hxxp://discord[.]com

Analysis

max time kernel
1860s
max time network
1821s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/05/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation = "0"	msiexec.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	RdrCEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	Discord.exe

Executes dropped EXE 51 IoCs

pid	Process
2836	DiscordSetup.exe
2972	Update.exe
4920	Discord.exe
1920	Discord.exe
4344	Update.exe
912	Discord.exe
480	Discord.exe
5452	Update.exe
5508	Discord.exe
5604	Discord.exe
5912	Discord.exe
6132	Discord.exe
5096	Discord.exe
1248	Discord.exe
5396	Discord.exe
1252	Update.exe
5760	Discord.exe
636	Discord.exe
4692	Discord.exe
5292	Discord.exe
5808	Discord.exe
1976	Discord.exe
4380	Discord.exe
7404	Update.exe
7472	Discord.exe
7572	Discord.exe
7796	Discord.exe
7928	Discord.exe
8032	Discord.exe
8108	Discord.exe
6200	Discord.exe
8700	Update.exe
9112	Discord.exe
8008	Discord.exe
8648	Discord.exe
7748	Discord.exe
8732	Discord.exe
7060	Discord.exe
7512	Discord.exe
8304	RdrServicesUpdater.exe
8292	AcroRd32.exe
7408	RdrCEF.exe
7952	RdrCEF.exe
7672	RdrCEF.exe
7512	RdrCEF.exe
6976	RdrCEF.exe
8880	RdrCEF.exe
9828	OneDriveSetup.exe
9988	OneDriveSetup.exe
9740	FileSyncConfig.exe
9520	OneDrive.exe

Loads dropped DLL 64 IoCs

pid	Process
4920	Discord.exe
1920	Discord.exe
912	Discord.exe
912	Discord.exe
912	Discord.exe
912	Discord.exe
912	Discord.exe
480	Discord.exe
5508	Discord.exe
5604	Discord.exe
5508	Discord.exe
5912	Discord.exe
5912	Discord.exe
5912	Discord.exe
5912	Discord.exe
5912	Discord.exe
6132	Discord.exe
5096	Discord.exe
5096	Discord.exe
5096	Discord.exe
1248	Discord.exe
5396	Discord.exe
5760	Discord.exe
636	Discord.exe
5760	Discord.exe
4692	Discord.exe
4692	Discord.exe
4692	Discord.exe
4692	Discord.exe
4692	Discord.exe
5292	Discord.exe
5808	Discord.exe
5808	Discord.exe
5808	Discord.exe
1976	Discord.exe
4380	Discord.exe
7472	Discord.exe
7572	Discord.exe
7472	Discord.exe
7796	Discord.exe
7796	Discord.exe
7796	Discord.exe
7796	Discord.exe
7796	Discord.exe
7928	Discord.exe
8032	Discord.exe
8032	Discord.exe
8032	Discord.exe
8108	Discord.exe
6200	Discord.exe
9112	Discord.exe
8008	Discord.exe
9112	Discord.exe
8648	Discord.exe
8648	Discord.exe
8648	Discord.exe
8648	Discord.exe
8648	Discord.exe
7748	Discord.exe
8732	Discord.exe
8732	Discord.exe
8732	Discord.exe
7060	Discord.exe
7512	Discord.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll"	MsiExec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	mstsc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
160	discord.com
277	discord.com
278	discord.com
279	discord.com
280	discord.com
1	discord.com
5	discord.com
159	discord.com
161	discord.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9CFC4AF7A1444901AF64FB9555F85FF6.dat	Narrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9CFC4AF7A1444901AF64FB9555F85FF6.dat	Narrator.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib110.dll	msiexec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_7D1EFDCB145E46C59F924F5FB4B7686B.dat	Narrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_7D1EFDCB145E46C59F924F5FB4B7686B.dat	Narrator.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\css\main-selector.css	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\root\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\warning_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\version.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\images\sat_logo.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\themes\dark\circle.cur	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\acrobat_parcel_generic_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\plugin.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_listview.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filterselected-dark-down_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_sendforsignature_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\zh-cn\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\sl-si\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\large_trefoil.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_sortedby_selected_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\images\themeless\custom_poster.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\css\main-selector.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\sv_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_da_135x40.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\sk-sk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_sortedby_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_folder-focus_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\css\main-selector.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\cross.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\js\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_folder-hover_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\SearchEmail2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\tr_get.svg	RdrServicesUpdater.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	msiexec.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	MixedRealityPortal.exe
File created	C:\Windows\Installer\e635087.HDR	msiexec.exe
File created	C:\Windows\Installer\e635093.HDR	msiexec.exe
File created	C:\Windows\Installer\e635095.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a5.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC58D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC59D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e63508e.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e635093.HDR	msiexec.exe
File created	C:\Windows\Installer\e63509c.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e6350a1.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9A9.tmp	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI535B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e63507d.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e635091.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a8.HDR	msiexec.exe
File created	C:\Windows\Installer\e635085.HDR	msiexec.exe
File created	C:\Windows\Installer\e635086.HDR	msiexec.exe
File created	C:\Windows\Installer\e63509b.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e63509c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI806F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e635096.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a3.HDR	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92AF.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\e635092.HDR	msiexec.exe
File created	C:\Windows\Installer\e635098.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a4.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a7.HDR	msiexec.exe
File created	C:\Windows\Installer\e635099.HDR	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI4E25.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI501D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e63507f.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9120.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e63507f.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e635085.HDR	msiexec.exe
File created	C:\Windows\Installer\e635088.HDR	msiexec.exe
File created	C:\Windows\Installer\e63508c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e6350a2.HDR	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e635080.HDR	msiexec.exe
File created	C:\Windows\Installer\e6350a2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC56C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e635097.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e635099.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e63509a.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E2D.tmp	msiexec.exe
File created	C:\Windows\Installer\e63507c.HDR	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	MixedRealityPortal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	MixedRealityPortal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	MixedRealityPortal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	MixedRealityPortal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	MixedRealityPortal.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	MixedRealityPortal.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe

Checks processor information in registry 2 TTPs 62 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSOUC.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MSOUC.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MSOUC.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSOUC.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 27 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	quickassist.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	quickassist.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	quickassist.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MSOUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MSOUC.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MSOUC.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422400131"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1180717176"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106427"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106427"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "422448717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106427"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71FEB416-116E-11EF-8E0F-6AE1EDD98849} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1184398656"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\DebugPlugin\Attributes	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\CurrentUserLexicon\AppLexicons	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Narrator\NoRoam\NarratorCursorMode = "2"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\NarratorMouseMode = "0"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\FastKeyEntryEnabled = "0"	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\Attributes\NoDelimiter	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French\PhoneMap = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\Attributes	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\CurrentUserLexicon\{D1915118-9D27-4C69-B82E-7955DAF57201}	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\Attributes	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lts\ = "SR en-US Lts Lexicon"	Narrator.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\SidThreshold = "6e-1"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\CurrentUserLexicon\CLSID = "{D1915118-9D27-4C69-B82E-7955DAF57201}"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French\ = "French Phone Converter"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\SharedPronunciation	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\409 = "Microsoft Speech HW Voice Activation - English (United States)"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\TouchVerified = "1"	Narrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Revision = "1"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\BackgroundMessageTimeout = "30000"	atbroker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Version = "11.0"	Narrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d00550053000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\InteractionTouch = "1"	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\TTS_MS_EN-US_DAVID_11.0"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\ = "Traditional Chinese Phone Converter"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\SpeechUXPlugin\ = "SpeechUXPlugin"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\Culture = "en-US"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_CURRENT_USER	Narrator.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601081526117819"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\NarratorCursorHighlight = "1"	atbroker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\narrator\ErrorNotificationType = "1"	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\VoicePath = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Name = "Microsoft David Mobile"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\PhoneConverters\\Tokens\\English"	Narrator.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	atbroker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\FEConfigDataFile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\SpeakingStyle = "Discrete;Continuous"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\PhoneMap = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal\Attributes	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\mpiOqzQ76AQ0oosbVfcq8le78MynY1E1DE-3TxmLfFQ\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\SpeechUXPlugin\Attributes	Narrator.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\Patches\Patches = 3600380041004200360037004300410037004400410037003000300030003000350032003000350043004100330031004100300045003400350036003000300000000000	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ = "IAcroAXDoc"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll, 102"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ = "ISyncEngineHoldFile"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\ProxyStubClsid32\ = "{12BA069D-0FC6-4577-97C6-5DF634CE6E84}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F77C747-A942-45B2-A812-097A1F5CFE6F}\NumMethods\ = "6"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\INTERFACE\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\protocol	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ = "IGetSpecialFolderInfoCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\mssharepointclient\shell	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Adobe\Acrobat\Exe\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\ = "UpToDateUnpinnedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\3"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\OOBERequestHandler.OOBERequestHandler\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\ = "IPDFShellInfo2"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2492	reg.exe
1188	reg.exe
2804	reg.exe
2040	reg.exe
5820	reg.exe
5268	reg.exe
2248	reg.exe
6052	reg.exe
6096	reg.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
7148	PaintStudio.View.exe
6324	EXCEL.EXE
2588	ONENOTE.EXE
7020	WINWORD.EXE
8248	vlc.exe
8580	OneDrive.exe
9520	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
4920	Discord.exe
2588	chrome.exe
2588	chrome.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5508	Discord.exe
5096	Discord.exe
5096	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5760	Discord.exe
5808	Discord.exe
5808	Discord.exe
6784	mspaint.exe
6784	mspaint.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
7196	narrator.exe
8248	vlc.exe
8296	Narrator.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
2972	Update.exe
5508	Discord.exe
3272	chrome.exe
3272	chrome.exe
1500	firefox.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
8248	vlc.exe
8248	vlc.exe
8580	OneDrive.exe
8580	OneDrive.exe
9236	mip.exe
8580	OneDrive.exe
8580	OneDrive.exe
9520	OneDrive.exe
9520	OneDrive.exe
9520	OneDrive.exe
9520	OneDrive.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe
9236	mip.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
452	MicrosoftEdge.exe
3460	MicrosoftEdgeCP.exe
2884	MicrosoftEdgeCP.exe
3460	MicrosoftEdgeCP.exe
688	MicrosoftEdgeCP.exe
812	MicrosoftEdge.exe
5868	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5868	MicrosoftEdgeCP.exe
812	MicrosoftEdge.exe
5820	MicrosoftEdgeCP.exe
812	MicrosoftEdge.exe
5904	MicrosoftEdgeCP.exe
6784	mspaint.exe
7148	PaintStudio.View.exe
7148	PaintStudio.View.exe
1500	firefox.exe
6628	Receiver.exe
6324	EXCEL.EXE
6324	EXCEL.EXE
6324	EXCEL.EXE
6324	EXCEL.EXE
6324	EXCEL.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
2588	ONENOTE.EXE
7368	POWERPNT.EXE
7368	POWERPNT.EXE
8716	SecHealthUI.exe
7020	WINWORD.EXE
7020	WINWORD.EXE
7020	WINWORD.EXE
7020	WINWORD.EXE
8172	iexplore.exe
8172	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
5300	MixedRealityPortal.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe
7196	narrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4128	3272	chrome.exe	72
PID 3272 wrote to memory of 4128	3272	chrome.exe	72
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 4684	3272	chrome.exe	74
PID 3272 wrote to memory of 1524	3272	chrome.exe	75
PID 3272 wrote to memory of 1524	3272	chrome.exe	75
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76
PID 3272 wrote to memory of 4796	3272	chrome.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://discord.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff8b9689758,0x7ff8b9689768,0x7ff8b9689778
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2680 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2700 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5404 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Users\Admin\Downloads\DiscordSetup.exe
  "C:\Users\Admin\Downloads\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2836
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2972
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --squirrel-install 1.0.9146
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4920
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9146 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x4e4,0x4e8,0x4ec,0x4e0,0x4f0,0x7ff6c4813108,0x7ff6c4813114,0x7ff6c4813120
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1920
    - - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        5⤵
        Executes dropped EXE
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2016 --field-trial-handle=2020,i,15788884887084678760,10100364802874675488,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:912
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2568 --field-trial-handle=2020,i,15788884887084678760,10100364802874675488,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:480
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2492
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry key
        
        PID:1188
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2248
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe\",-1" /f
        5⤵
        Modifies registry key
        
        PID:2804
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry key
        
        PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1368 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:1
  2⤵
  PID:6296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4748 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5800 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1480 --field-trial-handle=1596,i,6708856207300665812,10339193515366653666,131072 /prefetch:8
  2⤵
  PID:6476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:1388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:5452
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5508
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9146 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x4b8,0x4bc,0x4c0,0x4b4,0x4c4,0x7ff6c4813108,0x7ff6c4813114,0x7ff6c4813120
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5604
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
    3⤵
    - Modifies registry key
    PID:5820
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1756 --field-trial-handle=1760,i,14682938005984368812,12074533903320900564,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5912
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
    3⤵
    - Modifies registry key
    PID:6052
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe\",-1" /f
    3⤵
    - Modifies registry key
    PID:6096
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=3168 --field-trial-handle=1760,i,14682938005984368812,12074533903320900564,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6132
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe\" --url -- \"%1\"" /f
    3⤵
    - Modifies registry key
    PID:5268
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3268 --field-trial-handle=1760,i,14682938005984368812,12074533903320900564,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5096
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3276 --field-trial-handle=1760,i,14682938005984368812,12074533903320900564,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1248
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=3868 --field-trial-handle=1760,i,14682938005984368812,12074533903320900564,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:1252
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9146 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x4c8,0x4cc,0x4d0,0x4c4,0x4d4,0x7ff6c4813108,0x7ff6c4813114,0x7ff6c4813120
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:636
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=2256,i,490215096143072723,12950609500124056417,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4692
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=1248 --field-trial-handle=2256,i,490215096143072723,12950609500124056417,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5292
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2984 --field-trial-handle=2256,i,490215096143072723,12950609500124056417,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5808
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2256,i,490215096143072723,12950609500124056417,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1976
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=3508 --field-trial-handle=2256,i,490215096143072723,12950609500124056417,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6660

