
      PID:2060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3760 -prefsLen 25164 -prefMapHandle 3764 -prefMapSize 270279 -jsInitHandle 3768 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3776 -initialChannelId {99e1ff9c-b97d-4f9f-96d7-48dc04e4ca4c} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      4⤵
      Checks processor information in registry
      PID:1252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3920 -prefsLen 27276 -prefMapHandle 3924 -prefMapSize 270279 -ipcHandle 4008 -initialChannelId {3a1d3abc-33af-4ee3-82b5-bf649fc394d2} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      4⤵
      PID:1912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4408 -prefsLen 34775 -prefMapHandle 4412 -prefMapSize 270279 -jsInitHandle 4416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4424 -initialChannelId {7fd83d6c-272a-4e82-a77c-6419798431c3} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      4⤵
      Checks processor information in registry
      PID:1484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5016 -prefsLen 34905 -prefMapHandle 5020 -prefMapSize 270279 -ipcHandle 4996 -initialChannelId {115d67d5-9f4c-49d8-99d0-fb28b3e1425f} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      4⤵
      Checks processor information in registry
      PID:376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5264 -prefsLen 32793 -prefMapHandle 5268 -prefMapSize 270279 -jsInitHandle 5272 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5280 -initialChannelId {41fd3d37-2d47-4772-b3fe-73499492f302} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      4⤵
      Checks processor information in registry
      PID:4516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2788 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5504 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5496 -initialChannelId {17f4b941-cd5b-46b1-aecf-596949cc4a7f} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      4⤵
      Checks processor information in registry
      PID:1352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5648 -prefsLen 32952 -prefMapHandle 5652 -prefMapSize 270279 -jsInitHandle 5656 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5664 -initialChannelId {98d48eed-1c80-4707-819b-45b2d18f43c0} -parentPid 2360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      4⤵
      Checks processor information in registry
      PID:2212
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virussign.2024.12.17.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1396
- C:\Users\Admin\Desktop\virussign.com_00b3c5c387437848a1bbb67c833a1d8b.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_00b3c5c387437848a1bbb67c833a1d8b.vir.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Users\Admin\Desktop\virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5188
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5044
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:440
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4340
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2392
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:644
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4052
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xcuctcxrvazw.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5196
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4456
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3880
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2876
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2380
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2456
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:6128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:6096
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xcuctcxrvazw.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6060
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6112
- C:\Users\Admin\Desktop\virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:7128
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    PID:7068
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 e2-aa-ec-9d-1a-98
    3⤵
    - Network Service Discovery
    PID:6912
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 a9-dd-b0-91-5e-94
    3⤵
    - Network Service Discovery
    PID:6924
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 1c-b9-0d-29-cf-7b
    3⤵
    - Network Service Discovery
    PID:6932
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 23-dd-0d-13-f6-6e
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:6940
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 7b-52-07-15-f2-5f
    3⤵
    - Network Service Discovery
    PID:6948
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 66-78-7b-95-70-96
    3⤵
    - Network Service Discovery
    PID:6956
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 32-b3-56-5d-eb-1b
    3⤵
    - Network Service Discovery
    PID:6972
- C:\Users\Admin\Desktop\virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5512
- C:\Users\Admin\Desktop\virussign.com_229e5ef8f13c10272d74c7e445a11240.exe
  "C:\Users\Admin\Desktop\virussign.com_229e5ef8f13c10272d74c7e445a11240.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:6748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@NinjaHexFF
    3⤵
    PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://www.youtube.com/@NinjaHexFF
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:6308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff840ccf208,0x7ff840ccf214,0x7ff840ccf220
        5⤵
        
        PID:6268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2036,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=2032 /prefetch:2
        5⤵
        
        PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2136,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3
        5⤵
        
        PID:5940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2608,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:8
        5⤵
        
        PID:5380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3516,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        5⤵
        
        PID:5304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        5⤵
        
        PID:3824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4212,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:1
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4232,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:2
        5⤵
        
        PID:604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4460,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        
        PID:6480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4736,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        
        PID:7080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4960,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:1
        5⤵
        
        PID:1352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
        5⤵
        
        PID:4032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3472,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:8
        5⤵
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3556,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3556,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8
        5⤵
        
        PID:3160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5976,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
        5⤵
        
        PID:5692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
        5⤵
        
        PID:7152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
        5⤵
        
        PID:6292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
        5⤵
        
        PID:2076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6496,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6500,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
        5⤵
        
        PID:6988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6816,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:8
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:8
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6008,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:1
        5⤵
        
        PID:1228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6868,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:8
        5⤵
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6724,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:3020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5108,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
        5⤵
        
        PID:5640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5136,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8
        5⤵
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,14658374841194450801,8086491788979268710,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        5⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff840ccf208,0x7ff840ccf214,0x7ff840ccf220
        6⤵
        
        PID:3184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
        6⤵
        
        PID:2572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
        6⤵
        
        PID:736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2600,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=2764 /prefetch:8
        6⤵
        
        PID:5952
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4208,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
        6⤵
        
        PID:6152
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4208,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
        6⤵
        
        PID:6008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4600,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:8
        6⤵
        
        PID:680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
        6⤵
        
        PID:5508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4612,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4668 /prefetch:8
        6⤵
        
        PID:6808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4704,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4740 /prefetch:8
        6⤵
        
        PID:3792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4980,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
        6⤵
        
        PID:1944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4976,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
        6⤵
        
        PID:3632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4776,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
        6⤵
        
        PID:6544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4636,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:8
        6⤵
        
        PID:1668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4668,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
        6⤵
        
        PID:3272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5008,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=2768 /prefetch:8
        6⤵
        
        PID:5200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:8
        6⤵
        
        PID:6092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
        6⤵
        
        PID:6804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5060,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:8
        6⤵
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4596,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:8
        6⤵
        
        PID:5944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
        6⤵
        
        PID:4192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4124,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
        6⤵
        
        PID:2848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4620,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:8
        6⤵
        
        PID:1112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4788,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8
        6⤵
        
        PID:1352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4724,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:8
        6⤵
        
        PID:3520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4820 /prefetch:8
        6⤵
        
        PID:4120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=784,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:8
        6⤵
        
        PID:6124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4780,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
        6⤵
        
        PID:6560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
        6⤵
        
        PID:2948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4748,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
        6⤵
        
        PID:1108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4744,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
        6⤵
        
        PID:1436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5096,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:8
        6⤵
        
        PID:3068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4332,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1
        6⤵
        
        PID:5332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=3780,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:1
        6⤵
        
        PID:6528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
        6⤵
        
        PID:6760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8
        6⤵
        
        PID:5312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=5528,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1
        6⤵
        
        PID:3784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=5464,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:1
        6⤵
        
        PID:1620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6284,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1
        6⤵
        
        PID:5956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=6468,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:1
        6⤵
        
        PID:6768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=6636,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:1
        6⤵
        
        PID:436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=6648,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:1
        6⤵
        
        PID:7104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6496,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
        6⤵
        Modifies registry class
        
        PID:3664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,11862636535701511170,2990786370494949936,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
        6⤵
        
        PID:5580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff840ccf208,0x7ff840ccf214,0x7ff840ccf220
        7⤵
        
        PID:5236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
        7⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2072,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2
        7⤵
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2408,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:8
        7⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4348,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
        7⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4464,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
        7⤵
        
        PID:1556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4464,i,13122721425172025061,13625188428449076280,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
        7⤵
        
        PID:6376
- C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:6572
- - C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
    "C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4480
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:180
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6536
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        8⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        9⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        10⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:6056
        
        C:\Windows\SysWOW64\at.exe
        
        at 13:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        10⤵
        
        PID:392
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        7⤵
        NTFS ADS
        
        PID:1672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 228
        7⤵
        Program crash
        
        PID:468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 228
        7⤵
        Program crash
        
        PID:1556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 228
        7⤵
        Program crash
        
        PID:5280
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 228
        7⤵
        Program crash
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 228
        7⤵
        Program crash
        
        PID:1044
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 228
        7⤵
        Program crash
        
        PID:6748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 228
        7⤵
        Program crash
        
        PID:3940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 228
        7⤵
        Program crash
        
        PID:1492
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 228
        7⤵
        Program crash
        
        PID:6132
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 236
        7⤵
        Program crash
        
        PID:4672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 228
        7⤵
        Program crash
        
        PID:5900
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 228
        7⤵
        Program crash
        
        PID:1936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 228
        7⤵
        Program crash
        
        PID:7016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 228
        7⤵
        Program crash
        
        PID:7020
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 228
        7⤵
        Program crash
        
        PID:1824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 228
        7⤵
        Program crash
        
        PID:2364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 236
        7⤵
        Program crash
        
        PID:5404
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 228
        7⤵
        Program crash
        
        PID:960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 228
        7⤵
        Program crash
        
        PID:5144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 228
        7⤵
        Program crash
        
        PID:3964
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:6004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 228
        7⤵
        Program crash
        
        PID:4144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 228
        7⤵
        Program crash
        
        PID:3648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 228
        7⤵
        Program crash
        
        PID:5484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 228
        7⤵
        Program crash
        
        PID:5252
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 228
        7⤵
        Program crash
        
        PID:5580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 228
        7⤵
        Program crash
        
        PID:6716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 228
        7⤵
        Program crash
        
        PID:6148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 228
        7⤵
        Program crash
        
        PID:1396
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 228
        7⤵
        Program crash
        
        PID:6368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 228
        7⤵
        Program crash
        
        PID:528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 228
        7⤵
        Program crash
        
        PID:6108
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:5884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 236
        7⤵
        Program crash
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 228
        7⤵
        Program crash
        
        PID:5292
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 228
        7⤵
        Program crash
        
        PID:4504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 228
        7⤵
        Program crash
        
        PID:6520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 236
        7⤵
        Program crash
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 228
        7⤵
        Program crash
        
        PID:1832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 228
        7⤵
        Program crash
        
        PID:4052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 232
        7⤵
        Program crash
        
        PID:5272
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 228
        7⤵
        Program crash
        
        PID:6748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 228
        7⤵
        Program crash
        
        PID:3436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 228
        7⤵
        Program crash
        
        PID:4696
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 228
        7⤵
        Program crash
        
        PID:644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 228
        7⤵
        Program crash
        
        PID:2672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 236
        7⤵
        Program crash
        
        PID:5984
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 228
        7⤵
        Program crash
        
        PID:6128
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 228
        7⤵
        Program crash
        
        PID:5900
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 228
        7⤵
        Program crash
        
        PID:4856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 228
        7⤵
        Program crash
        
        PID:6812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 236
        7⤵
        Program crash
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 228
        7⤵
        Program crash
        
        PID:7076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 228
        7⤵
        Program crash
        
        PID:6892
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 228
        7⤵
        Program crash
        
        PID:2536
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 236
        7⤵
        Program crash
        
        PID:5680
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 228
        7⤵
        Program crash
        
        PID:6700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 228
        7⤵
        Program crash
        
        PID:3488
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 228
        7⤵
        Program crash
        
        PID:5672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 228
        7⤵
        Program crash
        
        PID:60
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 84
        7⤵
        Program crash
        
        PID:3880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 228
        7⤵
        Program crash
        
        PID:6304
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 228
        7⤵
        Program crash
        
        PID:5088
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 228
        7⤵
        Program crash
        
        PID:5940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 236
        7⤵
        
        PID:5228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 228
        7⤵
        
        PID:348
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 228
        7⤵
        
        PID:924
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 228
        7⤵
        
        PID:6196
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 228
        7⤵
        
        PID:5836
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 232
        7⤵
        
        PID:6512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 228
        7⤵
        
        PID:6580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 228
        7⤵
        
        PID:6688
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 228
        7⤵
        
        PID:5864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 228
        7⤵
        
        PID:464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 228
        7⤵
        
        PID:4504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 228
        7⤵
        
        PID:6520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 228
        7⤵
        
        PID:6760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 228
        7⤵
        
        PID:3784
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 84
        7⤵
        
        PID:5256
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 228
        7⤵
        
        PID:440
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 228
        7⤵
        
        PID:5308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 228
        7⤵
        
        PID:3956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 228
        7⤵
        
        PID:5712
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 228
        7⤵
        
        PID:1120
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 228
        7⤵
        
        PID:3612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 228
        7⤵
        
        PID:6244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 228
        7⤵
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 228
        7⤵
        
        PID:7100
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 228
        7⤵
        
        PID:1976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 228
        7⤵
        
        PID:3528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 228
        7⤵
        
        PID:6944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 228
        7⤵
        
        PID:7104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 228
        7⤵
        
        PID:2404
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 228
        7⤵
        
        PID:1772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 200
        7⤵
        
        PID:5872
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 228
        7⤵
        
        PID:1768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 228
        7⤵
        
        PID:5668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 228
        7⤵
        
        PID:5384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 228
        7⤵
        
        PID:5644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 228
        7⤵
        
        PID:3704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 228
        7⤵
        
        PID:4280
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 228
        7⤵
        
        PID:4300
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 236
        7⤵
        
        PID:6136
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 228
        7⤵
        
        PID:648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 228
        7⤵
        
        PID:4960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 228
        7⤵
        
        PID:856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 228
        7⤵
        
        PID:2600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 228
        7⤵
        
        PID:5932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 228
        7⤵
        
        PID:5992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 228
        7⤵
        
        PID:1628
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 232
        7⤵
        
        PID:5600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 228
        7⤵
        
        PID:6840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 240
        7⤵
        
        PID:5764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 228
        7⤵
        
        PID:3296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 228
        7⤵
        
        PID:1200
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 228
        7⤵
        
        PID:5160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 228
        7⤵
        
        PID:6912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 228
        7⤵
        
        PID:7028
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 228
        7⤵
        
        PID:7016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 236
        7⤵
        
        PID:7156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 228
        7⤵
        
        PID:5432
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 228
        7⤵
        
        PID:7124
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 228
        7⤵
        
        PID:5668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 228
        7⤵
        
        PID:5384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 228
        7⤵
        
        PID:3900
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 236
        7⤵
        
        PID:4704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 228
        7⤵
        
        PID:7004
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 228
        7⤵
        
        PID:4876
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 228
        7⤵
        
        PID:1944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 228
        7⤵
        
        PID:5928
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 236
        7⤵
        
        PID:5088
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 228
        7⤵
        
        PID:5880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 228
        7⤵
        
        PID:5480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 228
        7⤵
        
        PID:6032
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 228
        7⤵
        
        PID:6284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 228
        7⤵
        
        PID:6072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 228
        7⤵
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 228
        7⤵
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 228
        7⤵
        
        PID:1484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 236
        7⤵
        
        PID:4652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 236
        7⤵
        
        PID:4340
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 228
        7⤵
        
        PID:1796
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 228
        7⤵
        
        PID:3504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 228
        7⤵
        
        PID:4192
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 228
        7⤵
        
        PID:5288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 228
        7⤵
        
        PID:2560
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 228
        7⤵
        
        PID:6008
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 228
        7⤵
        
        PID:2072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 228
        7⤵
        
        PID:5916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 228
        7⤵
        
        PID:5616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 228
        7⤵
        
        PID:2880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 228
        7⤵
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 228
        7⤵
        
        PID:5528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 232
        7⤵
        
        PID:6364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 228
        7⤵
        
        PID:7096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 228
        7⤵
        
        PID:2840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 228
        7⤵
        
        PID:6952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 228
        7⤵
        
        PID:5400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 228
        7⤵
        
        PID:980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 228
        7⤵
        
        PID:5672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 228
        7⤵
        
        PID:5092
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 228
        7⤵
        
        PID:6644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 228
        7⤵
        
        PID:6876
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 228
        7⤵
        
        PID:392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 228
        7⤵
        
        PID:5484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 236
        7⤵
        
        PID:2604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 228
        7⤵
        
        PID:6544
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 228
        7⤵
        
        PID:2464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 228
        7⤵
        
        PID:4076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 228
        7⤵
        
        PID:5932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 228
        7⤵
        
        PID:5992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 228
        7⤵
        
        PID:6568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 228
        7⤵
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 228
        7⤵
        
        PID:5696
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 228
        7⤵
        
        PID:3392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 228
        7⤵
        
        PID:5320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 228
        7⤵
        
        PID:4284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 228
        7⤵
        
        PID:1348
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 236
        7⤵
        
        PID:2896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6236 -s 228
        7⤵
        
        PID:6468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 228
        7⤵
        
        PID:1612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 228
        7⤵
        
        PID:6300
    - - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        5⤵
        NTFS ADS
        
        PID:6632
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    - NTFS ADS
    PID:5148
  - - C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
      4⤵
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:1116
- C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe"
  2⤵
  - Executes dropped EXE
  PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 188
    3⤵
    - Program crash
    PID:5896
- C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  PID:4516
- - C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
    ar
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2100
- C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  PID:4172
- - C:\Users\Admin\Desktop\virussign.com_b4bd52ca9c2793243177e02a86e24f32.vir.exe
    ar
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2948
- C:\Users\Admin\Desktop\virussign.com_68ddabef296c66f97b3f2e10f92a4b6b.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_68ddabef296c66f97b3f2e10f92a4b6b.vir.exe"
  2⤵
  - Executes dropped EXE
  PID:6232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 932
    3⤵
    - Program crash
    PID:2364
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4372
- C:\Users\Admin\Desktop\virussign.com_6094452daf763ea4992f5cf8c128cd85.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_6094452daf763ea4992f5cf8c128cd85.vir.exe"
  2⤵
  PID:6772
- C:\Users\Admin\Desktop\virussign.com_6094452daf763ea4992f5cf8c128cd85.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_6094452daf763ea4992f5cf8c128cd85.vir.exe"
  2⤵
  PID:3128
- C:\Users\Admin\Desktop\virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe"
  2⤵
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates system info in registry
  PID:5472
- - C:\Users\Admin\Desktop\virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe
    C:\Users\Admin\Desktop\virussign.com_a72d280acf360b7e4715ab4c7090e08f.vir.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=a065fa5e0513dcb30a17b6884c502caf34bea3df --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x770,0x6a4,0x6a8,0x66c,0x77c,0x11c7678,0x11c7688,0x11c7698
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6644
- - C:\Users\Admin\AppData\Local\Temp\RBX-7B1DF94E\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RBX-7B1DF94E\RobloxPlayerLauncher.exe"
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\RBX-7B1DF94E\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RBX-7B1DF94E\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=02b4c5ddb67176d38cb24d82ab58f517d625d797 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x574,0x578,0x57c,0x550,0x548,0x1a68e78,0x1a68e88,0x1a68e98
      4⤵
      PID:3988
- C:\Users\Admin\Desktop\virussign.com_0dfc9f7833d3e1e20d0d9308faa2b66b.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_0dfc9f7833d3e1e20d0d9308faa2b66b.vir.exe"
  2⤵
  PID:5764
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C del "C:\Users\Admin\Desktop\virussign.com_0dfc9f7833d3e1e20d0d9308faa2b66b.vir.exe"
    3⤵
    PID:4544
- C:\Users\Admin\Desktop\virussign.com_9b055037383beff906060dc78de5e05c.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_9b055037383beff906060dc78de5e05c.vir.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:680
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:6164
- C:\Users\Admin\Desktop\virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe
  "C:\Users\Admin\Desktop\virussign.com_add1aa4615abe1f367bdc349c79e1868.vir.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C taskkill /f /im OneDrive.exe >nul 2>&1
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/KCfyvNCZGA
    3⤵
    PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://discord.gg/KCfyvNCZGA
      4⤵
      PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/SofMain-1337
    3⤵
    PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://github.com/SofMain-1337
      4⤵
      PID:4876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sofmain.sellsn.io/
    3⤵
    PID:5992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://sofmain.sellsn.io/
      4⤵
      PID:4276
- - C:\Windows\SysWOW64\SofMainCleaner.exe
    "C:\Windows\System32\SofMainCleaner.exe"
    3⤵
    PID:6460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color b
      4⤵
      PID:6492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:6584
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
        5⤵
        Modifies registry key
        
        PID:3676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:1940
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
        5⤵
        Modifies registry key
        
        PID:6852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:4340
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
        5⤵
        
        PID:6836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:5260
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
        5⤵
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:6604
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 2948716994139982145528496249099801337325315324612441215995 /f
        5⤵
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      PID:4868
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
        5⤵
        Checks processor information in registry
        Modifies registry key
        
        PID:7012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:7092
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2948716994139982145528496249099801337325315324612441215995 /f
        5⤵
        Modifies registry key
        
        PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
      4⤵
      PID:4620
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-29487 /f
        5⤵
        
        PID:7060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
      4⤵
      PID:1792
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-29487 /f
        5⤵
        
        PID:6540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
      4⤵
      PID:4644
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 29487-16994-13998-21455 /f
        5⤵
        
        PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
      4⤵
      PID:4012
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {29487-%random} /f
        5⤵
        Modifies registry key
        
        PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
      4⤵
      PID:3252
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 294871699413998 /f
        5⤵
        Modifies registry key
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
      4⤵
      PID:5848
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 29487 /f
        5⤵
        
        PID:6356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
      4⤵
      PID:5760
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 29487 /f
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
      4⤵
      PID:4524
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 294871699413998 /f
        5⤵
        Enumerates system info in registry
        Modifies registry key
        
        PID:6012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:6624
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {29487-16994-1399821455} /f
        5⤵
        
        PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:6652
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {29487-16994-1399821455} /f
        5⤵
        Modifies registry key
        
        PID:3056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:6628
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {29487-16994-1399821455} /f
        5⤵
        
        PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:5496
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 29487-16994-1399821455 /f
        5⤵
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:1068
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29487-16994-1399821455 /f
        5⤵
        Modifies registry key
        