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExportClear.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6784

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:7148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8b9689758,0x7ff8b9689768,0x7ff8b9689778
  2⤵
  PID:6252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3000
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.0.1423394704\2041715902" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1809c1a5-9001-4a2a-be32-304395e2e2e0} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 1796 2af501d4e58 gpu
    3⤵
    PID:1204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.1.593615533\88402854" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b07d0d4-8b69-4b94-b0a6-af5d596259ff} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2152 2af45072858 socket
    3⤵
    PID:6852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.2.1676381207\1796731870" -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 2852 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49a5b49b-92fa-4134-bed6-7f9ceb47c45a} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2720 2af54214558 tab
    3⤵
    PID:6672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.3.302707060\1075195553" -childID 2 -isForBrowser -prefsHandle 2700 -prefMapHandle 3452 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fef8244-0daa-4527-972e-cb5b81baf3f0} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 3204 2af45062b58 tab
    3⤵
    PID:6988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.4.1835711777\1814083606" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3680 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bcc8942-c99c-402f-aeac-d3e22d9e6431} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 3700 2af54437a58 tab
    3⤵
    PID:3188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.5.1260086419\1870783706" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4812 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07d51ca-91b4-4181-a3e9-cfa38355e78b} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 4824 2af54437158 tab
    3⤵
    PID:6212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.6.861370525\706339346" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b1cb805-7552-48d0-91a1-0403b5e3ba9c} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 4656 2af56e42b58 tab
    3⤵
    PID:6276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.7.1839269710\1435294521" -childID 6 -isForBrowser -prefsHandle 4756 -prefMapHandle 4740 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1cd7c26-9422-467a-aa68-91578b38afa9} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 5112 2af53177f58 tab
    3⤵
    PID:6248

C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe
"C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe" -ServerName:Microsoft.PPIProjection.AppXyc5005t48873jyf8bjkqmmpy1ga90a9q.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6628

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
PID:7180

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:7404
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:7472
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9146 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x4a8,0x4ac,0x4b0,0x42c,0x4b4,0x7ff6c4813108,0x7ff6c4813114,0x7ff6c4813120
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7572
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1780 --field-trial-handle=1784,i,4451643220861235452,13460642376211069990,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7796
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=2872 --field-trial-handle=1784,i,4451643220861235452,13460642376211069990,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7928
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3028 --field-trial-handle=1784,i,4451643220861235452,13460642376211069990,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8032
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1784,i,4451643220861235452,13460642376211069990,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8108
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=3676 --field-trial-handle=1784,i,4451643220861235452,13460642376211069990,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding
1⤵
PID:1156

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6324

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2588

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:8120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2544

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:7452

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:7456

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:7368

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8716

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:7020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:8172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8172 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8172 CREDAT:148482 /prefetch:2
  2⤵
  PID:1176

C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\MixedRealityPortal.exe
"C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\MixedRealityPortal.exe" -ServerName:App.AppXqzc0q994ba4dyfr1v6q634vrcqmmq29w.mca
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
PID:8712

C:\Windows\system32\narrator.exe
"C:\Windows\system32\narrator.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8
1⤵
PID:5620

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:8856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:6180

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:8700
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:9112
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9146 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x4a4,0x4a8,0x4ac,0x4a0,0x4b0,0x7ff6c4813108,0x7ff6c4813114,0x7ff6c4813120
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8008
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1756 --field-trial-handle=1760,i,11611417911169463713,11795119596838567121,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8648
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=2968 --field-trial-handle=1760,i,11611417911169463713,11795119596838567121,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7748
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3040 --field-trial-handle=1760,i,11611417911169463713,11795119596838567121,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8732
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1760,i,11611417911169463713,11795119596838567121,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7060
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --mojo-platform-channel-handle=2680 --field-trial-handle=1760,i,11611417911169463713,11795119596838567121,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7512

C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe" "C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE"
1⤵
PID:7544
- C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:7548

C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe" "C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE"
1⤵
PID:7748
- C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\MSOUC.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:8296

C:\Program Files\Java\jre-1.8\bin\javacpl.exe
"C:\Program Files\Java\jre-1.8\bin\javacpl.exe" -tab about
1⤵
PID:6420
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xbootclasspath/a:"C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" -Djava.locale.providers=HOST,JRE,SPI -Djdk.disableLastUsageTracking -Dsun.java2d.dpiaware=true -Duser.home="C:\Users\Admin" com.sun.deploy.panel.ControlPanel -tab about
  2⤵
  PID:1684
- - C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe" -getconfig=1
    3⤵
    PID:7376

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
PID:8068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:9084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Sets file execution options in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:6968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7229A9A58279F1E56090BC66F3DC213
  2⤵
  - Drops file in System32 directory
  PID:8828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 76117787D34391DDB9D73A9A1F6828C8 E Global\MSI0000
  2⤵
  - Sets file execution options in registry
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:8580
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20069 19.010.20069.0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:8304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:8292
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Executes dropped EXE
  PID:7408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3C2D08558B71CDF0EC59A7EA3CF6029F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3C2D08558B71CDF0EC59A7EA3CF6029F --renderer-client-id=2 --mojo-platform-channel-handle=1592 --allow-no-sandbox-job /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:7952
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0899836267B0916301C2043F35EA59F5 --mojo-platform-channel-handle=1600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:7672
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2C9608065BBAC607FA457C18FA1C398 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:7512
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58417DB01C35A851DD0825770C99B3D1 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:6976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F83866EE8C500A0CFEFB0F26923CDAC1 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:8880

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
1⤵
PID:6944

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:8248

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
PID:8580
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:9828
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Adds Run key to start application
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:9988
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      PID:9740
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Registers COM server for autorun
      Checks system information in the registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SendNotifyMessage
      PID:9520

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:8880

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:9364
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:9424
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:1
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    PID:10044
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:9432
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    PID:9480

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:10132

C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe
"C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe"
1⤵
- Suspicious use of SendNotifyMessage
PID:9236

C:\Windows\system32\mstsc.exe
"C:\Windows\system32\mstsc.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:9672

C:\Program Files\Windows NT\Accessories\wordpad.exe
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
1⤵
PID:6368

C:\Windows\system32\quickassist.exe
"C:\Windows\system32\quickassist.exe"
1⤵
- Enumerates system info in registry
PID:7584

C:\Windows\system32\psr.exe
"C:\Windows\system32\psr.exe"
1⤵
PID:2544

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
1⤵
PID:9836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:3920

C:\Windows\system32\atbroker.exe
atbroker.exe
1⤵
- Modifies data under HKEY_USERS
PID:7512
- C:\Windows\System32\Sethc.exe
  "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
  2⤵
  PID:9372
- C:\Windows\System32\Narrator.exe
  "C:\Windows\System32\Narrator.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8296

C:\Windows\System32\LockAppHost.exe
C:\Windows\System32\LockAppHost.exe -Embedding
1⤵
PID:7348

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Modifies data under HKEY_USERS
PID:10012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:9992

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\1e074aed24b644a1911141fe9b9162a5 /t 9200 /p 5300
1⤵
PID:9712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e6350ae.rbs

Filesize
632KB

MD5
fc2e75b89a69d21b6e7639eca81b785d

SHA1
eb42d71d0e81ae5dab1a5192616ddb9238d85c9b

SHA256
1b988cb1dc41711bcab1c48e18424b3a2def8f63f79d0f20c193752bb11c81a2

SHA512
52a15c01d6541a94c18b95af461752fcacf7598ce6d4966acb8496005c6a86b05bc0ad56ec5510479029b73ce1191ea0afe5e569b3ee471a4dd9ac704867226f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_remove_18.svg

Filesize
711B

MD5
8bb62cfad37334a15129a0da2091d472

SHA1
a9f223eb2bd355c8cbf7d17db501db834f39cb6c

SHA256
94f76b160568e3705f1e0d2d6ff3ee6927bd812032498d373bbcc516af2864f7

SHA512
da08c15accffeca9c1ec985899ebf234aa881546dfb80862c72bfe206dfbf92772582ff87c0636ca0a4cdeeb03635de7a24aecacba86e22683a1d689724d6dab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon.png

Filesize
445B

MD5
ed537606a39879a091a8c085cf95ff38

SHA1
86c73d85094efbfdcd80abf119f03b64a71cbd0f

SHA256
42c312aa2a038ca54e9a6fe4bad8c9c044c35b4c5f421496f289c00c957d7591

SHA512
fc331c2e1ec84a6a83b51f365484033b3069d73c5987094cf526c45a92c3297df22fe2a35ec20382ed4d563ee604ecbdbdf17fb735f7e0118ab444b4d5db8e9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_2x.png

Filesize
611B

MD5
37d179c947c13f64b7b6356f57441032

SHA1
9d1c1bd0c370336c229baeb2cd7f80d7b3cf4d0a

SHA256
71039e6370f68913e67cb8451d3127c22d3e1045ca644e4dc9821e9f6f6899aa

SHA512
3034a8b9694bbde20be0f7fa2596fbca8fd3f1e45810b15a5cb1a2bc6f4ef852afc36639a56f82a4e582d74684724d5c4ee43cbf5e33c94c6cf00b3c059757bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover.png

Filesize
388B

MD5
6d8f7e9751f955452a9ceeb815456035

SHA1
e6903b2ec0f2c5632d4288f88d993d4a41f04527

SHA256
8bcf53efcb1b630087d4cfcedf5e48a7abaa9c71dd13745eedfd2c7cfa6827f5

SHA512
c869a94a224bce8ed553f5a86ffdea6d8a279e06a1c060b311cc52e4538b89e07fc0a4a76f85a28e2f62e8629a7c67101e990cc12bef2d0e2d6d7d3c1d4d7d90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
f364ee8508831e375004ac82b924efd5

SHA1
b04bc510ef53760bdd22ce0dd9d2e2f248c16df7

SHA256
87da831caa04bd303918a32265830ff97648dc8adc18881ba14d1cc1d28cde85

SHA512
399b2da615c0373214e3cf421f502fd0de02bdb9473da644e9f23df9ea7fc792da7d36bde61a456c2451276f74877232c8bedbe55e57098c1ffd13719206bac3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png

Filesize
388B

MD5
39be6b8bd8dce3ff5a1c20ac41ba993f

SHA1
a49d8a0c769601bf922c8aa1673bfd3a92d67855

SHA256
854a09f1f875a3a2e6566c593af465c9c8a3aa9b9112eb755bb09cee76224a63

SHA512
9fd5d4f02aa9d24ce9591ac0542d0abadf2b26208c3043220d2a0f036298199131ad804f9be20c6cc67f39e2921eebec65efb3a1e435ee7318fd8591fcc2fa2a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
b34c8c3b8117b038839beefa0df5a7ce

SHA1
c8d1e8eb4c71d5aa02e36fe3b7365374a9e4e32b

SHA256
bfef65c62bfc309f698e8e0b999edfc06ad272b87d805f183551c43f08d704a9

SHA512
89fa9f31f62c6e119e6280dbc475c35dd7bb37c27457732a0b1cb04809a35fec44a12ccb6a3a626586d596a0636d754a9ff79ecd9ed739c5c6edea50738a60d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png

Filesize
388B

MD5
2ca9f57d61ed45337ec4e6565480367f

SHA1
fa06ed14d72ad8ced6ad98a4e223bc80cccc5e75

SHA256
a584379ebf9aa0d3c0239edb7e1f114f01a9865f01c68494d5f28d410ba8d873

SHA512
83a172f2f304b2f634c313e248b62c11b7798f416872929ef233134bfc4ad8f44b1b4dfa123e8378a233417e1298a73088258f5671ace96ff677d1f26447de87

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
74af10749d7f19d15c8dca65a7453415

SHA1
dc96d9dbffe472600548dc64c724055e62620d8d

SHA256
0e0084df79ab98e5df48ed1e01987f7ac3fcf4a038dd5453708d868f73a073a8

SHA512
83d190bf6f9cb77894e7aaf84029c40a2a0335e43d08062ca2275a2cb7a784a29b3b7b8be820c7dfb2f1458ab0528fcdfe45f05491be673b30495e1ed916999e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\icons.png

Filesize
7KB

MD5
d3963e6fe853dbd9d22f794d5ece4c48

SHA1
db35a3e565d0b6dca7ad243443a5560a1247eb33

SHA256
a870c4e9ff6c433b5583a8f09fcdfbe712241c7e7d64cd59a10c2ad592f64fe5

SHA512
fe60a1b2a20d3c11152df2d6fbee05c3d6b80c89486d258dd6d318c3f89deef3e91a116c502c117d79a5020489e394194310f5c7a7ea3d4b7d284ca5a3e43ca7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif

Filesize
7KB

MD5
d4585d0ccf35ae69b1246339cfb46b90

SHA1
1fffc3492684a5db89e949d2d8b612eabb38994b

SHA256
d6707a7a393687bccd92de05cecbd746be791f3a670cb4fc106252f49d2a0a2a

SHA512
a85560cabd3ce3dd21177948884a921385c0325b431dd281edda61d3585a69ceef28cb339c5a88d167597451ce22d54828b03d69823b5737bf3e253bd9bda9f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_retina.png