        PID:7112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:4840
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 29487-16994-1399821455 /f
        5⤵
        Modifies registry key
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:3052
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 29487-16994-1399821455 /f
        5⤵
        Modifies registry key
        
        PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:2576
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 29491-27743-3186212751 /f
        5⤵
        
        PID:4100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:464
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 29491-27743-3186212751 /f
        5⤵
        Enumerates system info in registry
        Modifies registry key
        
        PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:5056
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 29491-27743-3186212751 /f
        5⤵
        Enumerates system info in registry
        
        PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:1808
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {29491-27743-3186212751} /f
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:3512
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {29491-27743-3186212751} /f
        5⤵
        Modifies registry key
        
        PID:5548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
      4⤵
      PID:720
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-29491 /f
        5⤵
        Modifies registry key
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
      4⤵
      PID:5008
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 29491 /f
        5⤵
        Modifies registry key
        
        PID:5964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
      4⤵
      PID:3248
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 29491 /f
        5⤵
        
        PID:3940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
      4⤵
      PID:5524
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-29491 /f
        5⤵
        Modifies registry key
        
        PID:6844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
      4⤵
      PID:6968
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29491-27743-31862-127516043} /f
        5⤵
        Modifies registry key
        
        PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
      4⤵
      PID:3876
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29491-27743-31862-127516043} /f
        5⤵
        Modifies registry key
        
        PID:5192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
      4⤵
      PID:4812
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29491 /f
        5⤵
        Modifies registry key
        
        PID:5464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
      4⤵
      PID:536
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 29491 /f
        5⤵
        Modifies registry key
        
        PID:64
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
      4⤵
      PID:5840
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 29491 /f
        5⤵
        
        PID:8
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
      4⤵
      PID:6464
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29491-27743-31862-12751 /f
        5⤵
        Modifies registry key
        
        PID:208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
      4⤵
      PID:4556
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 29491-27743-31862-12751 /f
        5⤵
        Modifies registry key
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
      4⤵
      PID:5492
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 29491-27743-31862-12751 /f
        5⤵
        Modifies registry key
        
        PID:1208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
      4⤵
      PID:3956
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 29491 /f
        5⤵
        
        PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
      4⤵
      PID:60
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 29491 /f
        5⤵
        
        PID:4188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
      4⤵
      PID:2028
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 29491 /f
        5⤵
        Modifies registry key
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
      4⤵
      PID:5792
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {29491-27743-31862-12751} /f
        5⤵
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
      4⤵
      PID:1204
    - - C:\Windows\system32\reg.exe
        
        REG delete HKCU\Software\Epic" "Games /f
        5⤵
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
      4⤵
      PID:4924
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29491-27743-31862-127516043 /f
        5⤵
        Modifies registry key
        
        PID:3504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:6196
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
        5⤵
        
        PID:6716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      PID:6224
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
        5⤵
        
        PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:1628
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\MountedDevices /f
        5⤵
        
        PID:5780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:6212
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
        5⤵
        Modifies registry key
        
        PID:6080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:7024
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
        5⤵
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
        5⤵
        
        PID:4988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:4520
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
        5⤵
        Modifies registry key
        
        PID:5984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      PID:3612
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
        5⤵
        
        PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:6980
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5572
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Modifies registry key
        
        PID:5832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:636
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        
        PID:1940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      PID:6836
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
        5⤵
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:6024
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:3144
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:6832
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:180
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\MountedDevices /f
        5⤵
        Modifies registry key
        
        PID:6928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:3548
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
        5⤵
        
        PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5288
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
        5⤵
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:1792
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
        5⤵
        
        PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:3084
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
        5⤵
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      PID:1112
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
        5⤵
        Modifies registry key
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:7100
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 2949457231695840461635732762160263028725571201652411616083 /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:1496
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:6364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:3056
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:5348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:6932
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:6856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      PID:5728
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
        5⤵
        Modifies registry key
        
        PID:5076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:2860
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        
        PID:5048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
      4⤵
      PID:6216
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 29494-5723-169584046 /f
        5⤵
        Modifies registry key
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      PID:6132
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
        5⤵
        
        PID:4100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:3960
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
        5⤵
        
        PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:3804
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
        5⤵
        
        PID:1656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:6416
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
        5⤵
        
        PID:5204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:2904
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
        5⤵
        Modifies registry key
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      PID:720
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Hex-Rays\IDA\History /f
        5⤵
        Modifies registry key
        
        PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      PID:4980
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
        5⤵
        
        PID:6204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:6992
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
        5⤵
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:5268
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 294971647220542810926672392119139273599314140172396916127 /f
        5⤵
        
        PID:6868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:2236
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2949716472205428109266723921191392735993141401723969 /f
        5⤵
        Modifies registry class
        
        PID:4244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:5464
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 29497164722054281092667239211913927359931414017 /f
        5⤵
        
        PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:5036
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 294971647220542810926672392119139273599314140172396916127 /f
        5⤵
        
        PID:1464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:8
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 294971647220542810926672392119139273599314140172396916127 /f
        5⤵
        
        PID:516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:3188
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 294971647220542810926672392119139273599314 /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:6668
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 294971647220542810926672392119139273599314 /f
        5⤵
        Modifies registry key
        
        PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:2148
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 294971647220542810926672392119139273599314 /f
        5⤵
        
        PID:1208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
      4⤵
      PID:5532
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 29497164722054 /f
        5⤵
        
        PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
      4⤵
      PID:3956
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 29497164722054 /f
        5⤵
        
        PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
      4⤵
      PID:5804
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 29497164722054 /f
        5⤵
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
      4⤵
      PID:2028
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 29497164722054 /f
        5⤵
        Modifies registry key
        
        PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
      4⤵
      PID:4984
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 294971647220542810926672392119139273599314140172396916127 /f
        5⤵
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
      4⤵
      PID:1204
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {29497-16472-205428109} /f
        5⤵
        Modifies registry key
        
        PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      PID:1648
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
        5⤵
        
        PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:3712
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
        5⤵
        
        PID:3920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      PID:5944
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
        5⤵
        
        PID:6208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh winsock reset
      4⤵
      PID:6028
    - - C:\Windows\system32\netsh.exe
        
        netsh winsock reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
      4⤵
      PID:6568
    - - C:\Windows\system32\netsh.exe
        
        netsh winsock reset catalog
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh int ip reset
      4⤵
      PID:5756
    - - C:\Windows\system32\netsh.exe
        
        netsh int ip reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall reset
      4⤵
      PID:5832
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall reset
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh int reset all
      4⤵
      PID:6736
    - - C:\Windows\system32\netsh.exe
        
        netsh int reset all
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
      4⤵
      PID:2120
    - - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
      4⤵
      PID:6860
    - - C:\Windows\system32\netsh.exe
        
        netsh int ipv6 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /release
      4⤵
      PID:440
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /renew
      4⤵
      PID:6324
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      4⤵
      PID:6296
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:6728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
      4⤵
      PID:5760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\FortniteGame\Saved
      4⤵
      PID:6504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\INF
      4⤵
      Drops file in Windows directory
      PID:5212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
      4⤵
      PID:388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\Public\Documents
      4⤵
      PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
      4⤵
      PID:4044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\D3DSCache
      4⤵
      PID:6692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\CrashReportClient
      4⤵
      PID:6432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp
      4⤵
      PID:6544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
      4⤵
      PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\SoftwareDistribution\DataStore\Logs
      4⤵
      PID:1936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\ProgramData\Microsoft\Windows\WER\Temp
      4⤵
      PID:6008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\AMD\DxCache
      4⤵
      PID:5712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
      4⤵
      PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch
      4⤵
      PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
      4⤵
      PID:6676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
      4⤵
      PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
      4⤵
      PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
      4⤵
      PID:5876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
      4⤵
      PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\Engine\Plugins
      4⤵
      PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
      4⤵
      PID:5440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
      4⤵
      PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Program Files\Epic Games\Fortnite\FortniteGame\Config
      4⤵
      PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\NVIDIA Corporation
      4⤵
      PID:4112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Roaming\EasyAntiCheat
      4⤵
      PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
      4⤵
      PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /s /q C:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
      4⤵
      PID:6988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
      4⤵
      PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp
      4⤵
      PID:3248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
      4⤵
      PID:1424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
      4⤵
      PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History
      4⤵
      PID:6984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\Intel
      4⤵
      PID:6976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
      4⤵
      PID:4244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
      4⤵
      PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
      4⤵
      PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\FortniteGame\Saved
      4⤵
      PID:5248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\INF
      4⤵
      PID:5700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\%username%\Microsoft\XboxLive\NSALCache
      4⤵
      PID:5516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\Public\Documents
      4⤵
      PID:6824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
      4⤵
      PID:1044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\D3DSCache
      4⤵
      PID:5560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\CrashReportClient
      4⤵
      PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\temp
      4⤵
      PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
      4⤵
      PID:4308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\SoftwareDistribution\DataStore\Logs
      4⤵
      PID:6900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\ProgramData\Microsoft\Windows\WER\Temp
      4⤵
      PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\AMD\DxCache
      4⤵
      PID:6704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
      4⤵
      PID:3796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\Prefetch
      4⤵
      PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
      4⤵
      PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q D:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
      4⤵
      PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
      4⤵
      PID:3692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
      4⤵
      PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
      4⤵
      PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\Engine\Plugins
      4⤵
      PID:4296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
      4⤵
      PID:6180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
      4⤵
      PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Program Files\Epic Games\Fortnite\FortniteGame\Config
      4⤵
      PID:6920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Users\%username%\AppData\Local\NVIDIA Corporation
      4⤵
      PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Roaming\EasyAntiCheat
      4⤵
      PID:1392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
      4⤵
      PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /s /q D:\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
      4⤵
      PID:3460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
      4⤵
      PID:5796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Temp
      4⤵
      PID:6328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
      4⤵
      PID:6840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
      4⤵
      PID:5944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q D:\Users\%username%\AppData\Local\Microsoft\Windows\History
      4⤵
      PID:1240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4256

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6364
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3532 -ip 3532
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6232 -ip 6232
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4504 -ip 4504
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 636 -ip 636
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5044 -ip 5044
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3956 -ip 3956
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5284 -ip 5284
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3656 -ip 3656
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3612 -ip 3612
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 628 -ip 628
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 436 -ip 436
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1072 -ip 1072
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6668 -ip 6668
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6944 -ip 6944
1⤵
PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7152 -ip 7152
1⤵
PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4896 -ip 4896
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5628 -ip 5628
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4644 -ip 4644
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 4560
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5532 -ip 5532
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3508 -ip 3508
1⤵
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6004 -ip 6004
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5880 -ip 5880
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4356 -ip 4356
1⤵
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3632 -ip 3632
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3124 -ip 3124
1⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4428 -ip 4428
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6328 -ip 6328
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5760 -ip 5760
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5764 -ip 5764
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6548 -ip 6548
1⤵
PID:6424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3988 -ip 3988
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5884 -ip 5884
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4100 -ip 4100
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3740 -ip 3740
1⤵
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3980 -ip 3980
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1104 -ip 1104
1⤵
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2724 -ip 2724
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4384 -ip 4384
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 700 -ip 700
1⤵
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2560 -ip 2560
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2072 -ip 2072
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4032 -ip 4032
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3068 -ip 3068
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4008 -ip 4008
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1664 -ip 1664
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 628 -ip 628
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2840 -ip 2840
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5140 -ip 5140
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
1⤵
PID:6888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7068 -ip 7068
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6804 -ip 6804
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7152 -ip 7152
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 232 -ip 232
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2364 -ip 2364
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5404 -ip 5404
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1456 -ip 1456
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 756 -ip 756
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5372 -ip 5372
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6948 -ip 6948
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1888 -ip 1888
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5880 -ip 5880
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1820 -ip 1820
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 856 -ip 856
1⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5876 -ip 5876
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6016 -ip 6016
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5780 -ip 5780
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5072 -ip 5072
1⤵
PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6640 -ip 6640
1⤵
PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3512 -ip 3512
1⤵
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2748 -ip 2748
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 316 -ip 316
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 320 -ip 320
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1056 -ip 1056
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3960 -ip 3960
1⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1924 -ip 1924
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1656 -ip 1656
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5124 -ip 5124
1⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1704 -ip 1704
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6336 -ip 6336
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3460 -ip 3460
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2380 -ip 2380
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3316 -ip 3316
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1492 -ip 1492
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6132 -ip 6132
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3996 -ip 3996
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2948 -ip 2948
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5800 -ip 5800
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7028 -ip 7028
1⤵
PID:6888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2064 -ip 2064
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7024 -ip 7024
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7164 -ip 7164
1⤵
PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5748 -ip 5748
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4896 -ip 4896
1⤵
PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5792 -ip 5792
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6168 -ip 6168
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1112 -ip 1112
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6876 -ip 6876
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5420 -ip 5420
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2264 -ip 2264
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5380 -ip 5380
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2028 -ip 2028
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3644 -ip 3644
1⤵
PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3428 -ip 3428
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3056 -ip 3056
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1872 -ip 1872
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6568 -ip 6568
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3044 -ip 3044
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3544 -ip 3544
1⤵
PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5448 -ip 5448
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2624 -ip 2624
1⤵
PID:6580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 376 -ip 376
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7088 -ip 7088
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1936 -ip 1936
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6832 -ip 6832
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5508 -ip 5508
1⤵
PID:6920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6924 -ip 6924
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6804 -ip 6804
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 536 -ip 536
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 232 -ip 232
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3608 -ip 3608
1⤵
PID:6700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3496 -ip 3496
1⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7148 -ip 7148
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1100 -ip 1100
1⤵
PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3472 -ip 3472
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 704 -ip 704
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5804 -ip 5804
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 212 -ip 212
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6300 -ip 6300
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2464 -ip 2464
1⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3392 -ip 3392
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6500 -ip 6500
1⤵
PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6764 -ip 6764
1⤵
PID:6200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6456 -ip 6456
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2136 -ip 2136
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 464 -ip 464
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6164 -ip 6164
1⤵
PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6576 -ip 6576
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3980 -ip 3980
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2024 -ip 2024
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3960 -ip 3960
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1620 -ip 1620
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2044 -ip 2044
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4816 -ip 4816
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 760 -ip 760
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5516 -ip 5516
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2340 -ip 2340
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5548 -ip 5548
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6620 -ip 6620
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4252 -ip 4252
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3376 -ip 3376
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4056 -ip 4056
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1376 -ip 1376
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6668 -ip 6668
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 208 -ip 208
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3608 -ip 3608
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6708 -ip 6708
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5236 -ip 5236
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1100 -ip 1100
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5920 -ip 5920
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6056 -ip 6056
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5208 -ip 5208
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2284 -ip 2284
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4356 -ip 4356
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2212 -ip 2212
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3428 -ip 3428
1⤵
PID:6716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3628 -ip 3628
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6148 -ip 6148
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1700 -ip 1700
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5924 -ip 5924
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3044 -ip 3044
1⤵
PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3272 -ip 3272
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6616 -ip 6616
1⤵
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6764 -ip 6764
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5292 -ip 5292
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 388 -ip 388
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6236 -ip 6236
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5672 -ip 5672
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:6948

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AppNeta\Logs\install.log

Filesize
105B

MD5
083409b7f1835d434ce18bcaf364e64c

SHA1
33970b336175981da3a639524b52cb68ff44ac6e

SHA256
0327bf0752da57eef6320aa7765595430ef25efbbce17d0fa3bc3922a2ad6b83

SHA512
b90886ceaf161b271e4048f6fa7a74de013bad8a08277eafd715f1662261e3c50b0972e8c8652b9c176e0c2c6749ac1086aede8d549c571291951c9206b5362e

Download Submit
C:\Program Files (x86)\AppNeta\Logs\install.log

Filesize
246B

MD5
104fb20b0c8d30a3e838e2fba59ad378

SHA1
c18c2bab089aadc62befca0955caf11a9d02ec59

SHA256
9b927c7d57c62608f267b20571c55f326e44cba7371a06b753705d2c2ae34346

SHA512
42764a3a976346fcbf5874358df38d91e04f590007dcb19001fcaa6805c5a90efcf2b1fcfaba14b9838c643b457e8afec61011642d1c7caa4f6830c96aa150b2

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
8.5MB

MD5
eca4513b644a3cf6731ca153b09e1eff

SHA1
b6f50c2ae36498e5abeec3e13bf52ae43c04174d

SHA256
11aae8f52ac0ed689cbdfc18c23411525ee74b51c3258e205ebcec0f809221ae

SHA512
492d131e9ad0549809eee4b3ee65497b34577937c35b9df7b408752c526f7de3a08e9cc1e57e0023204a07bdcff392cb48219383425cb193e9a86f81a142b652

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-bef193a8f3d14d3c\RobloxPlayerInstaller.exe

Filesize
8.4MB

MD5
5a1886265c56e44ea2baa73624468c11

SHA1
f57f18e5e4eb7469a4f70867ba29005468d839ab

SHA256
33d404233e2139e13e26a162a9999576a4fd0667229fd85456cef93fc577c37a

SHA512
972d25531d90de57115c41cc6181923e961caf11f96e4a4822cb6e732cbc799ca071b0f6502e8490d2f1e8a1591e8c3fd33ad2a5582e5bc02fbd01bb1c758669

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1100_16695138\_metadata\verified_contents.json

Filesize
1KB

MD5
68e6b5733e04ab7bf19699a84d8abbc2

SHA1
1c11f06ca1ad3ed8116d356ab9164fd1d52b5cf0

SHA256
f095f969d6711f53f97747371c83d5d634eaef21c54cb1a6a1cc5b816d633709

SHA512
9dc5d824a55c969820d5d1fbb0ca7773361f044ae0c255e7c48d994e16ce169fceac3de180a3a544ebef32337ea535683115584d592370e5fe7d85c68b86c891

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1100_16695138\manifest.fingerprint

Filesize
66B

MD5
8294c363a7eb84b4fc2faa7f8608d584

SHA1
00df15e2d5167f81c86bca8930d749ebe2716f55

SHA256
c6602cb5c85369350d8351675f006fc58aea20b8abf922a2c64700070daaa694

SHA512
22ed0211822f6f60fe46184fb6e5e7fcb2b3a9d2e19f25fb6e84e1ca3a5d645183959309549cdb07c999b345cfdd9a1351f3474e03fb8d451b0f093d44844d7c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1100_16695138\sets.json

Filesize
9KB

MD5
eea4913a6625beb838b3e4e79999b627

SHA1
1b4966850f1b117041407413b70bfa925fd83703

SHA256
20ef4de871ece3c5f14867c4ae8465999c7a2cc1633525e752320e61f78a373c

SHA512
31b1429a5facd6787f6bb45216a4ab1c724c79438c18ebfa8c19ced83149c17783fd492a03197110a75aaf38486a9f58828ca30b58d41e0fe89dfe8bdfc8a004

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1237285385\manifest.json

Filesize
119B

MD5
f3eb631411fea6b5f0f0d369e1236cb3

SHA1
8366d7cddf1c1ab8ba541e884475697e7028b4e0

SHA256
ebbc79d0fccf58eeaeee58e3acbd3b327c06b5b62fc83ef0128804b00a7025d0

SHA512
4830e03d643b0474726ef93ad379814f4b54471e882c1aec5be17a0147f04cfbe031f8d74960a80be6b6491d3427eca3f06bc88cc06740c2ad4eb08e4d3e4338

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1359083378\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1359083378\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1376311475\manifest.json

Filesize
238B

MD5
15b69964f6f79654cbf54953aad0513f

SHA1
013fb9737790b034195cdeddaa620049484c53a7

SHA256
1bdda4a8fc3e2b965fbb52c9b23a9a34871bc345abfb332a87ea878f4472efbd

SHA512
7eeee58e06bba59b1ef874436035202416079617b7953593abf6d9af42a55088ab37f45fdee394166344f0186c0cb7092f55ed201c213737bb5d5318e9f47908

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1712687040\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1789318616\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_1865024273\manifest.json

Filesize
118B

MD5
395a738237cb5606743da99d5459bd59

SHA1
53a2e376dbba8020189b4d629d1ce452c43abc42

SHA256
6a15b2c0969575a4ae419e8b0eedc7c5515c8ae3dd73771e431e484689684aac

SHA512
0ac1112218d23328eb3cccf777c9bf7b0c31b71387fc620d0f91fec73994661021524ae66d8b81f26d1d7f4df8ac60c12f7852c72c65030d0c106a0ba773a8bb

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_197722356\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_2002858433\manifest.json

Filesize
135B

MD5
4055ba4ebd5546fb6306d6a3151a236a

SHA1
609a989f14f8ee9ed9bffbd6ddba3214fd0d0109

SHA256
cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5

SHA512
58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_272280799\manifest.json

Filesize
145B

MD5
ba1024f290acf020c4a6130c00ed59e0

SHA1
01274f0befca8b6f4b5af1decc4ade0204761986

SHA256
551b8c76c19c654049d2d8043a79b8edb3c03e1b695cabf76b4076ed4921ae28

SHA512
e55b871dd3500f30d639089cc42a4edc3bd4d26d2c4fd151322a363fd8edec82d5345751953f9b581e40f22b6a8976faa0ea7ec9fd286f73f747120c87ea7157

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_541036315\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_541036315\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_541036315\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_541036315\manifest.json

Filesize
121B

MD5
7122b7d5c202d095d0f4b235e8a73ca5

SHA1
0cca47528a8b4fb3e3d9511d42f06dc8443317c2

SHA256
93b603f06d510b23b95b3cacd08c3f74c19dc1f36cd3848b56943f069c65e975

SHA512
ad6fba6e0710cc26149dcf7f63143891aad4ebba0cc45670d8885fade19dc1a50b542a15b10a7604b6b1be4b8e50fcd5514f40c59b83cc68bd10a15ab2a93c1a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_5547482\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_607835694\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_62615167\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_636738894\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_636738894\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_636738894\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_636738894\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_721882569\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_721882569\manifest.json

Filesize
80B

MD5
9e72659142381870c3c7dfe447d0e58e

SHA1
ba27ed169d5af065dabde081179476beb7e11de2

SHA256
72bab493c5583527591dd6599b3c902bade214399309b0d610907e33275b8dc2

SHA512
b887eb30c09fa3c87945b83d8dbddceee286011a1582c10b5b3cc7a4731b7fa7cb3689cb61bfead385c95902cab397d0aa26bc26086d17ce414a4f40f0e16a01

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_77577611\manifest.fingerprint

Filesize
66B

MD5
3fb5233616491df0ec229ba9f42efdb8

SHA1
18a8116e2df9805accd7901d2321c3fa92da1af4

SHA256
946f3a9e019b0d80f5671de782f295132341f663f74aebad7628f22e528d6d52

SHA512
e9b17ac626bf6508db9a686825411e90d316a0f1dacbf63dbec5baaaf6b96af4dbc9a7332975b6d5c16c43757d79fddca6b888ea97bc07a8dffb1b3a06366b4d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_77577611\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_807682994\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_847101659\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping844_975649248\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\ProgramData\Roblox\Downloads\roblox-player\f9e8d87bd5143b90593d582e0bb840c4.part

Filesize
8.5MB

MD5
f9e8d87bd5143b90593d582e0bb840c4

SHA1
8bec20280f8cfeed0d91af6df710be777d6a3882

SHA256
51ef6126c67bad7ffd85f550c9ac04ed829591a0be610c5ac3ed369bdeea9385

SHA512
f6ae86f4fc596415ef80a72b486a313fc902cd5a7596ff7a3a778865560a037481cb0c6f3f9032aee53bc6980c6103061c8f2bd80dc1714f7e95ee86f51c40fe

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.6MB

MD5
4dd6306e9a75c2d0d788035a9947ee82

SHA1
b5483ce92ef54650edbeecbd0ef59184ebfa7c8c

SHA256
ed8ecfe33d0663f3cd0c5ab5c944dce4ce523063afb0b2cd119180aee8616293

SHA512
1690f6abd2fd768cf123dd791f1b3b01fb92e88384e144a8666c0c65f7c672f67cdbbe83414e8ebd3a27512116209df8a6f124634ec4a3ac53cfe83c5da5faac

Download Submit
C:\ProgramData\Synaptics\synaptics.exe

Filesize
6.0MB

MD5
5d8ac806e1c2dd5af6bc4cd3912f91f5

SHA1
a98b68654b16d3a284c84a63192659dbd29d2a77

SHA256
5d71a6b8c13346ee90f4180e454ca6e58118dd0a513db07101a7b62e2394cc93

SHA512
d13ca8634051eb85eb3686fb8ce6a0767b2e335ea046ed390146f914fc928ce9f3a36d6756b281e5ce3026484ece83826bb33fbc2aac8796ab86225060b230ce

Download Submit
C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe

Filesize
5.6MB

MD5
85bbb3819299d505b529416dba78c410

SHA1
2ae728670facc8588c26c3a4f33912030c455cc6

SHA256
1b7f9346969a9d8ecf0fdafef51bbc181283206a0b7a84ce29addabfc4508d35

SHA512
3c49a6cee54ea711d8f4b1b5c2b6dae493dc9c0daa4532c177702e6e1f8a8d0e87adf2f9dddaf3bf49fd43e63a9c046e5b21c1e1bb2f10fc737b07a7266f708c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\autofill_bypass_cache_forms.json

Filesize
175B

MD5
8060c129d08468ed3f3f3d09f13540ce

SHA1
f979419a76d5abfc89007d91f35412420aeae611

SHA256
b32bfdb89e35959aaf3e61ae58d0be1da94a12b6667e281c9567295efdd92f92

SHA512
99d0d9c816a680d7c0a28845aab7e8f33084688b1f3be4845f9cca596384b7a0811b9586c86ba9152de54cafcdea5871a6febbee1d5b3df6c778cdcb66f42cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\edge_autofill_global_block_list.json

Filesize
4KB

MD5
afb6f8315b244d03b262d28e1c5f6fae

SHA1
a92aaff896f4c07bdea5c5d0ab6fdb035e9ec71e

SHA256
a3bcb682dd63c048cd9ca88c49100333651b4f50de43b60ec681de5f8208d742

SHA512
d80e232da16f94a93cfe95339f0db4ff4f385e0aa2ba9cbd454e43666a915f8e730b615085b45cc7c029aa45803e5aca61b86e63dac0cf5f1128beed431f9df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\v1FieldTypes.json

Filesize
509KB

MD5
630f694f05bdfb788a9731d59b7a5bfe

SHA1
689c0e95aaefcbaca002f4e60c51c3610d100b67

SHA256
ad6fdee06aa37e3af6034af935f74b58c1933752478026ceeccf47dc506c8779

SHA512
6ee64baab1af4551851dcef549b49ec1442aa0b67d2149ac9338dc1fe0082ee24f4611fcc76d6b8abeb828ad957a9fa847cbc9c98cdf42dd410d046686b3769b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cc556a80f0eb04ea04e04d80604381f9

SHA1
bce6c457d2762bc4da714bfbf2d5356586353079

SHA256
f1f0366922dee5a1c551cfb2c010723b8052ad5309a17e26faf8fd2dc7fea0e5

SHA512
ca58d377fe72069b0bcae79f1fdc7b5de90c7312121a03d95b936cd9aec2ea3f3571227189a270157bccf3650adf9a33650fe31b741d85ff839f625bea1b5540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d9646a9bb22755b4550b334099c6e31d

SHA1
f73d8412920095a912bfe2d4787119475d2de5a1

SHA256
79f91c89f75ba8a2eb493ce2930778318a254bdbf84ebf912b6686713ad1cee0

SHA512
2e132da1fc14d041091a65d7044b8a5e94dfd55a5953a1fceb6c28908b18f80990cae9fb8904a9f1a34f5377e50e1530a9589b5e3eb6b1228e8a6051ecefcc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
3641bbe51b5d31c8f3302b0f49f743c9

SHA1
a345481223ead24d63f6f35c0e4a13710817f4bb

SHA256
9c0098d82b9952ffaa117f3e6ec4dd02bb27f7f1f9a85895158672f73447a4ef

SHA512
64ce57c7bf665ca65cd01ff973aacac320959f825831c0ded66d72ff29ce2f8de53bb2d0761cbe35ad1ade194d8dd293dc0cd95c8cf878ee53dad45f2dc714ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
520KB

MD5
52c02e625bc8b358a464dd9178abfd63

SHA1
647aa4ed1f8b2db318fee6a52eea2481142e8b8f

SHA256
a451369d3254576887878a83ec2f1d1e48e4bf69d9e03fc6b660090cc3cfcf7e

SHA512
c65c1869cdb16cb4aaff44fc8e6d753e431f9c9a5a736f4b2e3255ae49bdef5c6071fed60cd57589e3ab75c52a94ed8995a0617d838835b5daa522bc95b45e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
d104afcfd214366abeb8093cc2659ec5

SHA1
a1225707f0587effe81fef96c0def2de542b3900

SHA256
398d98285626d57a126d0ab927121f8e10d0b903e81085f022279ca5e46d7af8

SHA512
d6109fbf60286bb8099221cf0e33cf312e187576a5f1bc1f470dbb6c660c0a61fa2b85f4ea4db21a22ceb3a7a2c936b6ce7b08d620b045805d78b8597dc965e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cd586ae08a4449e2d2d73b89401dc952

SHA1
5fc97e31a58236fe763cb6d032d7d9b7cb1927a3

SHA256
957ac9a5f11fd13a51417bef68026326522ddc74004a4455eef1ee13e131bb70

SHA512
dad30b804cf39af45ab479d66e08b0af0e2447160de75963dbe4bba7122421726708993e5fa1c8b491640a736c965f976898c83bddc553f04d47f6b82e57616a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c2d04f6d8b5d70b21a287c96f83517f7

SHA1
e1497aa409c4b06f4d86fbfe828fd0f354bfe457

SHA256
9b308b1496977260db20a73e8ee62f205f890aaf7a7e6b6c72d22da1c8c8bde7

SHA512
b1a6279da14787b4ffd6dd13a7382f81ae6805bbfcabe4492b7d7963caf0fb0b5e3e58f9b8bd98f92ea46d5774f24af9033bc7432bb3bc1bcb41fb9ac0992e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5db921.TMP

Filesize
3KB

MD5
53c315e96dba263eedbce7bf61cae025

SHA1
83c905f3cefc98dd24a445c2d33951510db10758

SHA256
89cd9fc8539ba9f76c4a3fa5dc066813c86c8b5c61dbfce596d35ebc9b87e8b9

SHA512
99871b1d8e6781677ad7b7a65ffe2c8ab6e365d3646f6703467d54f78c3f82bc807d7544bbfc21b7a41ec25b62a527f8973bc6bdd54dd81926645576a879d9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
764f117737d774a22a18863b5515066f

SHA1
e5124be3ea1573e07c4837988a7af37576981f08

SHA256
61952014b3bd0736a6c9159bfc13c9fe63bcfc86412a275f7d80135eec34deb8

SHA512
92b5bd35dc139aef18a0a1fe3af39be88b0cb7313239adf6030720a5b418f72a9102c97af146ae8b3d094f9d912919e0f7ad48f8dd12378e47daa2eda02f9ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\a793e754-1755-4c2e-81a8-93002450054a.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
0d47c19cd109f2ef15d28c38bf429eda

SHA1
da4dc7d9fb7e1292b9f98cd364a0fad32446d983

SHA256
0344ea02da8d59d428c43a3469eee25e1c570739b0f18bfef3b7b1513e4b1f32

SHA512
a71e324b1b165d9f43ec9c70aa472e7ff2230cd13a6325a2922c965fc98c701088ae2a4c2697719787d42267f47f18cf723c9e2f2d0dec24040de36ac8267d79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log

Filesize
172KB

MD5
5edcfe47a8c5b67cc7a543d7c9b6e1c7

SHA1
43e0e4dc50cc69d78da8794357e55235fd565137

SHA256
d29f5249f64f1a4d0695ee5e56040b707b68f1ee63b3d94cf7ad1188dc3234f5

SHA512
f13636ddc7b1377f2a531d510388e68e527365620e5d7ecdd198c0a9ed9fb599ad4bc38b545baa67fedc16feeb15d28d45bd08efb1cdd9b11fd643dc101cdbb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG

Filesize
353B

MD5
a23996249cec936bbb337d953ffc5df9

SHA1
eaef677b3e2066631a5c57c7bb912d8021a66ecd

SHA256
be48c0faf211b9b18810ecd65fed1266d533f22c8ca566745d993a4e4023aa05

SHA512
4ec843c3659e9d8c4446f56bd528930c042c010b4dc22ef89928b79d834d037a58ba8b4189940eb8642046c22fff54657732aaee6b798365ad6177a0301be19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5e41e732-f136-45d0-b2a4-a443612d9f52.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
c9c2825d0ee5929f24d97a88d81c9934

SHA1
b5854a63667ba69ece4fc7f3be0c003089f272e6

SHA256
03e16307c645265d6a0137ccf4cb2e325b714c1c3a6f1ef1bb5249176d770c3d

SHA512
e8ec9b32c88826eba4e61aed9b21653a3e7e4e633ddd1a8e420d0e2ca11612ef44f17140e119b2188c213d480e087d1f80fa5f48460773964d9577f78b0e6091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
fdf1929fa4dc13d3052ee526fae56755

SHA1
2938ad2ad00a580f496021157ab3c210b486ceb9

SHA256
7f5acf81f925426a1aa29d723e3d5f70adf0c8612ef53b3f9632ece1baa2197c

SHA512
6b583288c7e39a26d2054f5d4ce62fb84f7e228fc8acf05b7c83af22a4934e752c9c143eccd3556315c6976cf1ea354e2e40a8c365b23fc034471d2372e1f78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f9cd9dd34a31a78987adabc7d8d3f5d4

SHA1
557664274e9bce1754b520c16a42b26249d75227

SHA256
b57bcfd84ad95ed6a4b954b03edf7cc47de50531cd190744926ec493b06f9603

SHA512
bfa31c7504e6b86f60fcda010defc4299bf5bc4ad586a50436dfeb9dab11a865496de27d5bf71f4342e11f4fe9bb1b9b48b79b0d8a279511dc3b08372cb815c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
17fde0da0d69fcc6cb79ea50cd46a8f6

SHA1
25b9bd553fc6df42bce92bb34e0f0be5371c11b5

SHA256
84e44b742645546b32114d2dec070ca5c4e9ac37b658f9c669a701ff6a66d5b8

SHA512
b51d108f0ea5725c7424e3c822c766519407c2370899349f2f2245c1494c23d956d11421ab5aa6f84d74f371844b4490c5ea686735827f2433b1d6c64180038a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
4e6bd3e6e3cd748b7368c76ea1f76904

SHA1
8f58a86397dc803aa090d3cfc0e08d69bc7c4405

SHA256
7992c14412d643766504e71a17cd3e1a7af2b4359c5a5bea8b7a5e0d9651bc4f

SHA512
e7f61096fe7c95a6403df912d11e9b99d99321fa09349603c082da4d1a1397d19d6d59b30694b4919207566f95915270700c47643fdd8646d90e31fe8e7f7473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
23ed0b95bd0dcbb667a6bb5739f80484

SHA1
2e08d14b66dcf868697bc6245a1e15a711a6d9e2

SHA256
b24a99daf3885e87c4121589570f3f7c05a4cce3abeee66b77c9d3ad6dbf5fa8

SHA512
c0c68b91ccd5ceda393b497792fe5dc1ebbb90bb0e79e368cbdcd352cd2b02c769059fe62fb0825003618cf9ffd6dd21623ad9464dd307261dfec5670af07d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
38b9f0422298df3b01cccb61b8d345b3

SHA1
ea04fe92d4c81f86075ea954cfe348c5d8953edc

SHA256
923bca47f1473acaec9becabcf60358efb13fb044b0be68ef3b0e222b818d4ac

SHA512
b279b007959e932513c4b21630e177436e256fd64a1e81cade37b390f0be3421a063f8f9f0dac6d010fa703e83df7d50b8101e3ea6a186895aba7b3e83ce4458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9166d7a755c4f79b7aea104df4e5ea3f

SHA1
9377d389c0b3f1d5c0621ccb3784e2cb62a6ae5c

SHA256
1cd47902052a89e617caac56207d3f0992aff5f118f49c46ee885349efa31484

SHA512
b906781a0705478e7e48b99d3c4af5452aa30830b963347182a10c545d1cd9e3df8a0b95c2facad00ed75df00270b90cdb91337bc431ea4903ec5763e07080f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\be464f4f-a757-47fd-9899-9dce6eb648a0\index-dir\the-real-index

Filesize
576B

MD5
d2a9c8fc32ac38db9e775fb6d52dfdc5

SHA1
f7d5a91d3fda9cd7bcc0be956fc681ccf55eef29

SHA256
80008f19d3b4ee619fc70130b51eb95ac00c473f78f76393e5ebde4f8663c8b2

SHA512
287406215609fa4bd7ed2324249b81baf4fefa4412242668c6afddc9ff0ece94928a59e5d81a80bb649917854da63b7d46e144c53d7f56116f031d77eb3937b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\be464f4f-a757-47fd-9899-9dce6eb648a0\index-dir\the-real-index~RFe5db912.TMP

Filesize
48B

MD5
e704af709c9525dc96299f52c5b78b57

SHA1
c91111a95af72e4ec7ad74bbe96a529a2020d990

SHA256
6c58d388961c00a971f4236149de73db425eba1435a167a23d6ab944d7ce053f

SHA512
39260c4a88d27a0735f22baef071d6073544d0a00eca02a8c8ab4274c69c86332f44a831c846a3128583c39de152a8e5f0c1a5da1e4562e15961a6873c58e140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fe0344a1-b1d7-4ffa-af74-b7d0bdaac06c\index-dir\the-real-index

Filesize
2KB

MD5
6b0f4d27c1b5238049bb31978a1950c8

SHA1
457bfe809422fe2ae5635624d7832c05e47f62f5

SHA256
c3fd6531de4b3b5def4c411f6385bf9ccefa8f3266701f6957b536d3a2de2d8c

SHA512
c51ac73485086837d1717f4b865a40aebf6740ca3794c54ab354c488acd4e61721abd3de5a76b84ca9616f72acd2b79e541117b28921bf66b5dee0c37bbbb6fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fe0344a1-b1d7-4ffa-af74-b7d0bdaac06c\index-dir\the-real-index~RFe5db912.TMP

Filesize
48B

MD5
fa75630f340d79515cd8ee8de3cb6492

SHA1
c6dd5ab3baa800392dc906961d2c374070303447

SHA256
e90b96e7d91386a0cd010de9ffeeb7ee6eea5eb92760a01a5e6cd97541fd72fe

SHA512
78e32b1ecbde67d36199134fce423e68c0680eb68bdb494f967526976d63fb231842cadec235480672b9a2334009819105629242e70cc99bd925a842ecde126d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
1b1d302a0105607fbb8781e4985e108b

SHA1
5f4b95b61198e56ab033f4fc97c723fb92449103

SHA256
c9fd0ef87e85fbfba2a4ab8269938fc41509d147a1af2d583b0aa2a70f3a9762

SHA512
1b536bfdd562063f847df18a3f9a7878a01bb0f600fe35b29c4c57f375a00071361d6288f7c92647e112ee5d89bb8e39baf8aa937b9be8b749da2123e02858a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
186B

MD5
c9a9bb099854cb8993d171bc74fbe881

SHA1
748a9c0cdf2abf6cb764ef74258cc0ef1a175c00

SHA256
ca1d41ee243478c75a207241cdef1d7c45c343ac40e19235f5c1596ec420f6ac

SHA512
86f71d0d7d72b20a0ad0a7fca406bbb7f7c09a04b56aefecee3b07fe7a7c88262f714215f74492d14e54d8df81a928f0821d8b430c0c8adc33d0151f6e5c47e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
268B

MD5
6292f6c2ce26678be484384631011acc

SHA1
4aaaa6cf93652ee9a330b9f30a3a265bd53148e4

SHA256
aaad7a86f6f2ce8cc4ffc71951db99e970cfddbec017a176a99d1a0617b2b193

SHA512
b773d88e9470d9fb762c74c80d8e89e0e6189e7609766a650da9a922cb6b6a3d58c52ab851cca9465e0c752821f9f6016ba88a999aa10e4bd821803f65ea5923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
262B

MD5
8b4014f89ef7034aeb6cd3000d452ba5

SHA1
b16f51cf220d6abfa93b771aa9be75fae510c171

SHA256
4a34a9d760c8cde9dcaa46215e2d243b54963911235072f55c085c2ab53a694e

SHA512
8b6b68771fccb03821d85282bc0144306d71830519c7686d008d023c453ee9a13795b3239bd0b719bead26294125790f3adcae1eaaa950dd2ba7ab4826457d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
15bcf81157c0245bf584fa684c829e32

SHA1
6fe477da4c93216f9415b4f52ec386f17ccfa580

SHA256
aa6b021476aa409def860280466d8aef8a5b8b248c910e1fbe2dca81a933cbef

SHA512
5d587b9ff1e08b93d650d2b0c225a09b23b81c0f047fd20ae7d080a167aee33171051b424deb4dacd62b8eac6a6f855ac9b2f6029be1ce1545e5f121b904c4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5d6350.TMP

Filesize
119B

MD5
a99dbdcedc4cc636d0c9b9be960c105f

SHA1
af4a42e055d46d2e8e1ddf05e5a81fe767414ec8

SHA256
b652a5bf9189e3640f39413495165f23406743f3264cd6fbe4de48d89a92eff6

SHA512
a5498e96740228581abbd88675fb85533adc40ffb42360501c13c5fc65849e2e51ef864d131d0d9f226b3586724de2ef73c014a1606f2df98fd54bda5ffe76c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
333d680b0d00f8422a6de9dd01fe2050

SHA1
c6dc6cd3dadbbf7622193773cf609da24973d01f

SHA256
f4b7a54b0380bfbe877f9d01faba07541bb20e7c4b921c79fcd295210816709c

SHA512
440b50bda0604146ef8fa586a997d498e727e290b97f353ea743c373579b1dc0e635a812dfb9bec7be570afc8cd407ef4e4118a828ba9c39e3d212b72ca2c6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5db50a.TMP

Filesize
48B

MD5
4ad2b68e211f1152b08a107940caa159

SHA1
3bdaa74e18774fc8a09d498b5c3c936e43823009

SHA256
870bf0148609c0264f8c96ffb33e12a94bdc1080b2bd2fd1d25e6c9f274af205

SHA512
fe4336a244598ba128a01353b68cca5a9a56f2b76739c335e0de52a0453517d25765fb6fab54a535c28df35824686685b5ef636502ea99b83d2c2b60cca66877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
172B

MD5
e5cdc5230fd676080260eb900ee3a320

SHA1
2509255086c9b3800a2f3f48c249df3733c8c42c

SHA256
7342d4cfc1b4f4c68df608222448d6fab46ea8b19d9c9b7b7bfd0fd11474fc64

SHA512
f259a93792077d91d26711f0c362e397425673a215de49b2b2feaf12c97ded7ae8166f1f5bde9891319fd77e545f78957d0b257a73826a5f5389018594a45b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
97fdca5016bff4104cf254446d9065a1