Filesize
15KB

MD5
7045217d47de04c1d72eea7413b780c4

SHA1
04c73e38fa17d35a1f684577cc79d77615c09e02

SHA256
8c659d0904687a97d9c6b649e4b74e99b286265e92252908824efcd07f956b66

SHA512
abe433cb154598ad2c0de6070d6e75bb70274a58ce92007ce200201f788553517bb579b0df5cbde3b4f2bebdca1243f0e54836d125d72ea206b3ccba1d15a385

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons.png

Filesize
8KB

MD5
0e366a48bdf6a3b140508e56eed0bf0f

SHA1
bcd76a4a537fc00d8c468b9496d3d5b5dd6a2a7e

SHA256
a311b5a78e1b856505337b90e53edb4ba380160234e1b4e8801c231ba8d590a5

SHA512
1830e3e260a50f79553673bec5775c0ba623284d233c25a2da016f273e67e218f5d2f49bed5f9e68842c7dc14b852e979fbfc7ed336f9a34dafd04a48742f827

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png

Filesize
17KB

MD5
28a435033f504be69def6f9d52efd2b8

SHA1
6f50318e05b79851a445f98d4b3ae3d65feb22ad

SHA256
f84c7c93947e86e2a499117d4c55910de9fbaefb6d703a8d0f90f4867c69c182

SHA512
a2b410bb6bb328eb1e3af794259bacce7918f44698c8145fa530af9be6bfc22a064c1f0ee5d7ce289f4a60a50fce9b56a720793d19ec477340b1d7ef158df6b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\bg_pattern_RHP.png

Filesize
179B

MD5
117ec36a5cc6d82e63e8b3beae4a3099

SHA1
4c692192be53827f8ec8015ceb129f6e0f89e923

SHA256
041917c06c638a1b1accaf0d2f0b2a6dd335dea629de602e104553024d822ea4

SHA512
abb02a02a9161ece12464020676e880f1eed96b43a9dfd4f7ca06dc203fe633b0a712da5f151d36a5644d65aad7b2880c135df0bc42d7c1e61b44006807a8c9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\illustrations_retina.png

Filesize
19KB

MD5
ff84cb8f89545b86e32abd27a9694e1e

SHA1
3cde537531f8689772bc9eb39a12c687da5d5225

SHA256
8b32854c17056ea617a680cd26ea91015e77d68260f656758984583eb6895a87

SHA512
2690d712ba02fbaa769689d0eae380d0988721c6fcb710e04e1e2aba56496cb58f5d4168fe75540139afce179b1250c2ceb11fc4c3d589a3615ad20dccacc8f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png

Filesize
703B

MD5
ccc8d470e94b3441e41521572ba86ccd

SHA1
d294d7e78b596fefcc8084fab7917c54d3043e27

SHA256
a7cdf870b0b1b8459e94ed25a29daa87f5e9050294bf6cdff3bc72f93b928f94

SHA512
f3b2ca4d3160a089f6959b7c8e3e6c213c0facb2733f7948a7222196d3bd8c7350015602569df2cdc7408e38b0ff6700306d7e3439f0892b4d13d9f2d5329e42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations.png

Filesize
8KB

MD5
f6e318123e7ad5933a49669eb035c737

SHA1
ed8938fa3c13af75978bbd0bcdd3e8bd40a02004

SHA256
19f68990146444907956056019aaee514c522c3c00ae00604da44a1bec2f8f51

SHA512
b2506a283dbdcf40ba0cac63b4fd0249463218cc9511ce52cae5ab8c36706090fc1f1942f1082204dcdad5d80e7b655d9e12326c820ac21f64a508999e130743

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\ui-strings.js

Filesize
1KB

MD5
d59d8ff7aaa17ee875adbe48b7a77e78

SHA1
7405acc07f6137b7fd9575f99a2b4354135956ef

SHA256
d74c0782682efde01c1c30e46814256f7d16d7df00a7167d90f2bd55ebaab626

SHA512
63fc8bef9e8ef833e45d99f954a9eb99d6bbcae39b2eca8a7000ac11b976cdd0ce0581e5e5e6b2f1bb2bdc911e31690e503dad945f0a3ea702dfe404896eded8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons.png

Filesize
683B

MD5
a0522ef468697e74b90c444ceb4aa17a

SHA1
31fa5bb9b4ada150c9001b6e9f3213644117187f

SHA256
57804748e775c08ae188b4d860f31e4482ab99b44ed1d8489780daa6756fb11c

SHA512
bbb91f8b3c204c4c04da2ad635eb18e9f224f73395dac509c438c0a645316162b6ff78e03e7af76d5da2d9e84cd0c4b5e9db1d4dc08bc3f524bcc55c1f4dbbd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons2x.png

Filesize
1KB

MD5
99a1fefa123aa745b30727cc5ad50126

SHA1
c48f74cee78f8ed8463634d80c4112f3e12bd566

SHA256
7a610114be56ff131462bc67f9a23bcd4fde4fdd0158691448ab9e4a3eb2ca3b

SHA512
504800f03a4aa57c1cfa15b28542382728b5f3dd85309fe12ebfd711980d78d15d8241d5f54956ee41da2cd65203b7764ab7b15119457b74ebc07fcf8e55a742

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ui-strings.js

Filesize
1KB

MD5
3dde11f8594519f004ded2687db9b90e

SHA1
fcf1854df851616a25d7cf1439a9120b16902420

SHA256
196c132938d324c62184ddc85bdb1cd642af830712e0fbf0fb3230978316d510

SHA512
adc2cb3a37dbf5fe2ae79f5752c0d38d2427a95e333e848ffa113046f630eaa967b3cb29c049dcdd9b921d57e23392562d779c24207f770aba6e92392064f17b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js

Filesize
823B

MD5
5e884e2f05ac036b7a6cded3efc2ea2d

SHA1
807c1cf1bf0943404601b6241bf4bcf9fcc29c9e

SHA256
b333de3a4a7be7749b82302085ed26ad868f0f8eccd09d2a8bb8840414e624d6

SHA512
6665aa6fa35e05d01a4a2312a93faf52d6b39409bfaa861c187b0cc2fc51e74aa253ebf56061872d548cb6d3d7bbf1f7c2568de81e5287e0a1d6591c1e780f15

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css

Filesize
802B

MD5
bfeb063e064c71e44ce75898e79c61bc

SHA1
c4dcb4b6814cbee53b415a2a5df02fa500510ef3

SHA256
af439ebb0d55750003f7dbec517e7b0b26a6a0506b21e3b74d800cd1c7faa004

SHA512
0835ebe63867fba6d69a25c83dca767ffd9c57907ba76d9c71012be18510e2145a358d37c1cf4e4ad35d1cdd4f67ffd5928e70e18a376db607d8482356f12219

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
4c27ad089d04cfefd979d56f2a67b172

SHA1
63289f9198ee4553759b07de7a4229ad370fa976

SHA256
e34bcd5b8436d3bc45f98dd913d41f185c6b06326b66937d6e0d5c6434b16fe7

SHA512
23f9283f769fd310dcac26cac00d2eb033763d73bd45b0d148ea1ec3a3c75b073572c9fa9234699372a7e1caad7fcde7629d004815536df1d39d291f2d2d96a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
61bd39ed095fa82ffd334fbd7982616c

SHA1
51af9c2cd42743c5cf81200e0fba3cfaff801885

SHA256
237a70fe0388ce6884f5424692c460625691ef7acb0bf80403ec6b25f348b94a

SHA512
54dd8e1a5c19a9d51892a12e9501b7f6f69e09e0c446ec36f7ddfd9ad0d9cef52604ab2f8071c71ce63989510a703f1cfd5492e1ac20c8b37258ba21f8952400

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
4KB

MD5
543415ad8ba14db1b75a93a551a4abfc

SHA1
3d4737451e899240fe19daa07f3c58ce9a623631

SHA256
03bcfd7fcbd98e48b1954f912ecd66ce0bd5c181da0c2408beed01486ed23804

SHA512
7c4bd1cf6fc8d7aeedb1c666ca45c95615927fe76cad3d3c4f4dafc987f4ac04f527ecaebb3103f593eb080302e768fcd77739ce8344ff2e7ec10efdd1113cd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
c789d387908d7b7f21c6474a86e84019

SHA1
1c36fc6954178c43d9249a5ff3c7246057c6aead

SHA256
223f32512aec50c1c00fafc476d8e4ce61e79aa748c67b72fe55514882a31a5a

SHA512
1cab85dff119b591046049b69b6208283ca5e009d95129bb407df2768c82da30fd2af8debf6f1bbd91f37518538f3ba6bcda32b63d1d278b56fdd1f5f93439ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
c5aab3d175e0a3753ed2c3bbd7b929c1

SHA1
3ebee0101ad62449a67f506df9c8e7dacc39f877

SHA256
2e187b74e926afe70eafe0648c7125817e99f5586eee3e2e05446e360d4cc1bd

SHA512
e967020462477c3e9465e3383c544cf468dd89f4da084193634f5bcdc001b90f5bad3f4f6dda9e95ebe068108986daf41504e02331f4922ea25e7ffee1f27040

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
1KB

MD5
808971f45b803583d9d1f812803d81b7

SHA1
0f6aaecba7c976ed8c2f53782b3d3148f41b2905

SHA256
c25d9409ddf9645c2731ec785cacbb7568005bfc78fe0aec7df3ae3c4d30e333

SHA512
121e6b01125f9e9d4894f7d498bb4d39ce676ce51e29cbcd148e0c1feed46fbc58267cea7d5f66654be831dc479e4643be8b28b005467309b7df5cc7fbcd0dbe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
ad68c0b141ea1dbfcadb540c1817289f

SHA1
548a46167f7f5193c5a1335753bc208bf92aa504

SHA256
537ac64cd204d7ef82cfe41c932deb9cb1ae738b2156eff4dbf73208384c0a13

SHA512
269ae39458a9f30351166f304825b777f3ff143b7914b98e83e01600fa04c7790e6e813466c2a1c5396ce13cd2199792905cf0baba1cd28a420440efce0843e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
36503740756a442b7be294947462be83

SHA1
a1203ae869deb46f59a3273f6d130e7457bf5321

SHA256
d188ab283c552eee50677129f3b0ffd8d97828c4e7007bea258174c9a2200e87

SHA512
6ff98b15c7d757dd351bf50a1c4ac759a73fdafe03d5fad506478550987d0ec016ba9e617c099e6bf7b0263846eddc4eb32cb70fb1fbbc1189791defe556967a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js

Filesize
840B

MD5
32147da1c647161e45a1004eb1b16349

SHA1
a953c222cce91729ebab36bddd43bd5a795a69cc

SHA256
434731fdc6d2f5115c5f7786ac989fedef7d0f60cd2ad4385cc98f6d2160566c

SHA512
8c825f8d38519cdac2a49e4ee8a9564ae72839199562ce9acfe72b4fbb94f8946775054782cf26a9566eaf8cf944a26e42b7b372c4e7349b33a8e17dcd13df94

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5508_1309663164\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5508_1309663164\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5760_392701642\_metadata\verified_contents.json

Filesize
1KB

MD5
c6a8dcff24d9d1852b0175d5ff59231c

SHA1
b343627d458933aab66d303aa57c723a1d00dead

SHA256
d0715b04bb7d32c7f7d888834983406ceef885799520af976dd164e6b8d1d535

SHA512
52905fdbfcf9b24708be49c1bd481a066c7091e8769e049a46cde0da866aae92e2daaf4c930a9234c4253eff383c62414e8837fe5a4ff3fcd3d0827252bbaaeb

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5760_392701642\_platform_specific\win_x64\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5760_392701642\_platform_specific\win_x64\widevinecdm.dll.sig

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5760_392701642\manifest.fingerprint

Filesize
66B

MD5
a2c66c5636ba1d6c6f4e6f6e2beab7b5

SHA1
72f4d77d5fcba521e25df2ae082e339d39f7bae3

SHA256
a47ff5dba25765c696476506ed4cba5e7ef5dc1b402d8acc5887bad76083f6aa

SHA512
23b9484380a44db3fa7f45bff40928f3e940d67899d2d0ef3c7faa80f943aed69e878964f4cca3405563a87af3db2b7bff8fb88f66698abb94293dccf940fe38

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
869e5bda5a73c325b4d8d3cefe8ce4fd

SHA1
b7f79ea6e7740dbd3e17c26629b48e3932dd007a

SHA256
68d281644d77582c2967f42ef01e4899e30d47896ec4f2f3c42cf6273391eef2

SHA512
ee874ea2cba658ee14c984afbdc3d0a78377dc98626ac2d0a6937a7ea207ef3c4ceb6222d2d279e0dbd29f9efebc1c925ccade805e427adcdf9068309893ba83

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fa257dcba36deebf9794e0f95d623997

SHA1
27826c126aeb159c5886908e8a6cc4cae6de5e9d

SHA256
5d06a43054f404b605acf493a6ce40ca3d984b4279f7475d4c8c411e6256a797

SHA512
c3d17c47348ad9f196de819102036b8d2d289f7145c8ff0e4a5d2363a16ff07c4f6655b416b7ae409a6e6e46ab905f2e1b2e6d344aad91cc036fdfefc8f12b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
702B