SHA1
2c1a1939616d70e0a3f7135073ddd760874190cf

SHA256
5593aa2c54ce19bb83d36b8b964f0d3cbcb13785728413cc5b78b431744e4fd4

SHA512
db04b66f53967d41afda0bcf7b422e3689641d93a71bc3e546243b43f588b495dda9517e66b149577493d8128e56cf274a204bcc3c6d5fab5b356d4ee400feb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
7f114dd7183e20def28bca3fd98765b6

SHA1
1fd16406f00488f3acfc48a3302ac10d144b3885

SHA256
f1ebe533161a41b71d2edbb263d8ffe8216df7c813dd8f0b790b1e9b6ad0f1b3

SHA512
93c1add05ef7b0a101f64a8414a1e3b9f6788c208c0ad05c77f373b7d801223cafa15fef5f62494e49bef9a73498d8ba45aca3659aa5aad738cf4c6ba1944a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
cd3131e4d897390f9f9eb2bd8fcf1891

SHA1
82b9ec9774b7057cce999d1f2f33c436a4e69e80

SHA256
0dec6e133e864d77c518fa28819de652b963610d036b0cbef0cbb6475a471097

SHA512
2bd6a70a5b30aa43fb7bcf805bafef77cc550be72c7b0e5a2edca880bf51502ae8d32f55a4338e70bdc8ae91d3002476eb921718fd80b8feab4ade1cd199b0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
4ecb4691fca69af6a63ed3946ba8bd77

SHA1
ac9edfa9313417c866d87e811dd9e2552019c45e

SHA256
7edf96e791606e834702d1b2e6b76820eb591235d2f3f8ccf0f45218a5309b9a

SHA512
fd8c20e82faa79fe82e0decd287819fb236bbfeedb2d331e504f778318e10f6f10a4ffd9b148618cf58f21ec63a85da7b23f4061e454042674bd3bbeef4bcca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
bcac22c5a593d2706d140c80449ab01a

SHA1
e78c201c0aa8f4ec2ebcb9712de875d0367bdd3e

SHA256
12545868d19e51b5e7f08fe985b52225a8f770b777b999a2679c9dc4676950ee

SHA512
c0916bc84488c8717cb54a853188bc6f6c2dd4d93c68c449b97f1bc234b0f9ff9bbab9f5052b80ead16efedb2be42c7d202317ff3b439dafd76475fb809730f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
06686bd22c89ea95b300637479109cb8

SHA1
c55e3f2f7284644f4a2f3e529ff0b822304a93d4

SHA256
83f41d87d54bf812d5a947dcb7b140e592c6e8863af27b1732e5d2155ecedeb3

SHA512
c789d7539a77ef697adbde2e26aee5121830c5776c9b7d82a8eb7aaf143b9f2571af74cbf2fdb1cb315cb160ea377acfed13abbe208924773f7e4db13409c993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
876B

MD5
e66938f827450198016711d1602d4f6f

SHA1
971b1c7cfcc5a4a383543d1ec3f795f58a18c7cb

SHA256
b4ead3696e0646ed703df82ca8181dcd6c1bfac94776da0d767b5e11c93237c2

SHA512
add3df97767e82e936cfb31964a68004bd60b072ac5ef0de403220e5a54eea84230206bc966d4c17257787f44bd7a38a7792f22b9c32919ca04cbb1a3223e754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5ea798.TMP

Filesize
467B

MD5
c4fdee25e48cf8c048571c74520e6175

SHA1
07f6c2f984efa4f501c1a463a93b2e25dd4efbfe

SHA256
f623f51fa216fadc21bcbb638d71de18ee3df74994327496dfff5f8a151ef974

SHA512
7270006f75a3cabdc1d89896ac84a5af50183818b8f826317e15c034d66dff02846d316c7b12f96b0f75ba3834ba0c5ed604c95c5e64088ee86acdeae338c651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\da11f6d2-f860-4824-abdb-60fe173872ce.tmp

Filesize
21KB

MD5
e4dfd0504387a1ebcc4a48846e44a23e

SHA1
a5a91da421e3d8728ae857694dbeb24ea72b7866

SHA256
d3c39babd9652bcdb02ae17f895437ed85f617cb04f7ba4bbaf7ad7e8ab78cb6

SHA512
94a1d4ab7b18763b55c9246d73feb0ed64a7e506572884a2940696b12910d6ff2a03a0b1aca3e4035a81548633acd437e762e758952ba72dafc97f191e46d419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
125KB

MD5
11cc89c5bdf92c5b708363aee358b97b

SHA1
ff6a0d40cb7c7b5b00ca403c61216e08f0e04518

SHA256
9f2bcc6feddd180ab6ca3fee8243eeb0c5ab62a61f49da9eeeef5f679a2d6cb8

SHA512
62cecc973434c1940c32109baa372e1bd0427d1e13db7f34fd34851243383280e50243a80255a7560d747b0c60716ced11f1760084cd7d6b5818b685093e94e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
2b2eacd14e2173209546a5b0a35af60a

SHA1
bf79dd68153d7e53ecb9e8e735c16a664df5ac46

SHA256
ab1c313f92c7b1ae5cf11ac2d7ddb8ad845233ce77e72811dc45f8ceaa52086c

SHA512
ebf6839cca4047295445342cac84ad9e7528d45396416f38b27de93ce39bca34c42e5c0418a0b7f402dd39cd5cb52d69c951b1750e66b80e5ff16b24bf5de93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
5462b96ed2fef8132639c70611fe8c27

SHA1
7a723d6f4f51c1edf871b985868cc69d9ffe9a46

SHA256
ec6147a26246f87f4fbef50bdcd4d83e038c611f9242b8802cc73bcf3486137b

SHA512
960382a033ac82e85d97a4af544b2bb16d1d4290d271a4d559d6fff7af270c72fb0ff259f1efa77f66eceec850d751144549421795696f886a3cccbe15f69643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6c4137276de6f379112886d074ad3998

SHA1
6046ba2b973c796e793e3c4608485561ff70a6a7

SHA256
1826a0321d78a21bf2910acf173d27821922cb51164dd3c415d10e4660ffe381

SHA512
04d19e6501bf0a831177e23784506a0697f10124ced91920294d9843363625d4a4ed9120215dfcc05493a9c924a197a6c28e21acc2ac45d77dddffb5c4c96dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
f115215e773954a466ec23ac359328f7

SHA1
6b25dda31bfbeac363a42da4d1d5ce9c9f6e9506

SHA256
7f05f3971686681f0684f610593672289d5c5c72dce35f67610ef46a251f53df

SHA512
8a5cea6b0cf3718780d27b2702293dbade6109824d6316532780917792c0e8aa62e593369b7e58f95341115baaceae5ac1cf3b6db7776d1a5875664f7eac3452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
37KB

MD5
c5a21c6e0a9e58a485ddfebd21b8115a

SHA1
2920e18c0fe12a096fbb6c8497211519ecab16d2

SHA256
f2570c14c71095f4ddebacfddc00e6db566def287b2dd55978a9a8070d356b81

SHA512
2c3c3b2dc0e0d852a7d758ca5aac1a0ab373c8d5514938afe7a392c22fc4a9352fc4b7dd22b9526e041f1f8deda824804bc8a731abfb44de7b1c822c26f0e6c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
37KB

MD5
208586f6ded93ffab9b2adbbf0838b3e

SHA1
26b536a3a36776129b191b81428f5b6ac14831b5

SHA256
19e4e38240ef1d08f122f863e7203f24884bffa71083af82e15ea77e734818e8

SHA512
513410eadaa26a563dc7dd1c737f77796879662d5cd87fc07c6daebd8a54b89143034d0ad21f9f47f3466ae91266e03bfa630c47ce67e2ed8914ea5e5d062209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
47KB

MD5
484ff574b9b617f81cba6fc0d87676dd

SHA1
e6620ac655e1d823c67424f24b230fc32ea52bd0

SHA256
1fd67f8037013b763749c68c562986d6a5ea5b2c48ec4e2cf9b1d5c93d66d8d6

SHA512
5da3d8e39e5f092c502f319be5a63db74851197e48b32b80b120f007d6a9cda18f6e3837881901d16146901d8c5c8c87003f9846201fcc73cd1d4ed1193d5919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
049fd81631c8bbbac6fd97348a6c6f39

SHA1
18d2ae6855a0446bb8f62db5068fc80cf7bfb4bf

SHA256
d41bba1eac6a7d5001e3c7828a70bbd231d9c50bcff1d2abee475858582aebdc

SHA512
e19d2728b18d073a6a4f5624457457beeb0fa7c65fd2bf8e1fa8f1046181ab642f6803e7cabba0f9de65f73e360a4f7f9357566518e832df3dd700854d84d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

Filesize
3KB

MD5
17c10dbe88d84b9309e6d151923ce116

SHA1
9ad2553c061ddcc07e6f66ce4f9e30290c056bdf

SHA256
3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e

SHA512
ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3fd7128538889039d4d48584098cf1ad

SHA1
71810fcec9d708149c82504400fc7d1d271086a9

SHA256
008f7724e9a5b036af5a99e13ccbe56c9df8e7fa69bf6577d840c28d967669c3

SHA512
7a030bea69343122b108565de8e7bdb4af39ac7650bdac1d2eac9f2c96fa474aaeeb31b5b986636db5c4fe2f000319a60d0661f283570045cfcd03948f62e4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\36\10.34.0.57\Ruleset Data

Filesize
2.8MB

MD5
6a62b26b738ffda1414b1e45b3b97c12

SHA1
ff44417a79841f948bdbeec9049f9fb59d16dc9f

SHA256
da3927c997d3bb2326e97a8dd7835c28f50ad8c4a9dd407669f20730c0159207

SHA512
820caca570523600a057dbedd38b7e3b375d6427d716cb74d0aee0825e621268a9f418f135443e5bc6bd7b9a1fbb8eb6676324d46f9111e56404b8953f23de53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2024.12.14.1\keys.json

Filesize
6KB

MD5
b4434830c4bd318dba6bd8cc29c9f023

SHA1
a0f238822610c70cdf22fe08c8c4bc185cbec61e

SHA256
272e290d97184d1ac0f4e4799893cb503fba8ed6c8c503767e70458cbda32070

SHA512
f2549945965757488ecd07e46249e426525c8fe771f9939f009819183ab909d1e79cbb3aeca4f937e799556b83e891bbb0858b60f31ec7e8d2d8fbb4cb00b335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.20.1\typosquatting_list.pb

Filesize
638KB

MD5
da8609745ded15c07f9b3b42a794f1bf

SHA1
6f51794da7f06ce1e79ea3e42a22f67d068525bc

SHA256
7dd01720dc53471b5cfb185a9b1e39be94a095c53e5dc8a295818e425ca265c6

SHA512
a04bd2845bd6df19cd59eb6d62be863ceffca5841f8c878c289364418a89e4b0f1efa4224f3fb0d10a010ce73a23a60e81e6d7437ec27da3541f085e22ac938b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\alpjnmnfbgfkmmpcfpejmmoebdndedno_1.82619AB08DF7CF22656D61766214356A12DD9CE8FEBE4B1702A2B26247C7B37D

Filesize
220KB

MD5
bc8ecf984ec5c8f8dd2323bfa6223f55

SHA1
0529f6bab83cc0bc3ae2d23f20d3977b5c5ec00f

SHA256
82619ab08df7cf22656d61766214356a12dd9ce8febe4b1702a2b26247c7b37d

SHA512
6519e76ad03bb674b54aad959ebac9d6fd342652597df8022b0e6f99ffd95f6a8c7a507705c92498afa1e027d2adc74d012fb77b9f6ec04f6d0720ec2a0fa22f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\cllppcmmlnkggcmljjfigkcigaajjmid_1.7BC5ABD7C86F0BCDF52D76CB979A17B6D339892886A6DED8DD5DC6339A3F3FE6

Filesize
4.2MB

MD5
80d2cb242963705629661da810369556

SHA1
38e35efc4fe55c3131ec14ab4bef9e824a8a6e21

SHA256
7bc5abd7c86f0bcdf52d76cb979a17b6d339892886a6ded8dd5dc6339a3f3fe6

SHA512
cf776d5b6581b7be72a7e1c633beb9948eaacf7385fe2acef0f4f85a45f4136fdde62bfd587e26a8e86f7caed0a033d4b3725a2cb6bfbb9c0651048b572d9389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\eeobbhfgfagbclfofmgbdfoicabjdbkn_1.8BFD50D350D47445B57BB1D61BBDE41CEDA7AC43DC81FCE95BF1AC646D97D2A0

Filesize
1KB

MD5
e15208ff647aea1698bfa7da5287df5e

SHA1
bc5d6e7d0d71ae1bcac13320ee237ce0adc493f3

SHA256
8bfd50d350d47445b57bb1d61bbde41ceda7ac43dc81fce95bf1ac646d97d2a0

SHA512
07e2435f9e609d92daf97b5c6b75a79c9f8c229facd24999a45d954ad2eda130f7b7deeab6403f8518c5bfe2791b9796952c7ee58023488c90165cb1b0d5f47b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\fgbafbciocncjfbbonhocjaohoknlaco_1.2EE0FD95211580C591EEB5DF8280DB42AA00166AB03A919A3748BD857A42EA75

Filesize
7KB

MD5
369f75979fb96e26cb9eaae79a824dbb

SHA1
26eb633af481d1cd73ba3a87b53f0cbd7693e325

SHA256
2ee0fd95211580c591eeb5df8280db42aa00166ab03a919a3748bd857a42ea75

SHA512
bb624cc07a91119598bc11b58054424e8dda47d79b69aeb9470dff0065bc679f995aa87b69abbd21224738daabef1cd211d4245db31f5653d6ae81a800345ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\fppmbhmldokgmleojlplaaodlkibgikh_1.A81D1959892AE4180554347DF1B97834ABBA2E1A5E6B9AEBA000ECEA26EABECC

Filesize
952KB

MD5
1a9c030cf025d340ff394cd9e5b664f3

SHA1
c1e8490662903d90de97760cb3102426f2784bd9

SHA256
a81d1959892ae4180554347df1b97834abba2e1a5e6b9aeba000ecea26eabecc

SHA512
7a9584c96849b1c8c623119bea4255a628e0f36d3a5f670e9c6a20f84d250fee859751a521322864b1577d7ca3ecdd7ee805c0f35bd7d74ddf43afc9f2abf8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\gllimckfbolmioaaihpppacjccghejen_1.8D64E3A35EE2C3E0B9E33AFD63069FDC917A5647DD1E20C5EAD97955FB6979F9

Filesize
247KB

MD5
5d64fc5b0fb5cd8b08cd7fb5219f3ec9

SHA1
4a4b34bc0ead9ca4d1f8420a7947ab390434b36a

SHA256
8d64e3a35ee2c3e0b9e33afd63069fdc917a5647dd1e20c5ead97955fb6979f9

SHA512
a6d01c23a362ea1c58b736419ebe7275b64862ffca1ea35b482f1fdd2a8e770b49c1281f467c20405cbefa83791f5079b83aa6e868e7777ccf4f61455e83355c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\hjaimielcgmceiphgjjfddlgjklfpdei_1.A00289AF85D31D698A0F6753B6CE67DBAB4BDFF639BDE5FC588A5D5D8A3885D5

Filesize
2KB

MD5
e0698dbe3caf467562d26f00893901e7

SHA1
7b9e6bf2af3edad3011162b6031afd47d4c2c151

SHA256
a00289af85d31d698a0f6753b6ce67dbab4bdff639bde5fc588a5d5d8a3885d5

SHA512
16da0e128b2f8245d9baeb5aca8cc7e8001784cca332241829c455f31710a874402d96b09ceb7b56a1ad56c5caae432d89f6de9c46c7fe02af648e67df871dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\jcmcegpcehdchljeldgmmfbgcpnmgedo_1.12F4481AD6CACB38388666CFE13A3B29B60098BAA1684D75556ED4D655822983

Filesize
176KB

MD5
562137493d17c2b6b8ed11c51c335375

SHA1
771cc8499e251bb3e3159b9b7ba17d487df8b4af

SHA256
12f4481ad6cacb38388666cfe13a3b29b60098baa1684d75556ed4d655822983

SHA512
3220af64f37439f364edb08e1da425a5a8a8ab74f44ee44339f7457889cd0791a861d7b20011276c6a64567b17c22448fa964095bbb7c586f426eb0f61f442c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\kmkacjgmmfchkbeglfbjjeidfckbnkca_1.4A84F2BDD63DABE6ABDE22B9047A6942EEB7BDF93D8435CC4B188DBE72D9E30D

Filesize
2KB

MD5
9d86366b5c19a2b12e1f824933c40073

SHA1
8b456aa335ec40d4bc05c6d630d78d635450d4bd

SHA256
4a84f2bdd63dabe6abde22b9047a6942eeb7bdf93d8435cc4b188dbe72d9e30d

SHA512
7e463246c679b38f802b249427d1cadb6255fc05fbd1e01cf36a7a8a1d313522f43632501c773eb5f435fb1eab850960cb00dbb2552f70f90401c98ce47d5518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\kpfehajjjbbcifeehjgfgnabifknmdad_1.00AF3F07B5ABB71F6D30337E1EEF62FA280F06EF19485C0CF6B72171F92CCC0A

Filesize
1.0MB

MD5
14ef2d35ee97e8be10d6046b2e1942de

SHA1
8ad139e47d4d58df369e40c025923be0d82a5f9b

SHA256
00af3f07b5abb71f6d30337e1eef62fa280f06ef19485c0cf6b72171f92ccc0a

SHA512
f6e646031caa27f972b222a94aee3b2b610db686009e1dee6fbf0c4ac7ba6edb632eafd9ed81e15bb011e2c31ed4dda82b16dac560ed68596159ec29064ecda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\lfmeghnikdkbonehgjihjebgioakijgn_1.B963F6CD6104D30F0FAAA175AD8D11B3C0D760A07FC9671256BD98D9B193CBAB

Filesize
17KB

MD5
8b130f5edab0f92dc1a80d8e19770e95

SHA1
ea4aca0800ba36aa1128a35e3f8e322a194741f9

SHA256
b963f6cd6104d30f0faaa175ad8d11b3c0d760a07fc9671256bd98d9b193cbab

SHA512
9711f4fc9b455fdffe27cca0aabbee63b08d52f452a9f4a28038423b7a40bf2dd3a8ec94560365684772e040c7772c4b8d0b370d00aed95a7618d33bedcbef32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\lkkdlcloifjinapabfonaibjijloebfb_1.18019BEB1D2B6F91D1849CE2ABC6B9BD83FFAB505BB252125F79A4ECEDFAC75A

Filesize
82KB

MD5
bd9ce4f5bc69e2803c9de1a5a70ad044

SHA1
f3494cde4179c089a2fa9ec0ba010767ab5d2ed7

SHA256
18019beb1d2b6f91d1849ce2abc6b9bd83ffab505bb252125f79a4ecedfac75a

SHA512
5bc3152b6efaba8c0811b420e3544c4f2296cad4a4fafced47205e483bbb84455d44b8d64f565d0744f4686ce1e0f85efc0bbb323cbd97256de9930260460671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\llmidpclgepbgbgoecnhcmgfhmfplfao_1.16DC24B2E9D5402FA390FC2537BE6CB9988289BD8E65D36CA77BE83911500CAD

Filesize
3.0MB

MD5
c7fad3a1c1a38413bd7f351232bbe09e

SHA1
171ad19f738a61a006044aa628c4e218d50c1b27

SHA256
16dc24b2e9d5402fa390fc2537be6cb9988289bd8e65d36ca77be83911500cad

SHA512
b7c04a40f90731e1a49e825c8146debf7db18e4af7618da000fe734dfb481d6b7695fb8789fc8e94facf93b342f8a6dd7880515161a68fcffacc7d5d45f47d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\mpicjakjneaggahlnmbojhjpnileolnb_1.1F430EE51251CD6853CF572A1E536A2724AAD90F5E4B02432D27C84DEF762421

Filesize
66KB

MD5
3bbe09c89632b897a8afe9611d60d0b3

SHA1
5051ea87c8d9a823c8b60217d66529d4156e753f

SHA256
1f430ee51251cd6853cf572a1e536a2724aad90f5e4b02432d27c84def762421

SHA512
efb8d136a03d753654eb1fa356121efc0b904f4798eb2ae7ccc09532dea4eae3a2777933ecb090e13b0faac2220fed29540a2654f86e2fbfb6ea03a7a662ec00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\ndikpojcjlepofdkaaldkinkjbeeebkl_1.69D0D51AD8D1AABAAE811B5BC6F72729BEEBE8AB40C8E6080C8255453F913377

Filesize
1.6MB

MD5
4e1b8110c0051df94a611086b3afce68

SHA1
76d1fda433efdfde03006189e9727c270e4a6936

SHA256
69d0d51ad8d1aabaae811b5bc6f72729beebe8ab40c8e6080c8255453f913377

SHA512
67112ab375f836e12af54062540d60737683e331d07fecb2f4e830ee005ac093169dccd1bf12f60e5ad5c52cca869950ae5f0ba5b01c007c47599329e0bd6842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\oankkpibpaokgecfckkdkgaoafllipag_1.1AB07E887ACCA305058EEAB9053C96DC531C2C5C067AB4F30AFA2B31F1EDD966

Filesize
22KB

MD5
025fe5bcab10e941f276145d9d00ec80

SHA1
ac4c2c93fe10274716ec5603452269a8b5b31f71

SHA256
1ab07e887acca305058eeab9053c96dc531c2c5c067ab4f30afa2b31f1edd966

SHA512
3785cfae9f9ad3ecbc40bfbf822cc371965723610af8c6965b8b0a1e3b4728e744a51678178b414329d4b46afa5d3557b44a8723a1d89b7499b09e8f28c8c535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\ohckeflnhegojcjlcpbfpciadgikcohk_1.95FD9D48E4FC245A3F3A99A3A16ECD1355050BA3F4AFC555F19A97C7F9B49677