MD5
d64029bd6e651ae7f79feef797d9cbb5

SHA1
ff41e8db9976c854d81f5f07c51d6380b8864dab

SHA256
c0d92c39885007d6751a1cc4bcb2dad2b85881d49c13c65f3ce40d35010773ff

SHA512
8c1f848839800971ae41b49d08a7cab8a05c1d419db7b5ef7c7810cd250680f3d2b0eb2bcec9d7f8a9365b2ad3a99fc1584e594af37a86cec9d72b170b12ac74

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
702B

MD5
1e0267f80587b560a638c3dcb054d2ec

SHA1
03f96c6fc52098878a715f13b9e955ed9059581c

SHA256
bf3578b03017ac6c7f389118999211134ba93769dd534b718bcd83c9dba625ff

SHA512
f0f40a9a185c4a3a2a2c4fb28aa9b2c9cdf6beb24209be970e836eec3fef476440ef8524af860cebc286c11dc0a416b2e37f4aa62d5ed440b0c068224cb09b93

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\chrome_100_percent.pak

Filesize
163KB

MD5
4fc6564b727baa5fecf6bf3f6116cc64

SHA1
6ced7b16dc1abe862820dfe25f4fe7ead1d3f518

SHA256
b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb

SHA512
fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\chrome_200_percent.pak

Filesize
222KB

MD5
47668ac5038e68a565e0a9243df3c9e5

SHA1
38408f73501162d96757a72c63e41e78541c8e8e

SHA256
fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32

SHA512
5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\ffmpeg.dll

Filesize
4.0MB

MD5
739c4604b23d60920e5af2697e5ff7f0

SHA1
42812be62f1b3f86aa8ab164a3c757a87a7d6169

SHA256
76977c01b52be46c8147a82d1310d6885fe633a9a7cf9372112b31a23cb8b54d

SHA512
efc84a35f9c7b4def31c5ac44a1341a7062cada4a9c386b7a9334111cd0c28cf551b36db552f1282398fed39d0a83aa1c12171ffd506781175ee5097c00c71cb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\libegl.dll

Filesize
487KB

MD5
aa5b55c41295bbb8f15358dc5ccb6973

SHA1
79a96d4bc2627f452649a3048e2835011792433b

SHA256
0eae1cc04e3523b1d9d6ecc8b82e9edb8f1d786d64ce0fd272639807dd7f146f

SHA512
4b427e51f23213fa0225f3b56b55c61cd73abce6a8b892b117ff853086951cf7e8c928053e0a1efbd11782c16077b6e0d155a93efb0eb6c01b3f1809dc81b9fc

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\libglesv2.dll

Filesize
7.5MB

MD5
91c833627c774f7037611a4d49483dd9

SHA1
290dae6a0d7a1dc26ae85e33c3c800c5b35df1ce

SHA256
f2c07d4b6d81f09cd319cfb495d453f7abc48844319bb51c6bb994294dbd658f

SHA512
ff538fbf1db44e999fbbb9f68dce322cf6e46ba46f6ac84357b02445481c8e0f09463151b414b68d9ac8b4970201189949dff98064c0b19718b55806de62ded6

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\locales\en-US.pak

Filesize
428KB

MD5
809b600d2ee9e32b0b9b586a74683e39

SHA1
99d670c66d1f4d17a636f6d4edc54ad82f551e53

SHA256
0db4f65e527553b9e7bee395f774cc9447971bf0b86d1728856b6c15b88207bb

SHA512
9dfbe9fe0cfa3fcb5ce215ad8ab98e042760f4c1ff6247a6a32b18dd12617fc033a3bbf0a4667321a46a372fc26090e4d67581eaab615bf73cc96cb90e194431

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources.pak

Filesize
5.1MB

MD5
e9056386a2b4edac9f0ffa829bc0cfa0

SHA1
f8d4b8289ebb088c9997a1fde1c2f12aedd6c82e

SHA256
546456d9a1328836a99876824f3beb7279f38403cd001515f5d9eb204939e57c

SHA512
c49e832e5c16a1846ea882395e83f9cbe9f4f6b44be9f0c7276d0a4495b88091bd95593c5e167dba853834058d7ca823db60d2fac73434ed952b7064b2daf6da

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\app.asar

Filesize
6.3MB

MD5
a42420c26ae3cf2ca48e1a5490e65a7b

SHA1
ddd362629e5aedd4146bd56b99954a11ed663eb5

SHA256
3a442f61576cc36e2812bc287f36713a15d90975a3ef047d05ef98fe5260228d

SHA512
d38843eabb2dd87b7472fd9d2cf7af02974a25376c7f995a6102c511382232bb9078455d79337fcd9f0dca9d82f9964ea17567457e6a4b8f85edc4abc900b2e5

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\resources\build_info.json

Filesize
83B

MD5
fb4585081ca18fd9d729f74277122ed8

SHA1
bee0414df83c428a1df7783b761f90e5d06d394c

SHA256
d7dd71d655585c3005a908a726008af33aa61dfb906c6712545580affca52dbf

SHA512
8fa78a8f6d812fcb0f39479d9ac00ecfafd0ec3aa84d0cf885589de98bc2bc1faedb38d43ac5f5ce8e776ed206c7fb20bdf45e976f9193cfc77cb6a314710291

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\v8_context_snapshot.bin

Filesize
627KB

MD5
1e4da0bc6404552f9a80ccde89fdef2b

SHA1
838481b9e4f1d694c948c0082e9697a5ed443ee2

SHA256
2db4a98abe705ef9bc18e69d17f91bc3f4c0f5703f9f57b41acb877100718918

SHA512
054917652829af01977e278cd0201c715b3a1280d7e43035507e4fa61c1c00c4cd7ed521c762aebd2ea2388d33c3d4d4b16cee5072d41e960021b6f38745a417

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9146\vk_swiftshader.dll

Filesize
5.0MB

MD5
3b64f23983bd4677558eb94ea6faf7bd

SHA1
f6b7d751f15e20d992cec209087d6976b667c700

SHA256
804e6cf63ce347f14f4412938651de386394e803b1d84d7b0fc2aeaa65a97226

SHA512
f8ea2394ff90c6e13f69860b4b957bdc3abe7148eed3d2cf9bdf9ec7ee86f69637e3c6faf55c41a1e31d5115fb5a9793e768ddb34340eaa82aafbb248dc1dd9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2d9f034fe011a3626c641622da4e1fe2

SHA1
e79ffce5333c61d94a36ccaf9cf1a72e03268656

SHA256
34b2d6b896be4a5c8771e65da5d9342ef5f69880e9948b6a9522c06ca50efc00

SHA512
703dae4d2a4f7ece62ef72c964d232b229964ca84638c916804a983bab85c5da30a2af269359261c3044a56e362341f442e0137eeef6f82ddb4fc97b358fd580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
acf0e76b77c774bcced041579e1e9b8e

SHA1
194f271b35b6d36b6bb527dd4336108e7af514fe

SHA256
7af34b222f8d6949339dc157aaee254468f5164b930e65485165bfd0c0bfa30d

SHA512
94bf1589736d83639c1bbfe2cd374b1d24ffd91d5f28768398c5253cf6f9b977980634766e7b117af1e8b9f2b6f0f9eb51aec3807109ac72ce19db5dd19d6c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
29166552e0f1c18648547d9b9b7c629c