Filesize
1KB

MD5
89fb6ce8c3a916d3d5a46bb06d99b190

SHA1
38a1828a642f128fcc644190dff9ba10a869db8f

SHA256
95fd9d48e4fc245a3f3a99a3a16ecd1355050ba3f4afc555f19a97c7f9b49677

SHA512
e5f2c9a4f07d5d683687da44711af5b102b478cb76d547b74672656a5283b9c8b4564ca8472255a803e22bf3bb00ff2b66b4bb0f2e8da1909d4082cb7ceeca9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\ojblfafjmiikbkepnnolpgbbhejhlcim_1.74CB8B03BCEB8B1A18E409F69977801D1488A02631DE7DF6B41D99335549BB81

Filesize
14.0MB

MD5
473a6a0d206f7834903e52b16b43bd45

SHA1
c2313b0f7e6a434912d8201443d2ccde2dcdfa37

SHA256
74cb8b03bceb8b1a18e409f69977801d1488a02631de7df6b41d99335549bb81

SHA512
165f9841ae276180c067b41a42e8ef99cbe86fcf8bea6683184a773fbfceba633f1be5c51748d1a9bbc6d3f62798015a11f5076b7a8477574cd71ab6b1b9a8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\omnckhpgfmaoelhddliebabpgblmmnjp_1.DD91C7C496E4D9E8DF5BEAA3D33D45F9EF196B4F888D0FAC50EAF08CAD6B29D7

Filesize
7KB

MD5
f924d186e0ab6bff22bfcdce152ad371

SHA1
603c7dda4af9bb7a7c5bd224814dc325fe140999

SHA256
dd91c7c496e4d9e8df5beaa3d33d45f9ef196b4f888d0fac50eaf08cad6b29d7

SHA512
f4d34d14027edd9c106d30ba07c842fdd85d00ba1b546065334b8d46563dd9dbbe73275edc10ff7ac8bbe2ea4b91c58270a71f92742d9e676f08b016e175e43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\pbdgbpmpeenomngainidcjmopnklimmf_1.B27BEC7581505715364F132DE1998818C82462DBF55A1F55F9B15E29E988D791

Filesize
45KB

MD5
dbd21f0a10f93049b085f37916973d80

SHA1
a19909d8fc8a24742358df62e16a736ff862c291

SHA256
b27bec7581505715364f132de1998818c82462dbf55a1f55f9b15e29e988d791

SHA512
00d7fd23a61e3c7f6b3238ecbd5a8e2670ef8983e5ee27c470644047a4406fe5c49be987a1205723002882dda6c5978a21f39e3c2b0e5b804fef8781f3b21183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\pdfjdcjjjegpclfiilihfkmdfndkneei_1.A3A37C49F6DEFB87760822D31C3F90D9D77D2E9C84D372A45E4E88878CC046DA

Filesize
6KB

MD5
635be48f979966a8f10efbdaefa09637

SHA1
dc0595977e0348c24a1e5d82db5eee90440cd0cc

SHA256
a3a37c49f6defb87760822d31c3f90d9d77d2e9c84d372a45e4e88878cc046da

SHA512
938f32cbaa0c00e72242795cbf5947385bc2c5225b67a6833844d9134a8bf0fc72b6ac8c7bf3734fa4f675702f3282c602b842d78d9a131976e611926ba4c2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\plbmmhnabegcabfbcejohgjpkamkddhn_1.1E1174204F8A0A13DE2E224A1BE882D2724A6FD13BA18A895FD5098FD5552460

Filesize
76KB

MD5
fe7c3b1644d11d2fe23b2dd3a0c402dd

SHA1
dbddd1d475fb110a51b96055ed9f2599e485875e

SHA256
1e1174204f8a0a13de2e224a1be882d2724a6fd13ba18a895fd5098fd5552460

SHA512
b4e24f593523985ed9c73a8895f12f66caaf48775300261b680a77b32903f1f59f22e6068e8371511d5a6e894506760c9852665199e2b9adca85570a39df7afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
1fba5bb18eb95ad462822230a7fbbcfb

SHA1
d5d2a296dc9f74195603f23979652c6a20894485

SHA256
30ba3e14c47bcf70cae703605dc219a3060d7d8f03009d21415e425f9eddc3a0

SHA512
20003606c0b3694af9135cca3ffb4ac97f4c263a40593e57312c8f8c47edad424042d8ca0e37c074048f5231783b2ea66ce57b0a6ff646ddddc014b89fe22e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9F6MUY9F\BatchIncrement[1].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
df29ba7b1454198b13bbc72b5286fb45

SHA1
8eed51cb57de36f1e8db248a31a86b7f67e6ba16

SHA256
207ed158a6c61ee12833d25b8fd2c367cc5c6a1d582187969293f1e583c64554

SHA512
29cfae910f9c8aabd860fdeeb69c3fa45969bff5fa2cdf10e3778ab1fb45b8f5dbfd77792172ff3e63107fbecaa8da4a8579c246bc813f382ad8f9486cfe5a72

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
aba87852c8c81303ae0f9aa46f2ca89c

SHA1
4fe92f0e7a93e3bcb14e5b09c18bcf9698f36b30

SHA256
05b4308087a85715b86d57bce6c86a760d4e8dbd7efd4c52122f1988f4db285c

SHA512
c777d3bd1aabef3f4c038e882034d015d704fa0ec60b8346e4e52a97913e8ce9675feb0e4ca940fa7eb42a92f910326c1eb0aec98157543fa04d03079eda5357

Download Submit
C:\Users\Admin\AppData\Local\Temp\18489b4d-c986-4aee-b50e-1fc953787464.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB816E00

Filesize
26KB

MD5
acad5401dd7a8db52c6533d54c03fcac

SHA1
d460c044e61abdb014dca438555c3b92707ab3ae

SHA256
06960f7f94ea648eb2e358de1eacf5cf191a094ffa1d4b3a9bea93e6801c35c1

SHA512
f897216977ebdafdd64f3f57b8c6dd6d2cced13c2a9968199e42ab9962e2732546c47ba4656620a8ea883258969957e71e17440ec94f46a851d83b5643b69704

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvalkx0y.ea4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5e5cf6e-3227-4244-8c1c-b4ade222e8b3.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc4ea7ea-7d21-48b1-8828-4dac9621697b.zip

Filesize
3.6MB

MD5
0c2056e942d8aa56e7114a5e23c093cd

SHA1
a66baa86567ea453085e35bcde945937fafcdbd6

SHA256
196d16674153ec9d78d103e120266e2ea2bd83c0769411e2bc5143eea8e62184

SHA512
5ea2ca961e2f9e21ed93b36f8656497c044c94d95db6edb71aacde7a6d867271c27a932374b55e2cf754856455a0b3d8ec4c5e459bf853a3bef295ea76b09987

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6308_1956589346\2c0b94a7-3307-4ac9-86ce-807516229608.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcuctcxrvazw.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1FB9A942-A6B5-452D-9239-0952F6D3B320}\ISRT.dll

Filesize
203KB

MD5
eddad4bc2b7e8c423deb9f2711fe653b

SHA1
7423ba67726bc90f96f42002c25f4a1f5334029b

SHA256
793b3384751f12793d24cf769438aaa7bec47a6b0f22397e8588e83cb8fe4b61

SHA512
3515a044950944f58e2989b32368749ffed52786dcaf03c10d49e96cbd0c13c6f9ac5bb1d136ebb0045801a7c10278ba91e945cf72a78c1c641149e9dc9e3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1FB9A942-A6B5-452D-9239-0952F6D3B320}\_isres.dll

Filesize
120KB

MD5
e54601d8a464a455de081d63d4b7927d

SHA1
0ff6da399c123394cca3b4cc64a41d8037787b73

SHA256
1e154a29673d129414ab56b995d04afcfa1a02af47dabaa28cd11c25f7d6026a

SHA512
5a213430fb8dc6a19c24122f8d9cd03479ee7ae421eac77d1026f16bf520a1f113d43380e2a60d5f0133e09aa7ad323a7ef9d1cccc3eea1e905f09701b118e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1FB9A942-A6B5-452D-9239-0952F6D3B320}\_isuser.dll

Filesize
164KB

MD5
ddc53065de22141017d5ea09b29130c3

SHA1
20e4f981bb432ffb51e76a4d70d943b20f3c3e6f

SHA256
fe0b9ec04b58a76afd6a3556cff1ee1876856f2e89b3b535cccbb9b5cb340848

SHA512
71a8e13e417952982abcf4c72bbdfe2dbff0193b46bcbbf944e74794c797e1db5bec65277b84bf6dad62e146258c1b7b58bd2e642b4f30c1d5467f518d3301b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\compatibility.ini

Filesize
198B

MD5
ce9ef13caa8a74c25157b184aa038475

SHA1
db03a9935d8bb3ce6b120aca98feade536805160

SHA256
252b7fff962848c61092e82a3d87adca163849767713a93ab533bb397f1f53bb

SHA512
0f6f5053e78167ef5cc5fa70ed3a87dd116df0671a590299277a197341bed983e3d77e37ad2c33cd4afe880fab9ed1c7f7502210040617a01f97a81c1e1d4f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
881f70a6c781ee4f94fc91a78847b468

SHA1
d712997f73b061853947bdefbf94f3856c600aaf

SHA256
7a4f7e6847d3f6ec4062b93ad5f93382df45a4e00d477d29c1aea36edf2255bd

SHA512
1a957f702f98917a5976b4c48d6d5c8531312c50f6c94b67fbac3e29b272fa9f811c58d04fda8e648d21d44bfbd433c3caa9f33877e1bd88872da0fd4cb5a6a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
dc7ba9123b2ace9a70c183c9cc8a07bd

SHA1
849fa0b2d4e5aa14391e8f64ec517cb3c788f399

SHA256
c35c127cf2b5224e9194ef358a3210ae957f8523c0ff6677f3a258558246131a

SHA512
42c921bf96112d62e9a0dda0c97caccb91b9535f36a16f599a1afafe4d67086169d32701c7710d26e4610fcfe1cdecb4c2502dabc517c8fdf547ed8c6566abed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
da71514fd2c3463de55a1899cd8d3ff1

SHA1
212d6b5be6b6719031ac9e7972fd827ce1a40d65

SHA256
e50bf3d07a8f2d849016fc084c34257331cce5f1f7d1cdd617a4b9c6f9a83201

SHA512
6c8b748c75d2486e52baceb114783e60328e44a516af6f213ff03265c26a6016b0e6ca86b57349f5bcae59e1baa2f872f2a7e4bbcf201da5fd5781be1976cf75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
dde4a5cfec081dc663349a2aaaa7a0c3

SHA1
8fb5fe7f4d8ab096b217bb781060d63b48ef15ef

SHA256
b87c1c910851b6d333b6688255bb30cfa05e0ba42da7da77f4836ffce56284e6

SHA512
5faf65fb3c2da9f22fd6a46ad8c434cce99325b022c5728b494a576298a63aed677ceb86a4ea7fe9101c189f27f5a3584acbade3bbbdfab848abd5d5945a0c98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
030c5ef3ebc8c6259e1d7dbef285b434

SHA1
16a888e3b63c55819c399ed871bfb30ed07c4b46

SHA256
994e0a99cc5f9ad38ec3af38e7e0b2066611052bf99455c0d567a721d8bd2d58

SHA512
45a73668072366f2e21c988173de524740238987bdd8755ce0c10977e44a8714664da9ecf855770fd10c4217e25822db9afbe8ad40596383c24056e5c4bf6bee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
fc535eb37fd0d5ec63294a9bb7ebcbdd

SHA1
d0b2a1ccad88ad021c1fb91012617ab67ad292aa

SHA256
33b8fd77ecf5cfdff3b4cddbf6369af3db4635e9e289c460d82760e0d21d997a

SHA512
af1d0778b85fd325daab78da220bf5b68cc039a7442e831bef217634a5c694f4d2a2caf4c56e564e5c81990f576274c795e21a5e31d4076f593fad421d0d148e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
ea6f7a40422e48e69f3e94c7743ebd5e

SHA1
ed85ba52ea408b8feba7e5b0fc9e150609c80610

SHA256
c4381045c7ba9a05f09c18f096ddb46758a04134d5a00c4934880158612c40d5

SHA512
6d15d1186445441601cbf30a564295ded3780f89118a109785c15c8316c261efcea9d1950d82cc3ecffacb0f39f28928d18b32a4cccc3d58004488f3d529cdfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\1136df73-9e58-4da3-8f30-29b775a264eb

Filesize
235B

MD5
56673d391f2689f5ea5192d1c1e6abc7

SHA1
cffd7b706db73d5ebfe96cf1ec67502ce8b1c445

SHA256
4bef241a54ef0362189af5ffb77687503d42ea29dc1236960277d166d38834fc

SHA512
32c95eb09195720976a4bffa55a3d2922925ab7b96645c2af5c6ee635d587144de439061ab48c6b2e878a8a66e505a9447df31b52872ed67e730f22fe40e1496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\33ace620-923d-49c5-be8f-0246f2e4c4ff

Filesize
235B

MD5
e031f192aea63cfad40efdd0d42384fe

SHA1
2a1bac3d6e5e226433cf167f9a8ea9d98af2d73e

SHA256
2532d2d65d66eefe7cfb5b3b1ebed78016df80b4058ddae52750916155f1799a

SHA512
9dcbe60bfd486604a11183e836f58feb7680b1b0f5bddc852998fc4a48ed2f5ff2188ac0b9801b0893e1a6aa028dab2fb1b5193c632611f899a6662466f8df9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\5e2c3f79-7970-4d16-95d1-0f3c91a0c9e1

Filesize
16KB

MD5
b3f4973511b7a09f77adcf1ee4e7145f

SHA1
79616b15aaa3af1e595d760d7b17f9e8c6cdb930

SHA256
b3d56def544e25e6a3adcb9a74fc80be895ac1bb3bb631c5610fc4d984f8668c

SHA512
0981dcc3e3f403e70290f5e76e0435f43d1516efe6dd97ff2de876a60d84ff1638af5be7c35bc5345663618b92344b2e0ab08ca93b0dfaf8206e28a5fafe8972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\7d9e1c2f-1408-4759-81ec-9d7d6d5b5d89

Filesize
886B

MD5
38af4f28a2cc21268c4da17e40eb1398

SHA1
5103026840fc33b1c7cf3b575e2332b61dfa3463

SHA256
5f1a3b674782502549c91683e3ce69a07b0d8882188918a1af4796832ad22844

SHA512
78fa81521b0be7d7eaebc05ed1f13de96d9183cd602abb476129175e3e3b2239dad7c56b5aed8914b056a95876f0444cfa08b184cb55551c644396938e2aada8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\91378969-cba0-4ba7-8a63-0a4e9203ba38

Filesize
2KB

MD5
fb2955b1143bd9211e47900ec43bda7a

SHA1
4fc3bc23e4021a765120f35f892f7500649fa9da

SHA256
d1741664a43118bb701ba88d7d2b9c6f7d60441e8ece546d267ccf3daafc82e3

SHA512
17513bdf62ef1d1b1f8935f02985626aecb21f7e07ac0828b740faf61fab093efd83c18c7e4f3b9c34effeed56f309528002f23f2fa88471ea52372c0f3a8939

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\d355f682-f18e-409d-bb0e-c64407e2d805

Filesize
883B

MD5
9e1471fb03128ac8186d2047730c63a1

SHA1
c1aa5af0424322704f72ed9c90ff98039595eab1

SHA256
0ad56e0c950f0536880a4b5ca72604422ebebe144667299a202a26c7219d9aee

SHA512
ef2dea1e00e4a8337565b8cf87dd0c57211ab2fe493d09ed0acd4e05af4d50ada4d68764c72fa238455dcd4837475ef6cfac122876a56071c7d2137b00e3425a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
6KB

MD5
b67c7d41fdbac3e521ddef8a12763d4e

SHA1
1637f0ddc427fabc5b77935b7328c0062c83fccb

SHA256
58d272334d4050ed3933c5a8e29dcb1042c54cc4da01af5094de17c1a03d33a5

SHA512
9b37b8f70571bd81972d33f2b92280ebe1a38e9f7491f25e0cb059ca49630fde06a6e0d6ff1ff622ad995e65ba129dfd9db0faa9ceb779f07efa775043fe56a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
11KB

MD5
423773d1e5cc1b563cb086bcde3a0cf4

SHA1
8cee7519641b00092567fce417670cb694439487

SHA256
b5a038d96ad7784970389bd9d47754fbf724a23c12471e46ae4d25595ae0a43b

SHA512
3df5f70a86383d9730f41fda1a06db3e4922549fe2dec9c0763de4a0d97329d43b936e5a0ce1b7b824c710189f0515fd53fa52281f8354289822e6690cbecff3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
7KB

MD5
28fb53d60df90ea100155ef7ebeca501

SHA1
9d7d9a99160fe2664edede8c56050e36834ace4c

SHA256
6661edb70bca7c59b3ce4952d37d086d3f50f761a305ab407e6a37aaa3df5828

SHA512
ca61b2cda240670e1512dadff852bdac7585b960a7d224f8e9b049de4c0f168c524a1c416ad904ac5447dc183e1a5b03cefbac1bc01286e737b8792969611bff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
3388a142b1baabad0e1c91bc1e5dd2e4

SHA1
4e9ade20693c8a9b43877c15d2c17032cc4cc356

SHA256
bb068a4ce0e45b0825bff98e097f55c7ed36c41d169dd939d49356b21d1e24e0

SHA512
b8906cf91b84248a2d4eeb6ea4aea4483562e36ff589da1e7305e928d7676f1e64a2f77b8549cd40d5ac653e490861c60e2f126e2dc211aab1531c7070eebda5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1cf7192e38674b064ef98c6308deca71

SHA1
697e3c4515e58ba30255250e178a00b085db272a

SHA256
d4488cbd44d3ca6624b9962752dc11379876cad2e626375807593b37ae71d41c

SHA512
8da737c482da04e1a925daf1fc243736bb699c59d21ccf754bfb46847f9ed7a48bf04e9c8cb78a17328ba67ed1b42c50a47c2185dd1fbcbec0a4baf90041c461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9f63ad955179cc277eedb425b049b22a

SHA1
171e9d8908a984ee552f8a9fdea83caab890e55c

SHA256
943fd9e58a7024aedfee85febfc1a32ef8f2ae0eda62e0b4f9ce1e51720d52a6

SHA512
61f78e1f3e55e476441010331e99f5657200d521d1ff17d4670f042be68a6b106f6e565c220bb36c27abd0ab9d5c8c04dcaf257e26f0b7fde143f0ec80fa4da8

Download Submit
C:\Users\Admin\Desktop\virussign.com_00b3c5c387437848a1bbb67c833a1d8b.vir.exe

Filesize
65KB

MD5
00b3c5c387437848a1bbb67c833a1d8b

SHA1
3db25d71315ea3566caf870023130497350626b5

SHA256
d2554e6d6614f552edb2b56bc751f1ab9193afd381cdce15cbaee4cdf48f9cb6

SHA512
442b168e5de5cdb9847ca5d1f3248a4b6c29bc1ace320236cdd92a3897f58e91f22355414319e2d8bc0fadecbd92b00f4d9a6436d1be533bf3e01fb8fb8d8457

Download Submit
C:\Users\Admin\Desktop\virussign.com_229e5ef8f13c10272d74c7e445a11240.exe

Filesize
8.5MB

MD5
229e5ef8f13c10272d74c7e445a11240

SHA1
272e2f25b3ec540b3f95de25d383256b818b4af4

SHA256
9aea5ade969eab776134383e912fd2036f5857bfa9e46938de18402064318203

SHA512
a7a66a68448302a21395bfae475b77cd5b7725a50b75da2531fdd05125c237106b98661961d27182287c0bfc4fd47cfb5a9951813c72fc516c772a054d5a467d

Download Submit
C:\Users\Admin\Desktop\virussign.com_3d62b9b3449c2bac91b8902ecb3d950c.vir.exe

Filesize
8.9MB

MD5
3d62b9b3449c2bac91b8902ecb3d950c

SHA1
79cb5e10753d25c43318821deab78418e7569ca7

SHA256
7ad36c77fa43f7aadea57ea2f3b6d4eb0f48a4b30ad9f2ebdbf489828d5d9b7a

SHA512
be35825b1c4c3b4529e0293f7ba5fcb849d7c39fe575076ef7385d45791007b742f03fa8eb0a1cc7549889166d4bb272580f97b5661ceee89e4412bcb3d697e1

Download Submit
C:\Users\Admin\Desktop\virussign.com_637d6e7d3a037c982eb59cff2785d091.vir.exe

Filesize
9.6MB

MD5
637d6e7d3a037c982eb59cff2785d091

SHA1
f0c4bb4e990afa940fe608aea8d1ce3c0f0ac2ca

SHA256
25978d120edc1f6989d4e7c88356af16a8f5b5760ed931be754fe6a21426d591

SHA512
ca98bc1fc24377e1fc68101782e506de8112b2ae03d711aa44a35faeea93398705f0887e6d3dc47d51a8c9bfd4ff29aa5cb2d656f648784aa2c2318abbca4432

Download Submit
C:\Users\Admin\Desktop\virussign.com_8a1754d1f5ef9b37e27a5106d310007f.vir.exe

Filesize
8.2MB

MD5
8a1754d1f5ef9b37e27a5106d310007f

SHA1
bfd7c126ec029446ca1ea03456d9e413222d8fcc

SHA256
8bd0e8081ba615b62548e3c086749fb2d2fc55f49a3bd0797f40ea755b7eec55

SHA512
97de0000bd8f94bd92596b8aeeff50beb5a58fd38593274cdebe249852735a0374500bc3f72a2aa31a82d5db07bdbfd49887b1eb44a589712e6a824f7a0db1d7

Download Submit
C:\Users\Admin\Desktop\virussign.com_d432499fd3e71fdd8db320f50be51497.vir.exe

Filesize
9.2MB

MD5
d432499fd3e71fdd8db320f50be51497

SHA1
401789ff3159e111437dd0c79d4d3d5ddf1959e3

SHA256
2b486f2af4963c1628b2526500d09bafde4422ab0ac66b3e73f06746763af9fb

SHA512
5d67a97599389a90b52c0fa6a4a31ca4eef9c737ffac5672194943e0522b8be64b48ec794cfc168df4f04ce9f3537e79adb263cd530be6712800e94bf1d83e45

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_01b4441471bb699b0d2affbba4e46341.vir

Filesize
1.6MB

MD5
01b4441471bb699b0d2affbba4e46341

SHA1
ad60ab6106316bb3629ce0e04c41ea3163ee9b2e

SHA256
f7ee40c160bf42909bc1e829f8925edb7947269a7892acd06a68161109c710a2

SHA512
58e436abe9a5ea2584b47a84c700459e97766b4d9ec6a75cdab43dc61beea236f49668fdf7d3a108e459b45a6b841212b0bb55df6166f7f1a27695c13d225428

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_02b7ef7995d9a50af14cab74e1d6cceb.vir

Filesize
468KB

MD5
02b7ef7995d9a50af14cab74e1d6cceb

SHA1
d10d780990ffbf738de141b3f484e6cf156ef615

SHA256
0925c920a22aac3461c896a145b594dc67a218e20b796694407beb17e98b0661

SHA512
efc9d626b16b658af05436fa6d8d6228ed39c3b8c4bd8e7333711b9fc7d6d58ff56bcac1e9545b529e462c0c3947820e86f2420356e4d72ef60676202d128ee5

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_064acffbc16ec8d3e316910b67acde97.vir

Filesize
83KB

MD5
064acffbc16ec8d3e316910b67acde97

SHA1
db2ede2c449c281e71b80071999da7eba86be497

SHA256
22e7f2589f3b4fae67c10ab8528d345d6268722d693de57112b3857aa4f757a8

SHA512
b2a735349061bed2c29948dd0b24bd94302ba9c48b1ebbaa07a2d393601cf77a1658ae31fd4e139a4ced3478b28ad42733042e4431ab91c5c708ef0412b3bd85

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_0d71dbb056154917eb1a9f015820dfe1.vir

Filesize
456KB

MD5
0d71dbb056154917eb1a9f015820dfe1

SHA1
6454dae78a1e886e342c19421accd27a414ed299

SHA256
16186d361af8a3082d643bea0fe58c3479403fd9fccc5ae40d22cde11375dfac

SHA512
053422ca8edce2daafec32eeabab9b5aaf1edb59dae2a3c9f4fe47090ccfafa6282c33daec786eb1ffc8e9c6e322898078d91ecfc5f86d36c05537a932dd0f20

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_14344345e963ca31b25a90fc4c791998.vir

Filesize
468KB

MD5
14344345e963ca31b25a90fc4c791998

SHA1
c022b2b3e9bc721019de11735960960875e66658

SHA256
9dd07caf700eb63645165260d7c3d04becd3ebf07845fa075889524bc276abd4

SHA512
d9bd45ea68e897446c87f61df476432e1d4b33f704cd898c5d278bbbc6a968a0217c6339caf944db5ff720300cec10bc18813959c9821002463f40d547634911

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_16a55213f5773e1445a817ec8247ca5e.vir

Filesize
203KB

MD5
16a55213f5773e1445a817ec8247ca5e

SHA1
1742d5fea82b33345180e92403ad5774698e166f

SHA256
feb9dca1ed3236a9be9efbfe127e47eeda262ccd04b42101fe254edbbe3c1ef4

SHA512
38afdea5b7dd8ec4e9500dd90ae2fd97d0952e217222f573fcc53f596e24ac54cc57594a9231298436615819d0477d6062017428b862d5f2f3f8d5649da3e894

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_197b167388cd6cd7a0dd5a6a05000891.vir

Filesize
468KB

MD5
197b167388cd6cd7a0dd5a6a05000891

SHA1
20db7e0db899ebbb337ad7bd4cbc81c5dcb146d0

SHA256
bcb2695f4977f5ec914c615c87e507364bcdaee2040c8bb9b34231e9537ca0d2

SHA512
862fa2ae7e0fa926ad0f75e4daa4f4bdd447fb8b37e83f110235654d929d4a2ca9d0c3d93961fcfcfc5cf5f8a59d06f26234ba0172db05049b3007e9e7ef72a0

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_1c8fee409707b6151212157ac5bf3796.vir

Filesize
49KB

MD5
1c8fee409707b6151212157ac5bf3796

SHA1
a2347cb4f26baee8931b07330db018568bb2f4e7

SHA256
eac6d60727cc08a6f0c0ca17ec5a3a33c09bb2c4e6ac38c371be7535b8c3fb87

SHA512
385ebb7f9620bfa77fafc360b933039cef5d1c023c08fd710040a4599011d3770d9be1eb96f1049a07c6c6f714bebdcfac35cfe1d66953c96b27da208036eee1

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_1effa9d9c5444e65ac25b4c764d537f4.vir

Filesize
468KB

MD5
1effa9d9c5444e65ac25b4c764d537f4

SHA1
80372419d3fcfb2d915d8ca97410468cec586026

SHA256
885881fd89c814b4299443bae61fb09f189d16cf92ae3446c261d6fa096d493e

SHA512
34025e8a1152e00b19d18f27c5400533b7a33c63c52607fa5badd41bfe103a83041049c68225a1b6d72f6e1ad12b4c23964af8f166651127c944526503650aec

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_20f60d614ca4c4ef154e738b01252fcb.vir

Filesize
468KB

MD5
20f60d614ca4c4ef154e738b01252fcb

SHA1
f1a0be7f1c8d970f3eb920d3a5f1a2e4193e2856

SHA256
9be355baeece253b5ea10097a725145cc48815f3512e3c830ee5fd35ba03b455

SHA512
45bc4a143fd540df72c56db0d0667aea46eef838129e9a87a971a12b0dbf0191c2c5def512c3b7f4a0b58723ced35fb4293e222a0f350488b86156f89cf73aa7

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_20f94937bafc470b63841f41ff9b145c.vir

Filesize
468KB

MD5
20f94937bafc470b63841f41ff9b145c

SHA1
cf648b97c8e6f7c1d7d26af5d5fe1ab562cbc63d

SHA256
5cd213b04c502141e654f6cffa8d874704a660cada017ca18a3ff2b0c8c7d18b

SHA512
3d7dc512bd0e9f2a8b07f34f1b2c8d96818dce7ee48b99d66848ab526a85d4804718fbdb2d744efac32b7dd22437775c564db06c361fd978c6e4fc144072fc1a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_24c4fa428285b2fec376b460c6b38b7f.vir

Filesize
468KB

MD5
24c4fa428285b2fec376b460c6b38b7f

SHA1
7d37b69bc39970f3ad5ca4255fb342968af4d246

SHA256
b385b372efa278e49efc44fe337cc0c7e9addee9f3e4709e4bccfb9c84aa12b1

SHA512
9649b02268505dfe37f11c7aa1ad54d2807d29dc06f315c7e9430e7b4a01b9db14516d66b640608259721d1a74926b68b14c8d62ed6c4ce6037d6fc90930753b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_266f2505859454ef0df9e3b9a9483896.vir

Filesize
468KB

MD5
266f2505859454ef0df9e3b9a9483896

SHA1
aaa51808fe725988041d36800e3212a6b133e714

SHA256
f96bee5d403f2b135c6a6dea9254e979109fe08b2728ee4bbae6a58267d0ff3d

SHA512
823ed9a58f12377338d5038a665221b30c98269aac7203001397269d057db2a503df8458c0102ced9be1b8dc8238ef43740dd406f5692868c236b81510769310

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_272894a28db20cb5e77c3e63680534c3.vir

Filesize
468KB

MD5
272894a28db20cb5e77c3e63680534c3

SHA1
2e53c1379a2ae40365106aa9b7d29051581b2ba7

SHA256
a9177d7c46fb4cc2b1c5c95eef476ab0c6f1a28b560caa7d3da7bae24bf166f7

SHA512
418eef07b19a8d20fc7f01b4db60a164729daf15d2409031fd669a20c57c8f8cc208da4878ad01005304925afe7027c8184a59840984beaf9b0ad364b5762a84

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_28448cfbe9e78b07d6a2332b9b9fd119.vir

Filesize
468KB

MD5
28448cfbe9e78b07d6a2332b9b9fd119

SHA1
26a845c48648e0cf1c1a78d33ab703ddf2b6b956

SHA256
a110dd9533a2701ea81b5831cf5de72fa0e447e8c7cbfe7c0420a3d3df8cd1bb

SHA512
6df3e5e49c4af2755643fecb9d82c04aecb0c307439f4fefac1a01d8f2fd1ef572cee9e3103fa8576be518d9f71bf2b1225a01ad09ee5ab15de21c06d7653423

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_294ac191a10019f1d4c88f04ce715d38.vir

Filesize
468KB

MD5
294ac191a10019f1d4c88f04ce715d38

SHA1
4c15413ed4f68af0ffd0f5f128502b67bb125113

SHA256
d5483751254561102e8f782864cf313306561cad04055849a4b159c16de6dea8

SHA512
81613d889e908bf6fdc94adb297044a74498fa212e2e843b2ad955a88f932768caf9677051a843f23bdb1a4c9ffd3cd472289b613c41e3e8c988209ef9b4c85f

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_2bc844d40bd4c6bd5b21844750e038e9.vir

Filesize
468KB

MD5
2bc844d40bd4c6bd5b21844750e038e9

SHA1
909b28c0f5af9d74957f0a5b8f2c5d90a0fb6b01

SHA256
a92acf5497c7b10e78255b4cedc03dd6de92526e74d35588c26c809fd67142f5

SHA512
698af2dd94a0257380a6b5328ab5ca5a0437911f85fad73769f04ee43151a9311f15ae2c9ae94631d75ff983447b8206b66f51705b73ce6b5c7b315aa3aa166b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_2c8b50ffd93ac79e714759383bd9ff72.vir

Filesize
468KB

MD5
2c8b50ffd93ac79e714759383bd9ff72

SHA1
c8f1401b2e7a30bfcc0b9cd94bac647b3929b598

SHA256
b4c0fb425b9ab33ba77d3fcbea28b24ba58528a83f0b37637a5d6d573458d45c

SHA512
9d99d0c80ec6dbb279c39300ca2741acb7a33d6ff2b4a259c649682b13698f3a95769c12d122e655f74f9d96713f00e4b92a55b9011686f4847fb02305d87828

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_2d6659e1984a9cb5f7f23e849b1a6a22.vir

Filesize
143KB

MD5
2d6659e1984a9cb5f7f23e849b1a6a22

SHA1
8ef0284277e412865bcaa692342cf7e82ee8236b

SHA256
aa2eccafb9223da992ad76088e3c9a507e034bee992320a80f42629722c20746

SHA512
715610f7b57a203b2b8f2a7ad456829a8a0192d345e33db52d51f573cc0478fcfe6d0f29dc3b91f206bd72efd768e5853fb72b014f14d62b87def83d99606351

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_2e19217839437a71a5843e365e6e440a.vir

Filesize
468KB

MD5
2e19217839437a71a5843e365e6e440a

SHA1
c9240bd9e797f711d6475c65f6f2a6b7221a8590

SHA256
7fef34bf83bbc219a62efb3118025dd173130be5c1a9cfef0cf0a2dd4d724011

SHA512
715304bb93e9fcdecb272cb5e2e6ca8c0e584a387f6b3ce1212e0d92b421433f29503fd84231fd634bf59110eb870d7d3fffac9914de731ebd4f7def36e7691f

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_2ef7fb661b16ec16e73e2056969ce879.vir

Filesize
468KB

MD5
2ef7fb661b16ec16e73e2056969ce879

SHA1
2003f8b1d47a9356c7eca107881e1afd8b936ee5

SHA256
dd9e4254221c367811985204644479e85fd224e38bd809d21474510009428fd9

SHA512
ccded0ab9f125a25dc27f0c82054d7c20364f47fef3d45787ba7bb6796e869e3cb6b94553e7a9b938c2c81389bcb4ce40584a7e2086a9ac5b3d50e43e77c7b16

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_3a89aa713068c01a83d4745524ea7ba6.vir

Filesize
211KB

MD5
3a89aa713068c01a83d4745524ea7ba6

SHA1
83e630e6e31bf84d4f45761db0483b9e37a50b79

SHA256
4d8e6d39cb49deb11272c864861d4d1906fad5dcca283c4e7a1d65cf52ddf831

SHA512
9679b03f3f075e834af94f2e615cdc2f5f09e393488a4b1f2f9d3f6fcd237b532df1869f10186e1ca24e8cb9151e72f868cdd16c875103efdd2930dc1676779b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_3aaee0debe6dc34adb5d4c4d64e15ff7.vir

Filesize
468KB

MD5
3aaee0debe6dc34adb5d4c4d64e15ff7

SHA1
1fb524e0af47cb4dc8fcc803ba7ac05db32d758c

SHA256
276c7b9a30638a35b04eed09c19e4dfec74c5e348a92fe25087614cae15ff4a6

SHA512
a26497195eb2c584fb8af8790b1c540b339560b4ba874ca27db680ac525a69dd22df6fa67210782504156dfa291cf9b805cd0a0cb878073d8603ae1b8d1bcca6

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_3beb2909a7369e8edebb432fa1400874.vir

Filesize
468KB

MD5
3beb2909a7369e8edebb432fa1400874

SHA1
b6256edfe36dc73daa77cfc203ad51b0ad57d08d

SHA256
8b3ed7577ad3575edbfc785798aebc2616433007042ef849c05f4d8e72fc8f49

SHA512
ae9539397f554f531c6e69c823111d7e0afe0c58888ae3353380e0841d18f7df3bde5ef7c1da447f905b75cfd63233192e8c9f3f8aa9a303a9dba47b34d24657

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_3e0fcd8218fff9cf2b6c8b5c1b4c3a90.vir

Filesize
468KB

MD5
3e0fcd8218fff9cf2b6c8b5c1b4c3a90

SHA1
21a7fecd084870ea0f1ae36d7bc40ad6a8c286e0

SHA256
9bab6cf28c74a8a21b2c1d657aa89b39f5ac7b4adde1941643bdc45b3df2c99c

SHA512
5812669ec60081dbd493266f99b3fc03344494c5071fa8292e671c4e2191639201722d71cb03029dc3fb200fee0e4e26c7ebd9963386658501d5252e5f246a29

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_42f21c7047e0a2a3cd94d90671a7d724.vir

Filesize
468KB

MD5
42f21c7047e0a2a3cd94d90671a7d724

SHA1
8ee1bb68d5ebda0da80ed191fb7e7c4f2658b6f4

SHA256
bafa24fddab623bd60415c60679032cc6964d5bf67077824e4547bf721eaf272

SHA512
938ded43924ea9e81ea2e0bf9bd26e2211e8e33684c2ac2c5b87eca31cdb1d35ba47cb61f149d455b9788d5d95869f81dc786ba6dd6f6251da612133d7ae78cd

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_448e5648ea1a9e06bb8b2b7befdb1914.vir

Filesize
468KB

MD5
448e5648ea1a9e06bb8b2b7befdb1914

SHA1
20d29cd00a4b5214b62b29829fde0602fb43e136

SHA256
d3bad76c5ced3dcb8ad4d45d93ce1035171e5ada132e78bc45feef4c5dbbaf92

SHA512
cf00a0d6b7752ed02379feba13160d1cd97a83eb35b02a398d4b7fa3089f195157577293ba4bb3e0ab61f21f92ebae5e1c484b4a516804b5f83ed803c557f089

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_458f8ff92d290f473adf896beb56387a.vir

Filesize
454KB

MD5
458f8ff92d290f473adf896beb56387a

SHA1
47552be5df245d2a877e249f0ad73e2f12e05694

SHA256
a3af81a5811414aedc96b93f4a61fac1aa7fae627e4ffae21e58ecac5ba87b43

SHA512
67be2ad9ed4dca4fe829874a076bc6f10f87c4b15b6d1686f734edf4dacc83bdb96fd7401f9a3618af9582588188454d7466a1cc5fcc88fd4b94514719e2e00b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_51da0c58da391c4864f29796725fee37.vir

Filesize
468KB

MD5
51da0c58da391c4864f29796725fee37

SHA1
efab4240f2c8a7dfd481be9d4bebe9660a4dce74

SHA256
a84570a39e5a5f87b7f0bab2273c0af16f8c6791d76aced39fa7cb7f5e4f10d3

SHA512
c17e647df62300b33d695c62bea78a0c0bf66d6e44c5f3305ec147335aa67dec7fd36c65662be52b78408b796c7fbe083a30a72f7dd05ddaa4bffab7d64e5eb9

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_537cf2d00d4b3090406e3bae9c03e94c.vir

Filesize
468KB

MD5
537cf2d00d4b3090406e3bae9c03e94c

SHA1
49a2b83654d9f35e170206657ac8dc713fd61295

SHA256
1c84e527a98d5af21f78277ff550d1dd83924e5ac639c534ccb6c4d2f0f2d753

SHA512
dd49c02b13238e6ccd69dec9259a6249624cf8990dac911c8ff2a0e581cbd3098c0897e25c56044ef333eb7e567c52b37dcabae81d3d692fa81d3cd41b33e1ca

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_53832526856535cab9d318dedde88a25.vir

Filesize
468KB

MD5
53832526856535cab9d318dedde88a25

SHA1
94b7bb016591662a6185ab0124d47f3b55573c22

SHA256
aefaec8de50b88ead7c0085299b8f41046755deec969650bc06b0e42781093ea

SHA512
d7a13f54011859a06a3cb06d1995ce402955636bad048d72e563853a900188896f601906b1165954fbfac48ad5b9fe98ddcaead70fcfeb8fd584beb5670aede5

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_5737e79aa4b73e60771bfdf8aa0d0d79.vir

Filesize
468KB

MD5
5737e79aa4b73e60771bfdf8aa0d0d79

SHA1
804df983142ed36f5c50d0901a3364e13bd8dde8

SHA256
a0c7b10dd97333b992e4add06d296731c4a48d9682619cda66d270741b7dc582

SHA512
d60f8b7a417d446040586c95202ea750d5049cfb80aa698cfd3741ff66d40089fc938b432bee9ca05d5b33d43e6009a12f9ebf8f69986e9b263d45036d85bf25

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_58f10b4d71f834fb5cbcd013337845d9.vir

Filesize
468KB

MD5
58f10b4d71f834fb5cbcd013337845d9

SHA1
271dc51a816da4d848dee740393089885d036b87

SHA256
86a03c0156505b89dba7c36a96e429d84ffbb6edf84ed0cb6b7f0ff6c3451fa2

SHA512
214c59697dda8eab6e214ea8433d44efc67ffba65f17dbc61634c2cbb442fe2c6937e9a1fb1643c9d99a82530dff5b2d430fa2d7ca963985d9357a39e8961adf

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_5c99ec4a77fd55d4d61f7697344b4498.vir

Filesize
299KB

MD5
5c99ec4a77fd55d4d61f7697344b4498

SHA1
b0c997fd647906b54f846b20be729656d1a015fd

SHA256
aa558df6fe91f09b93fcc5dbcba26f145448cb430dc684b6ba0aed2cfd40d342

SHA512
5918d488e951dfdbc3d686b3dd76ac72e8fed197c57a2c092d9a0b3a28040f9740444c614b4efa91a979325476a03ca757ef066d3fa86538d91965e6b080f9e7

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_5eded15e58a18a624e0f95e23cb276d7.vir

Filesize
468KB

MD5
5eded15e58a18a624e0f95e23cb276d7

SHA1
209b2111d02dd46e2d58663506881a91c54de59a

SHA256
d1df7a82cca6c3ee7afbd330f5443537bd45f5af112c4b7fcbd834096d4f60d6

SHA512
88bf8d34022a8559f8e49172518d7ffdd258cce8ccb2c762ef3cd2aabc22213d327bc42205c5dd0f14dc8afd4d9bb928a7f4cd6ab26ec775d647a4ad08072b2e

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_5f63cceaa9b2dfb0147c3887daf8a403.vir

Filesize
468KB

MD5
5f63cceaa9b2dfb0147c3887daf8a403

SHA1
b0840df81888ee7b606a4d34bcb55198955eee3a

SHA256
b215d58778390968fa5434ee1d66a35d78cd787e5a13ed4b8ea9b2fdd955831d

SHA512
d1440c9c3af9dd4f09dbab23ed177941c478163e3abc14a248564e40c14b063c7e72cf6578f1eb5a18fb422c96542670f463d5e6e84571f39c17dc6aa8000af9

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_60a764cdc26855fddbca107722474231.vir

Filesize
468KB

MD5
60a764cdc26855fddbca107722474231

SHA1
0466602167b393706baaf71dad9a8445f1eeefaa

SHA256
e46a8a6382beeb442b86f6eff74228f3f3aa13d76c9e02fd9e0c27d5934f7f7e

SHA512
9326cce2c47c21bd19cd9a09f3e205ed6f6c8665c362ae56d542e6dd41888f7d780ffb253e60dbed6af5247007f442527e77985344419e1388591503278852b0

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_62af4a6e05d61e990f903b9414915420.vir

Filesize
468KB

MD5
62af4a6e05d61e990f903b9414915420

SHA1
95c6ac5555e2be2cf6852e85a5a7b6772ef2b6b8

SHA256
708bb2138f465d10467240cf44b3099b4ab96872d45a59d362f8b81544c99952

SHA512
ed51b0571357d93d3f4692e0529ad2ba341b85ee4db4872034bd8aa8269236a0fffbf9a2005abfa86ad56665cf0651836aed337fae1c9f39ad8ec81e9c0ac083

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_65c9b9560d28f796a3d1a4e9e099079b.vir

Filesize
468KB

MD5
65c9b9560d28f796a3d1a4e9e099079b

SHA1
e0151b6f30b7cf0a25ce34d29b7f7779c1025424

SHA256
b63b0b9792976f874d7bfa91e6857f145338370ed6f22be3e5348c2277925a02

SHA512
738aeb442bab4d672febab6b37a5de98ee43eb6698cbd5a4eb8ca9f8af6ede547e30251571c5dcbec4e5dbac1fe6154b583cd02ef633f0d63864583083a08d74

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_66a15fdb58d35ec6f65fa7a741ae8ccc.vir

Filesize
655KB

MD5
66a15fdb58d35ec6f65fa7a741ae8ccc

SHA1
4faf544689bc38c24c62b1aae0147a2ecaef7a06

SHA256
17cfe533bd1e92d728c00cc74c436112a909f55e79d469eb5be9d4d49d3e4293

SHA512
d0a38b5edd0f173f5d2f61d2f92a1a139a84d8a5c35bb1c1eb90d6efcc5fc12891fc02eb1f10dbc096ad654811125e2e1360d79ec1eab1f99dc42c311fb78b1e

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_68521301ca5ba89f0b00952ea83110c5.vir

Filesize
468KB

MD5
68521301ca5ba89f0b00952ea83110c5

SHA1
44602c2e8f0207a975726825a8c6324b90edfba2

SHA256
a1ab4d4efd48ebdc0f70900bea5e42316ff463142e4b10480c061accc7f479f9

SHA512
5b25812a1767bb8714dd6488f3f0a6c18c41c741a5cf2450ff7956314b47b9ec14db964f7f8864c03b61fbcd5878acfd02cde524558db4d2e21f6b0220974811

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_688b0124139f7dab51e422fc0c22094a.vir

Filesize
468KB

MD5
688b0124139f7dab51e422fc0c22094a

SHA1
4c9aecb0a5be343447bdd8be10907990e5b697a7

SHA256
0a6e535a80861eacd093536dbb396ee74b439b331a7e3fdb655caef37783fdda

SHA512
be378bb287722464f8ab1682bec4815d7ed456744b456bbeb1c92659cd5fb75f0315d67ed4af588336b02e0b3d7f8beca87e25cc41a204b9e1941a6117aaff48

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_690cac1d7638a8bc22bd1724e9353bf4.vir

Filesize
468KB

MD5
690cac1d7638a8bc22bd1724e9353bf4

SHA1
71932e2a2610c9c5589da556c4b16a6d9eaa9580

SHA256
9b1abce1af81d470ecff495297b51772c855dcc1e4b22a18132577c8a7562c19

SHA512
98513e28b0f4f8e8c8448bb3860abb66edae79b5ff4dbcfe442815581fa32e1f66d3841014ea1bf2b3de9781d878e97ae05746858b8857033abf1a20eb1d46ff

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_6997bd4bb4078686ff9d22d8a11f5896.vir

Filesize
468KB

MD5
6997bd4bb4078686ff9d22d8a11f5896

SHA1
7017d3109e372e00c13f6d21522a75bd212eea2d

SHA256
9b32f5aff9832b3a943b712918bf83c449b1ea30f104f1368a9de2fd5c7e6949

SHA512
8628d212982a53e258320c99466d1b82c4cfa103af7bb628b3110cd4f641d0d77fd06ba6d9b54aa743635910cbd08a2c76caa398a9f6bc136dd67f0c794b725a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_6b726933d45283a4076a43d836ec9330.vir

Filesize
468KB

MD5
6b726933d45283a4076a43d836ec9330

SHA1
6d8b3f0b6e8ed8faab418eeafe2ed90194a30029

SHA256
2decd6fb935c60298e23c7dce04762217859f01c342b9045970baa30822f35e1

SHA512
8b70d32ab0c32f6d7cec68b026e4bf9b6926011728e4e32b03f9e1109fee87a69bf34b7cfb299377db7048bb9b23374e2f9ef8dc9e7a7c4a6621d7782e17229e

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_6d998976a469909106cc5bbcbf568487.vir

Filesize
468KB

MD5
6d998976a469909106cc5bbcbf568487

SHA1
6779b26fc8751d6aeed77c39535bee895cb5b2b9

SHA256
da14aa65823ebb4a77244615b639fb313729da2dddc64cf2fd98250f9adb28aa

SHA512
893a1e1d0113e80854b415359e5e9dac1ceb3cf25f3c0557f5f1d7acdb5f5b087e8eb7890cf23b497556a85e0fbd731d4472041efb09cc97ddc47e2ec0616364

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_7032e70a3580ef8ec35e7eee7e8c712f.vir

Filesize
468KB

MD5
7032e70a3580ef8ec35e7eee7e8c712f

SHA1
9e8e2515a9e5d5bb90696e0b8ea9654a5cc13c9b

SHA256
dafbc152d322f7a6144552f5dfc388cb53243e3ac5060d4bc6e174633ea9beef

SHA512
a835b0c130ae20caed4e3b41ff1ac36a29141d1004f18a6b958961a2bc4f2f2f35fd8e9433a4a40e15801d27d7d3788be15abdcf05808ff65a2298e11781dc5b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_71a96e4f2cf0100191fcdd3646ecc197.vir

Filesize
468KB

MD5
71a96e4f2cf0100191fcdd3646ecc197

SHA1
fa658f3f3bf49039ba42c4f8d587c09af8016258

SHA256
b04755e1f7479350602bb9fffeb602acee8ddd40fef500c003f09a59b247908b

SHA512
345dab66ecd08d4b0375f2cbfb01b2752ac574e074b6a363830950bc6945b07c1422c5d3b617e9a603e2abb021622ee5fd62d8317f52b6f5bad6fd1a0c015108

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_753c89639ba02f0bb201caf6dc1ea6f6.vir

Filesize
468KB

MD5
753c89639ba02f0bb201caf6dc1ea6f6

SHA1
4abeeedb40fccd6c8029fbe41428873f5d53f554

SHA256
f70c7c1edd3b839e338cb70364e41c3c2b4b3b085ed8148ff3f60d4c596b2830

SHA512
20d68af208e6feadb3b3763c854751af53e0023be1b1d43b8e776a76af44927614342ecf6eca97472a943b0bb7028fd11a1a2dc49fb11f0c9adb2747389c024c

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_77edfb67e9f2626f3bcc521da1add48e.vir

Filesize
468KB

MD5
77edfb67e9f2626f3bcc521da1add48e

SHA1
290ce63328e8c82f730ba3316aad37b57e46df8a

SHA256
bed046baa0142b060ffd0c142fa787de50751b051493b4ed4ead8c09eb878e20

SHA512
bce917e5d1bf9f6562b0487f7d98700186b176bf85cc5d27ed354d1f58f3e5ecd8c5cd97572397342c9dbd36880a7a088836752d441f55566cdb57d11fb1d90f

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_880cb4cd0a6fcfac5f9dd00d9079c08a.vir

Filesize
468KB

MD5
880cb4cd0a6fcfac5f9dd00d9079c08a

SHA1
8eaafbda8321f8aecb24583450731c513a7f628e

SHA256
80c0ce45ff02f644a012e79bc962d42eeaa66e07b1fdf6e52f95fcaed278443f

SHA512
227693db356aa82ff647178ad2df60e40148d0725f5d719c5b1aaab0313e0bf64b03a1608d575295ec824f6430dbb9a2ac928074df2d815df6f7d068f620166a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_893025b272d95f86e571f493fd9bdfac.vir

Filesize
468KB

MD5
893025b272d95f86e571f493fd9bdfac

SHA1
cd5944251c078794376a7bafce91f3353d569ce3

SHA256
a887f966dd56548676a90ffacaefd6c7c34b2503d630c0189d42e96451905781

SHA512
f6adb1f26fb7735e3643c05ac92d60f68e5ac98c9ebc5a56667a64e663948ffcb4374419d31530c4de5b815135f44968965e66cce2964cd1b6cb5339c20e19fe

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_8bcd77faa00ad74cce99372639e3be30.vir

Filesize
56KB

MD5
8bcd77faa00ad74cce99372639e3be30

SHA1
21fb9302f44c73b56c3a4abcfa94fd4a2d8d3904

SHA256
750ee9d2e624c74b91a0e20deb3d241c80d284befac6892860f8d180331f26a2

SHA512
2fdf4030813cf36b66734c6d520fed25c293f30e5e066f5c011a6f43be3773498638bf1a23e7ee341493e4952dd6f008cc8f34d9a2a0d7704dddf700940b3570

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_904e27b55fb2c3da1dbae793102623e4.vir

Filesize
468KB

MD5
904e27b55fb2c3da1dbae793102623e4

SHA1
e42de70621c5d0b478762e81e88d1b199e8db4b4

SHA256
de33d99d94338e350800b5bca4e10582fbc57a348c9edb1da382edfe1fbc73f4

SHA512
cf703d89edacf3f62a9dbce2666c5d8080a6ab32dff2c744fd3c218d34762f55f37eee6f7851d2edfbde038306f28d7122fd30c99d48a7e04679adb986e98c2f

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_944481233f06b4c269423ff1041981ad.vir

Filesize
468KB

MD5
944481233f06b4c269423ff1041981ad

SHA1
2c79caabab3d4640ae4084875a794e8d8fe36dc5

SHA256
449ff16fdc493c705fbcb9956886b24ddbe09c7c118a7876e93753298314f3d0

SHA512
50b2a8275a707ed09893e198e4440c9f491b93e31a68e56145a43aa17863626d37101bf6292ebd92a4affd02fe0c39582127584eebb6051ab0f20061dec92ea3

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_953a20d6dc0684a22c0a90c022423a56.vir

Filesize
468KB

MD5
953a20d6dc0684a22c0a90c022423a56

SHA1
c3acbdfa746c536567760d9bcf2379558f225773

SHA256
62f777a55b62605f94b769488fe8df162e3cb2cf5eae52f481641987939d6c48

SHA512
f18418608e33712b5c22307ba5f5cabc9fbe7d38461c2e94e372d4ee80ad8ff12a1900a244111ab8a20de02cd6ac5c0dc8980b12a856f2c5c8cace4ee33dc116

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_958137e15ddb683bdab8ef037d82db90.vir

Filesize
331KB

MD5
958137e15ddb683bdab8ef037d82db90

SHA1
0ae6dd802f6b7e43f069b94c3d3894f5f5d3896b

SHA256
a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420

SHA512
938fe091f9a99a6429b75a3dbab82d71a37cd38fe83c0985ec1fb8b09629c11652ac5be42c964197ba76e2f63cbe53f9d90b3ed45840135121656d7bf39468bf

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_9620c10bd9c2bcaa499e8e42bb6c488b.vir

Filesize
29KB

MD5
9620c10bd9c2bcaa499e8e42bb6c488b

SHA1
47b367312d49df6d9d61170c0ac8e641affd3824

SHA256
182b571433dbe70dd761d3f436ea5f877a00d1d21bd86ddfd440007a75e5a80d

SHA512
91fced3f4a4532ee7622d071c10b3b230c0bf6784beba08ce2065e375f3ce0fbe149bfa13a085485def28af1ecd81c22d849c219afbd588881404ea320d4f17c

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_999a2f1687a28a399f857de0d0d7b06d.vir

Filesize
468KB

MD5
999a2f1687a28a399f857de0d0d7b06d

SHA1
c2209df5716e9a3f73e14954658a87c85be80929

SHA256
6a478b2b169601ee13737908cf1b2baad382d81aff8e87ead4373317a405932c

SHA512
1becd20d8ad2274f23d763f83fa875890e9fa0cba059d023487435f3bdbfd97bd1ba76543fb553d95e1118ade458375ffd0f4642d6de46d8451839d9d51fcc46

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_9c3f853a6d75dc88d6172fbc50439338.vir

Filesize
468KB

MD5
9c3f853a6d75dc88d6172fbc50439338

SHA1
c180f570153d299a21d94fd5a00d4c2e570ac764

SHA256
febe46b8f273c68e46f7773104b26e6633c6d36707ec35b97abb5dd7b4fc0f4c

SHA512
4dd3a597e2e3a79eee4e1c16a68c8a4d0343cb06c58de58b4e5f4b8f875dd081d3c43298e4df466056edb9625d9c857d8de887fa5529120581a6be68d384891f

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_9cb202c3771bf9e62f1d902465e9cf77.vir

Filesize
468KB

MD5
9cb202c3771bf9e62f1d902465e9cf77

SHA1
fbfeb53a6049b761715f158994fdf79ecc5d745a

SHA256
15a586f8e97a7e720d5bb42c90fec025061fce00ed3e813eb5c571dc39f303eb

SHA512
da1bbb947fb584d59292b0a8069e1c5e3ad1aad4ee66974235c88b47aa462bcd16c1ac6285aedfde3b6e95c4c280e9996b9f05ede09ddb25fb7956d95623519a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_a1790f3ba75e23d8fc1498e1d474f4c1.vir

Filesize
1.0MB

MD5
a1790f3ba75e23d8fc1498e1d474f4c1

SHA1
407ee9bcde5a1e4344dfe0d3c8f1a1f0c6bad2aa

SHA256
1de37be13596f37386e4ea3591d92d87129ebd3402612cfb69fd2120b0eef1b1

SHA512
7030cd23d6dac8937b750a771e49932a31dfd8283d523105597edddc426670175ae2d60eeac1c4da8713c945b0bffaca567b0d6b5a966ce16a17d618bdddf123

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_a2bc7b4afc7e06f00487ba1b0aed8af9.vir

Filesize
468KB

MD5
a2bc7b4afc7e06f00487ba1b0aed8af9

SHA1
f7e705f4d0298bdaf706f97c24ea08ca4218a78e

SHA256
c416f6d4327f6bcf36834f57f15430893ea5f38e318064eb3e7a29c43c969fff

SHA512
0f68286706ebfc9b793b5cc856f47cd8e90465147c64dff34dd41c81986dc2fab8d23ddcf714cf406335a6cb8a355c448eaef492a1cfa06bc2e2fdfc3b6f23c8

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_a5d0613c659010a75c98d63840b14604.vir

Filesize
161KB

MD5
a5d0613c659010a75c98d63840b14604

SHA1
088c03c707b61e0ed4cc609dcc6fa8ad750d38db

SHA256
c9c017126a53b8e40b02509984e2956f9d2323b08d2f0f721168d68ed7659dee

SHA512
29f4ac2deb421a805312c14da763201b4e8e2803aa127a79b73313605ad36be4ab70f52239ae9fa184b4f6ce6ce294e7da8832a5b01c5381d616d4becd00f930

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_a69cd364155f2b0fcec0542c8fa730ac.vir

Filesize
468KB

MD5
a69cd364155f2b0fcec0542c8fa730ac

SHA1
dca12c386bca99382bc9790d2df844acc4b5852e

SHA256
2caebf36b3bae1d3789c126690330c5730a7756c4ee720d6ade11f23cc1ba572

SHA512
f63507ac9c79e6058ea9821391ee9165e4dc671dea07626b3ba45c7ef4e7f7f354cc612593b3064270d6d14a558a403fa83369eedfa27bd3b2fbad7f3736f1af

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_aa0c2dca879a22fa7d38fc194ff09845.vir

Filesize
468KB

MD5
aa0c2dca879a22fa7d38fc194ff09845

SHA1
b0d3856fb6dbb6513637c758d0ade56a559fd796

SHA256
840b6d17550782713f05c26777f9c3db719b57dddac5a3d537365d3c3ce08944

SHA512
c141b15d7f347ac9641e28ebe7de13ff981e17e886d4b5d99696715a4505cdf6984d4ecf1267a14ff826abf8eed8a7c25421b0c557c2b7b9c4b5300f5dbe8590

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_b0c02597499b40f5e75262360d3c6df4.vir

Filesize
468KB

MD5
b0c02597499b40f5e75262360d3c6df4

SHA1
092645ae1f71295dba1030907df0bd080dc590aa

SHA256
bba2ddb970f0aa5a3068af53be9adf4b1e63c64342926b90a2343a8059c1776d

SHA512
39d39ae61c847fb27e77d1e5895ea962956026c0286837e091787a3659e3d91f98d11d3f3987963c6d615cb035fa34882830cd22cf139c2e62e33cc43b006674

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_b5471fae4a2109ec548dc914c47e719d.vir

Filesize
468KB

MD5
b5471fae4a2109ec548dc914c47e719d

SHA1
1fa62311c0be09ece9a54a432849dd2d603d0ce1

SHA256
f474ca7042be83cde2b6883dd0d8d68bd34e1517bbcaaab4009f03dfe95f910f

SHA512
c2b25dcf4e1443ac60b334bf322bfe0a0281d58a265d1a4f945d3d34ce9ca72cdf890ce64a07d26b13dd69abb18fb6a35b7bf0ba9edc3593174926a6981a9447

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_b66b7b736b8b7ceea73de320d533d648.vir

Filesize
468KB

MD5
b66b7b736b8b7ceea73de320d533d648

SHA1
c8beb9e963b5f91b2d73853bd5c4f16ae94fd79d

SHA256
ae406e12ff698c8f3241eef37e7a3139874638cef08629f07062cb54a96b419a

SHA512
1052de0c927ee0b43c2998c221cbc146bca033b2c12cdc95403e5a0b4cb8a3c73ea8e66e494b8032ccaae9a654e9a3fcad31a9eab4baba90607659e30f700fd2

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_b75aa36b320af6537d387ddf20b8cd3c.vir

Filesize
468KB

MD5
b75aa36b320af6537d387ddf20b8cd3c

SHA1
8f6eb38156e99427a7b42177e636ef7a0b62e6f0

SHA256
80a5371bca749e39aa6bd471124073dde4cd464f8a0760f19895aeb736c6e05c

SHA512
3d0e992122f4287a7fd05e0e64036d0b90dc56e923e5d6b8e68bc29bc704a7c8f5c834b7ad199b7eb0126311ba6cbf20581b9937ae614c9148c9899ea29d2722

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_bce175ffd1a63e86d2817259865bf78e.vir

Filesize
65KB

MD5
bce175ffd1a63e86d2817259865bf78e

SHA1
8e3b8ee449e71cd5c683fff887bbcc29b0f60b5e

SHA256
a70c4138db03e13107876fa36409e31f836ef64217cd2866ba3ce92048283d76

SHA512
77a7e7a0dfc7fa70347570ea13f91aa77631d03334d4890e0aa8d4e2164596fd9ed3eda26b29883a44b683ddf0745a3f3fd47e29cceed401dd47d68a28c55787

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_bf65dcdcc320d1be890585e825b42008.vir

Filesize
468KB

MD5
bf65dcdcc320d1be890585e825b42008

SHA1
5cda86023bb73ef854c695ec18e041efd873e159

SHA256
caf77ab081cb780b532f4309e7634fc364a697c7f3a680c7bf00a9eb435958a8

SHA512
13780ebba0eae7b67cf0fae133ffe37d6f5f0db214a4abf44f742ee2f10ec1833a46f1b3bc23fc6f9e9e86713498ffa8088bb2251be9f705864cd15ff98035ec

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_c1df963aa7d60b7c6b909d3b8bd3423b.vir

Filesize
468KB

MD5
c1df963aa7d60b7c6b909d3b8bd3423b

SHA1
fc55f398ffaa6eca97f8d11bb27d05a8c7e5dcc8

SHA256
02c54730b3e957011a4cc9ce745ad52f8f17cfb027ae3ec4d38231b77e239d92

SHA512
4248ec974d008e7c1cf482ed904a1de5dd3af7eb42a0648554bbd7ee8747bee3bea89feca863fe5f42fa100bf40b25ead6e1edfe8dde76b34195a6d2c48867bf

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_c3eab826692745fedd0796c933de61db.vir

Filesize
468KB

MD5
c3eab826692745fedd0796c933de61db

SHA1
69c3b271ab98fbff522f5cc7107e2ecab93bfefc

SHA256
8e48eb59873b28340d69dc537d194e09a9b2019cf691a8cbdda873c42471de73

SHA512
c67d6b1891e1b2c7d2909e0fe44e03f684d67e54e66eb4189cebefd1aa63794c5351c53c2a8bc6caa58914514a6e60e2e57f974f8fce05d5aa9e962216687bde

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_c4d7332fc04651684c0107645eb5198f.vir

Filesize
468KB

MD5
c4d7332fc04651684c0107645eb5198f

SHA1
dd01ea60b6d3fc689d7d5eec3cb4277a75ede9fd

SHA256
f11949a16b71f67c513778dfb2f79e99f42dd002d852eb5368a26112da79a709

SHA512
03a63719cf70d4021a6a627733f0c407ec9440ed5a3ee73e36e84db941b1771f5787d9535e45ccea407d1eb04a82e64a31299be5b98f0ff3de2f069b701a947c

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_c5889cd82ad3e79f66d63e5383e1d5fc.vir

Filesize
468KB

MD5
c5889cd82ad3e79f66d63e5383e1d5fc

SHA1
cb6e2df705baafce55e0fed1e6f72bf085a6c8a1

SHA256
7be3cddb040f01efe768d87234b280f99067c8a490a4857abba2a7fdda5e73cd

SHA512
2ffd2217b5367c15d1db7cdf1e31a9f9bc27f653ecaef7206989c748f44e750c616355f9f7386b027c47514483e80d243d7adebbaa9a59f7d5bef537ebae4f38

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_c65099ad0a84235984c9db0115c62c71.vir

Filesize
468KB

MD5
c65099ad0a84235984c9db0115c62c71

SHA1
24c5b08db76662f0daf6d1fcf7b71fd17f37c123

SHA256
99b99712d45a3ee5904ff3cd2570b7cd74c7d94419501d774bf4a0f9299b78ed

SHA512
9db5d10f8a68ce58c912f294f82214d6c1cde020ef92138341a10889b27860f2b1fafc59b4840e16beb1113f58d6e075d3507a632b2ec4c1e595070ed68821d8

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_caa584aa3c344f6b1d355459688556d7.vir

Filesize
468KB

MD5
caa584aa3c344f6b1d355459688556d7

SHA1
3e2ec58b792334baa3c38907ea203a1bae460bc2

SHA256
f9558441c8d0928135b1318a36c0678a88c137084a32189a961e94e62a6dd267

SHA512
f58ab54b5121001fb1d6a69f5041f19a0c6077d097d7bdb8e8d186b34f22a58c79dc64c1c08c1882b8145c49a79c6e9bbc3f2df181ca3eca769661b0db7dbc5c

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_cb59dc9abab0c40adda516ec1d4e4f64.vir

Filesize
468KB

MD5
cb59dc9abab0c40adda516ec1d4e4f64

SHA1
9dc10fa136c7a3db1de1c873a63f984a95550425

SHA256
05d5cf9b9fdd698415995698c38ac1be46335ba4295f6c3e49e913c1c5d3d83f

SHA512
da01c104151ad5a80faad9f163073d676e1df08c523ad49e184054bad1191bcc208de02fbd6487c818139763d8764cb5b35be5fbfc430bbc136210011556dc29

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_cdcb29bcd7bead097bd378cefd7a3be1.vir

Filesize
468KB

MD5
cdcb29bcd7bead097bd378cefd7a3be1

SHA1
6f77e0a54d63a6c5c7880968292f75143b8d3796

SHA256
c0685e086a55077883d176d8e71cbfc6aa5af4d3dd825bc71f726d00b52e5f04

SHA512
97ee48a2e8eb7c98e2309ec74ec90d34ba38dba663c1774ee5ef75c61a3b751553054dc5f452d87378e891500b806ce980655f1e27f01b9ac3df6655a658aafa

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_d16cb23383a2042e236c034902d69401.vir

Filesize
468KB

MD5
d16cb23383a2042e236c034902d69401

SHA1
a6a7c2552808d64b7a0911a981ddb94c27bc77b0

SHA256
af05781bf3c30283671a7aa7d67d51bf3145de6a243b717fe275823b7ea83570

SHA512
1396d8ada37921ef45a3a5a5275339e6c91da68eba21a1930e26739b48730f4889b2da610db17350fc641604a9b808acf7e538e4cdac3e0111c3b6eb282a4104

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_d1bf9d5954b1d6256f41e47242cab25b.vir

Filesize
468KB

MD5
d1bf9d5954b1d6256f41e47242cab25b

SHA1
f32036ad5f2a0434e7d17f7d7518ab30f29d8d06

SHA256
c61c76e578ad24bc2c6042afe87f7744ffdafd0e6e368bc9748ce1646b571db9

SHA512
ff990f24df72f6a9c782f92b5f78b3cb506b027c08d3b60f86e7a0f592b0ffc835c88f90832fe8adeb9212fe9be896d0dd8d76d736852dbfc9a150164e25df62

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_d2dd229dd5ea4182e62fd93cf92258f4.vir

Filesize
55KB

MD5
d2dd229dd5ea4182e62fd93cf92258f4

SHA1
a79bdcc084ef8db418125d791db52e4c90289f21

SHA256
344fb15ee9a5b0d14ad9babfe6ba10876087e15db94207f89c27e039f7115bc6

SHA512
7d9c9050b51204809ad8555c568faef5bb35c9c6f32bbad4abdd04b936fb685de0cea2195dd903f34855a713dce10732773329441eb178c4eb7249f9fd336dd6

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_d311cd2dc88136d686ae85d15e6f4d40.vir

Filesize
1.4MB

MD5
d311cd2dc88136d686ae85d15e6f4d40

SHA1
aeda4456f4d386b32801a010ccec1bb3bb9c88eb

SHA256
a7dc4a66d1c1f4ae240c5b115750c264cde56a9a6e0e9b36c6445c118ca0b739

SHA512
d7571845e9d4a5f986cfe2ada6399f31ccae4d5d4836e51ca964026b7bfaeb1c287da9d050ea746cb9d0c54d419c3bfc453eae9bcaaf1c9a017ce6832943da12

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_d65083fa4e8f29a623aff2f9ab67a826.vir

Filesize
76KB

MD5
d65083fa4e8f29a623aff2f9ab67a826

SHA1
07704bb030b8e4479753a88ef54ea2422f88adb1

SHA256
8966a24afb889e1ba6b2515a48ff6825dea48bf1fdbe91e8159eab2184ff0039

SHA512
0d0fd4d1f140197e9220a45ec2958d77348fd072e28933b8246788818d2984089c9fb426d85eb8248879a150e414fbaa64a43dd37d1dbc3dad6af5a576c09f10

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_da933b03bc4e50ffb989f1400764c1e9.vir

Filesize
135KB

MD5
da933b03bc4e50ffb989f1400764c1e9

SHA1
49a55ff57eadab96f5c91774504e01ebf0311060

SHA256
e5e2c627c1ff36d0e569742c598023217a7112fa5b1a2f544e0f4dc393332bbe

SHA512
991784f1f5bc77c5e311e4a8a6283258c4aeb7e5fa222276b2962f24220ce14c0f6f5e228aa50345e6b1b130e9c51f5e3d9d5bab54b6df09469fbad44a338202

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_dea98ee4a6b1b3e08c9999801272d7fc.vir

Filesize
468KB

MD5
dea98ee4a6b1b3e08c9999801272d7fc

SHA1
50e37e071c01804960f517236543f591af862771

SHA256
05e0fbaca20538a405c362ccd1d8e589b7b5a3c312db304524652e65142b3aa8

SHA512
4c6d70258c0e9fc56b049123bbeb419e7a963df0607c0e57b9f4646e56a5e01e086c79725421535ba2939c7ed1787f4bfe6900250baf2f33916664cc9ac3d1c5

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_e3d7129e6bfb6ddffaf03b613e953c99.vir

Filesize
468KB

MD5
e3d7129e6bfb6ddffaf03b613e953c99

SHA1
5992c20f27c6ccc707d0e406bff01da43ac8f389

SHA256
644c220d2a66bce11326629b43c50bcfde80a4c69ebe2a5fe5f983215de3ccb5

SHA512
4a689b3fa48d9a36c0434285169bc086227644cda120ce1cd8cfa69d52bd51899641550a48d4af05f7c70c8c0ab55abdefe073b39c58d9d9ea1c04f62e4cefd4

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_e643f081178712d0b1f826d67a7a9972.vir

Filesize
468KB

MD5
e643f081178712d0b1f826d67a7a9972

SHA1
863224150a61f9af64d3cefdab51a554239e0f15

SHA256
4ce207766106e11664e31e7de30d1c12a946f8fea0692474dddfb8cb1f2ca0b1

SHA512
672b968e407fedb4f71e31fcc40000bdc81a2e6a567b9b97762405f75d3e2cf4d39abc6f681f3efffebabf37517a24cca3dd3c0d292935e47092e41f22602d4a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_ef84b95b74218457266d1bda7e4416c5.vir

Filesize
1.0MB

MD5
ef84b95b74218457266d1bda7e4416c5

SHA1
e224c8c34587c4c226f3fcd137aedc2671f9fe4e

SHA256
b72064863b1a09a129b8149b8cdfa4897344d70cdf6f29beb93ad36345e05f63

SHA512
300d11448693a9c8af58a79a4dc7a0d173301c5322c5a2174f3c9420e5b16a5bc8f7a6bc441d23782af5d61ca8d9fa2073c25a4490a52453cfd8e94bf713dfd1

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f00bd2f05bbdd1d44f515ea934431211.vir

Filesize
468KB

MD5
f00bd2f05bbdd1d44f515ea934431211

SHA1
1759f22332da9baab53471121e860113239e4c1a

SHA256
928527140c2d5af23f4c47ff7ac993efba82a8a87136ab5e9e784fcf51f205a4

SHA512
b3c8c5fc7681869abee476b72ba629c8a944929a986dec8c6c049eb07c52c15d682d86a32923f20896944d6f3bf5d62ec524ab6bcc52ecaa1b03a35faed739a2

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f03549f903d6a9df82fa81f0ae57be43.vir

Filesize
906KB

MD5
f03549f903d6a9df82fa81f0ae57be43

SHA1
685f5ca07bb7cf53a98bac801322174c6fb9a059

SHA256
0035140c5580be51b503e9fd7d14f7512deb4e5f6de263cd7c24cfa91129a0f1

SHA512
deded2f45b56ce4dbc3658d73e82d675ba20290f5d556d965ea648723f4f24aa719ffad8ee842ae9da4da9609d7d66b4e3221e0a102dfc94e01e81adc0051d9e

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f1d4599ddeed38505b55d63b4cb419f3.vir

Filesize
468KB

MD5
f1d4599ddeed38505b55d63b4cb419f3

SHA1
4b6951a591fd69efbe4f3be213754e73dd02c7f0

SHA256
16c4b696e171904ca1a47c4080c5c09f20f75cdc6a5b0fcb2a5923b3d8a25b37

SHA512
77ed2f06eaf644e249ceb303b2d54b01f947a31033745228bc97fe90d339464f6c7175ef9c6e05b90592637ec32a4054a0f81d9ef1be1f7bd1c35ddf716b8c8b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f347f3e9bc4322c254ae87cd48ff6a8e.vir

Filesize
468KB

MD5
f347f3e9bc4322c254ae87cd48ff6a8e

SHA1
06da170b7a7d421dfa3fa687b90e72257b43cd99

SHA256
50cc8ccb4f1d70e007e643324236ef605fa573da8e410d26fdfc7946b9646358

SHA512
91a4b69678c6cc071110005759d41cff2baa339da3eec536aee6f0acfb38400633e9f6db8c6e3433138c648f8a09a96b2baa2a2fb1ef7ae44691308f0063f10a

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f512a5177cf08536d0c6c0f672b963c6.vir

Filesize
468KB

MD5
f512a5177cf08536d0c6c0f672b963c6

SHA1
398c25bd8b3ad2761eaaa9c12d29d142b78d5152

SHA256
1b35aa9802c87554cb4791d1cda9f7b39037a3d61593f169f56ba94112534895

SHA512
3ac65eeda09ee1b1e3d3d6fa4877d9d051e5f3de0a7c0f4667d059eea7d58c2c5742eaf55b79f59b755a3e25cbfa8c188a0f89ff0d003bf8016456b7667c5569

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f5ccde2fa9593c72e64aa82bcbe06744.vir

Filesize
468KB

MD5
f5ccde2fa9593c72e64aa82bcbe06744

SHA1
8d5f510eb52fd9d372ae34373ccb37f31965a12e

SHA256
9acb144b379afbb544be85e7e15447700c572f8980ea9072b3da84d611e7b1cb

SHA512
5c4772761b1ba4656d0358d7cbe911fafe16d0fcb51202ef9cac148f7316d60a98b849daa949f82753bc8be44ca26e1d5fdcb3a489e45ee46cd94311529d5294

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f6f325ebcb3b7a90cc81b660d521470b.vir

Filesize
468KB

MD5
f6f325ebcb3b7a90cc81b660d521470b

SHA1
5656df0a2de860e4c33109674adb7cf4bd8fc002

SHA256
584b24e7dcd8ccef51df357fe0b79a5dd0f2f1b815b77d57a3b9fb65917159f9

SHA512
34d6e06ffc9a02f3e784d0828847805fcd93357ed561eae06068dc6b10483e2a5303329143861c1b0101ed965af67c1528e522b0dfd82efc263e85f96b65890e

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_f912770cc6add3a52ca66b1ffbe58310.vir

Filesize
468KB

MD5
f912770cc6add3a52ca66b1ffbe58310

SHA1
ece5d3173b869b6584f6302973f0da512fbf8c06

SHA256
81341971254f86a4a154999fb40ac126629cd57bbf158ccea69cbe4389626237

SHA512
ec8d96316d9999e4c6a0182291dbf792072da244a01db35d674d2e2d6262261524cd89faa855a11e5dde74084a25a1fb278ea44211f352c91e4c603bc5e07026

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_fa9f99148424f954dedfa61c208fc300.vir

Filesize
468KB

MD5
fa9f99148424f954dedfa61c208fc300

SHA1
732f1d8bd316776df00fd8b6e7d9b5b00b7b5e75

SHA256
5131698e8e0edcff3f0f1efc40ebbe62504304d8014191d9e363714d4a8517e9

SHA512
e48e47eb295ec65e411bbed8a09a36f40a8d96a81477718efccf1f9304020f815d34b5373aeb03677a5830d42b07692a171be44d4e1f95db07ab91bbe289d552

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_fb44b887c67d9628263fa9093ec26a69.vir

Filesize
7KB

MD5
fb44b887c67d9628263fa9093ec26a69

SHA1
ab95e789e3327ec0cbdc70ab8f5dddea8ec1ca03

SHA256
76e5cb3039b8efe7798fcf6f62e6a867a2cc9317c747dc4df1684c9affa05e57

SHA512
b0ca22ea03093ac504a01e99017aad3844a6cd0f270a1b4f0b5e4da445760ddd80c2a7e5660a53aa4b370201a2a521e80536b58bf1262e28042a523921e42435

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_fdae976aab1a53daf2fc31edfcf1bbe6.vir

Filesize
468KB

MD5
fdae976aab1a53daf2fc31edfcf1bbe6

SHA1
25cf817b534da11b13a8294150da821d13e5c066

SHA256
3cfeacefcbe65eb5bcc23c245a5a18718996ee63d0170833298d4b230ea18d92

SHA512
783ae7ed05c284a3a8f16ea5bd92b4e459288daa24c9345b56cfa6cd6ab378b8577f88a0c736eaaa72f832899a9a6ac1ea217f4afeb63b76cb67e4335d824f2b

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_fe5c2dec00f70b33bc0d48aa4db8e891.vir

Filesize
687KB

MD5
fe5c2dec00f70b33bc0d48aa4db8e891

SHA1
f4971ee225adea3333c1c3158acf707c9c1b35ea

SHA256
87179a7232db3e6bab43bf75150a76078d2e6b01075c3ae60a1c612aa3eaad5a

SHA512
464748ed4b97e52a4479a25f82b5581595060035080531a5956fed8ece78a80f866ca9f392c101f45abfc309b3999f3dbaa3c673b9d5dce7e175577a755630a6

Download Submit
C:\Users\Admin\Downloads\virussign\virussign.com_ffed9c429b175d1fbd17dc9fe3a46182.vir

Filesize
468KB

MD5
ffed9c429b175d1fbd17dc9fe3a46182

SHA1
358ca19c8512a49c00db30202e9bce40a64315f1

SHA256
94394016e9141cef968579bfed1e8c24aace7b6766144e83b817143b502a963d

SHA512
fdb8f29cbda79028d791832ab4aea793a09f58439fe737a1f926bf3976cd05fec399c0f039dea816993d2f416ba8c76fcbb6fb4bac4b2173d2c28dc2eaf107f7

Download Submit
C:\Windows\Installer\MSI9942.tmp

Filesize
52KB

MD5
4a908ee9c6f2f4aad63382cccee731e4

SHA1
e572580949f277987fe232757ce88c2ac35e0223

SHA256
459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

SHA512
75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
687d2e71ae83719d5e8beb7c07392569

SHA1
90da26f436079f844f18cbb1ec4763c1886d0ff5

SHA256
ede99b5eb4fe9189d3bc08ad8f8301afa5c87ec6d85e32b8ba287001815526d2

SHA512
d35e8e907b5dd36d6f61a2cf21d516bc4022b5a4627628e8e030418499374d419804b2dab6c5e11ba785cf7a25ee4053560c6bc92ea511c944dca80f3a2f65c9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\Temp\lvvrmxqkwnox.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/180-12057-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/180-12288-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/180-12036-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/180-12035-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/180-12034-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/636-12297-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/636-12340-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1580-10519-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2100-12006-0x0000000140000000-0x0000000140B86000-memory.dmp

Filesize
11.5MB

Download
memory/2100-12004-0x0000000140000000-0x0000000140B86000-memory.dmp

Filesize
11.5MB

Download
memory/2100-12001-0x0000000140000000-0x0000000140B86000-memory.dmp

Filesize
11.5MB

Download
memory/2100-12005-0x0000000140000000-0x0000000140B86000-memory.dmp

Filesize
11.5MB

Download
memory/2100-12002-0x0000000140000000-0x0000000140B86000-memory.dmp

Filesize
11.5MB

Download
memory/2544-12375-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2544-14170-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2604-14507-0x0000000006140000-0x000000000628E000-memory.dmp

Filesize
1.3MB

Download
memory/2604-14506-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/2604-14504-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2604-14505-0x0000000000400000-0x00000000010EC000-memory.dmp

Filesize
12.9MB

Download
memory/2604-14508-0x0000000006020000-0x0000000006034000-memory.dmp

Filesize
80KB

Download
memory/3532-11969-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3532-11968-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4172-12039-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4172-12043-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4172-12038-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4436-10568-0x0000017AEE280000-0x0000017AEE28A000-memory.dmp

Filesize
40KB

Download
memory/4436-10565-0x0000017AEE290000-0x0000017AEE2AA000-memory.dmp

Filesize
104KB

Download
memory/4436-10560-0x0000017AEE010000-0x0000017AEE02C000-memory.dmp

Filesize
112KB

Download
memory/4436-10563-0x0000017AEE250000-0x0000017AEE26C000-memory.dmp

Filesize
112KB

Download
memory/4436-10566-0x0000017AEE240000-0x0000017AEE248000-memory.dmp

Filesize
32KB

Download
memory/4436-10564-0x0000017AEE230000-0x0000017AEE23A000-memory.dmp

Filesize
40KB

Download
memory/4436-10561-0x0000017AEE030000-0x0000017AEE0E5000-memory.dmp

Filesize
724KB

Download
memory/4436-10567-0x0000017AEE270000-0x0000017AEE276000-memory.dmp

Filesize
24KB

Download
memory/4436-10562-0x0000017AEDCC0000-0x0000017AEDCCA000-memory.dmp

Filesize
40KB

Download
memory/4480-12009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-12013-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-12037-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-12296-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4516-11999-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4516-11998-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4516-12000-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4516-12003-0x00007FF6D1060000-0x00007FF6D1EB2000-memory.dmp

Filesize
14.3MB

Download
memory/4560-12399-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5108-10592-0x00007FF7FBC20000-0x00007FF7FBC33000-memory.dmp

Filesize
76KB

Download
memory/5148-12025-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5148-12014-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5232-10523-0x000001FB27CE0000-0x000001FB27D02000-memory.dmp

Filesize
136KB

Download
memory/5308-10539-0x00007FF63FE40000-0x00007FF6407D6000-memory.dmp

Filesize
9.6MB

Download
memory/5308-10522-0x00007FF63FE40000-0x00007FF6407D6000-memory.dmp

Filesize
9.6MB

Download
memory/5532-12400-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5764-12481-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6112-10603-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10601-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10616-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-11676-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10593-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10595-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10597-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10609-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10720-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-12008-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-11257-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10580-0x0000000000C70000-0x0000000000C90000-memory.dmp

Filesize
128KB

Download
memory/6112-11971-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10607-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-10605-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6112-11624-0x00007FF7F46E0000-0x00007FF7F4F20000-memory.dmp

Filesize
8.2MB

Download
memory/6232-12063-0x000000000D5A0000-0x000000000DB44000-memory.dmp

Filesize
5.6MB

Download
memory/6232-12064-0x000000000D0F0000-0x000000000D182000-memory.dmp

Filesize
584KB

Download
memory/6232-12058-0x0000000000020000-0x0000000000838000-memory.dmp

Filesize
8.1MB

Download
memory/6232-12061-0x00000000086B0000-0x00000000095AE000-memory.dmp

Filesize
15.0MB

Download
memory/6232-12062-0x000000000CC80000-0x000000000CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/6364-10579-0x00007FF771F70000-0x00007FF772906000-memory.dmp

Filesize
9.6MB

Download
memory/6364-10541-0x00007FF771F70000-0x00007FF772906000-memory.dmp

Filesize
9.6MB

Download
memory/6536-15148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6536-14333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6572-11156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6572-12029-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6572-11575-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6572-11157-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6572-11158-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/6748-10612-0x0000018EAE220000-0x0000018EAEAA6000-memory.dmp

Filesize
8.5MB

Download
memory/6748-10613-0x0000018EB0660000-0x0000018EB0672000-memory.dmp

Filesize
72KB

Download
memory/6748-10614-0x0000018EC9250000-0x0000018EC9464000-memory.dmp

Filesize
2.1MB

Download
memory/6748-10617-0x0000018ECDDD0000-0x0000018ECDE0C000-memory.dmp

Filesize
240KB

Download
memory/7128-10591-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/7128-10586-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/7128-10589-0x0000000000770000-0x000000000119D000-memory.dmp

Filesize
10.2MB

Download
memory/9928-16016-0x000002B36B620000-0x000002B36B6D5000-memory.dmp

Filesize
724KB

Download
memory/10008-16086-0x00000199BE090000-0x00000199BE145000-memory.dmp

Filesize
724KB

Download