SHA1
0f46e90f399e80cea3f9ebbd97fbe758e82d1bce

SHA256
5fda9e48d2720381e13aaccfafc9b97253758f2199094d58e43db4b650b60bff

SHA512
c5243f1ed70cd33caed41c128db438f5773b285b4723669f0837357ec30180a49dd2272c178ce96a4d87753550b41326efe065ef03833e8c3dd5780c1802cd0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
77f6556d93632db8d548460d14dc6ec9

SHA1
c6e6a487bbae3bad70096e090a2811aa1b0ddb91

SHA256
29c40ad16d1201fa27313a2a34bbf7184eb0b0945cd7e53743ca5cf804ce7f91

SHA512
1523e5d8e9d8862f2a4fa848809065778e73e56a3ed46092a06dc7f79a1f9aa56cf47834a36be18b64308079203f0fc0aeb719b52fe66035e4a8e41ce77c34ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
30481a26168553027846e15253194b90

SHA1
9e9a19d57b8f5e71419500070f48b266a1a0b866

SHA256
511cab43fad89377530e36caa4b1892f3a5749b03ec61bf3990f7f3525e12074

SHA512
d0f35d744b5deef3bb16278ff621a72575eabc2371887707a83bb3199a06959d04d8abbde609163eb949f1ec271feb12577c2d8c11bc54fd736f0b8bf1c9f210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fdfeb2447729877818187475dca33d19

SHA1
c90faec9537da5e9864a0db684b26032c2261fe7

SHA256
5f10708958de3be7fb27419db5d43681e2d3861c8f93bd0ac6f9726cb8c36f11

SHA512
6f85ff7be4a97ecabb1b1793513e30b3282c1e12ff6a9d53be878a358e11108aaa9c2fd45f4bb886b15a7034c68312ca2be0fc32634a508009fe1f8fcaae781d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
324043ca9b6b29f1332c2b82ccac535a

SHA1
1e9e0023748dcfe86202818385e6f850766f54b1

SHA256
7688e82478a8d4a755e94c44f38316760082ed99d66439745f309aea8b6127d9

SHA512
e1eaf4b67fbda48fa6ef584e6b2ae51db909e751fd3a63c3a5997bc4dc0c57091255a8eb2b7a5474efbc87a4d1682044c176c05c4e5b8bdc39e19042248b4d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9bb125deb6cd8295420afaf23341da8b

SHA1
b3177d4d8b8b7231f961c972f08f17dd88e40f61

SHA256
c5cc751f0d8c2c055fbb668d5838032b0dbd7aa399c635786d33c903829a1f56

SHA512
c1b26c381fb95a19da93d17dbbe2f3053f437a69da9188e3b7c55b9888dea9f2545cc15b91223ac98f5a12e99ed5fefaeb1e0db236e9bb2c7a9ba1799d1a4f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b8c3a6a290ea271b465c9c4fd8561858

SHA1
132dd7a2499c6a4ca69e7366d0d39d9158090f2b

SHA256
2225fff476ebc8f01842cc304144583fd8387485ffe6978c1d6edafdffbcee62

SHA512
13478fb779cc237314a5fd632d3fd00fc3c088f125299d0257d4ea9e095d06abb071500a9ca3b4db9645189ff71ff9d880eac680710fc23aa32396d7c538995e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
be8071246951604f6a636ffc0dc536ba

SHA1
aa7390166cf97083f3bd106031105380dc04b26a

SHA256
f9647c1f95969f6ea51e9036c6be497e44b6d2864898bb5a7b3a21e957f4bfb2

SHA512
979732174fd52390631307ad091855aeb4f5364da51bba0bab6556fb37d2ee66dbb12f76002a49e739639a07e6b05b8dca48394ce899b150a9ff5134f0ed5bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fd8d28c71c0dd096888f4f3b299b222b

SHA1
3caf732d487dd963eff400c63f1b0f2139a15498

SHA256
051b026c6ed196cc18c7f2fc90e6475ac9d6087c349a9f07f9a27450af36a98d

SHA512
0f97e7afd82d754335ad93aebb3f040173bac451412fd20c2352e1eacf480e35d96a1a8a9d64feef111438785621f8f51bc12b29e4f67ac376d164dccfff839e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84153a76243a930a1d7a6184331936d6

SHA1
39d2131b2ec57b58926a8f5b623ca12720896f28

SHA256
09c2bc7bc6877c8d9c86aeb992f5c91503d69870ea2312a72858d2d6e7f8983c

SHA512
48d6aa982ce2db6f08cd97251f0aa2472ff60cf555b643901c9b360133257c315e1d22ec653eb2904d513130c08e5970d5a4053a04d101db20718830453aa5ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a39f122820639b26596d0e96a27ed077

SHA1
2d161647f20d5085e103bdabebeb8f983cd182f4

SHA256
de8a8d9fd92b474ff80bedbc3fbb98e0e6f07115ff24f4fcea699abc52527119

SHA512
c57889b6005cfbc8c2abac1899b1485f2af7f9fe92e2723ede9dff67937b9eea76436e816385347418adb2d18b30f134e5be1feb3670713de770b3b2e9acdfbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f2404790ab71859c9c695b755aa7dce6

SHA1
f1fd3dc1ed9508e68cbf118472871c44a33f46d4

SHA256
bf741bb423eeda2bc3cf0d70159ececc15ed351a4fe1826eb1291c82f282fd61

SHA512
5b887a9549d60b57aa6492b172ade3fd9b0c896964625454c8fbd7b2ec10856f73e14c7bcbf91ebb09ce3a887e116c0ecf6ba763651068d7a7c41640ad6cb57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
938fcb67b38a45a4c75af2e91ef9eb82

SHA1
31cf6b3a53fd89db1c85f9862a0935cea6b4b5bb

SHA256
352d55877c3332b953beb1e742e30367cf4407b06fa27ec7e4df5918ecfb9173

SHA512
b99a98cc9f7073c2f62635b96969bc05bf6223cbd25a6b8dd044509ec21830f7d6f29c28d49b238019c5527c0f661aebe4776b87c6295a737955a57974a5d2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a3ea0889c89fcc09ab15bcf4c3a84fa4

SHA1
4999c23c2348e9e5ecf9266ead56c329c3458a67

SHA256
6246b678858c348b988d653b8556f27294d04d7420dc0ab581c8f519e390b6e0

SHA512
4ecee991c86a30b4ffed705e4dce4acdaded9d886f15999ba35f2f13b57128aeaf090e95fb204f4e0301f1f5d6944dd41511bffe5d1d96caa92ee0baa6d60f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
7be0f29f831281b2917db6c48c653012

SHA1
67e9c47d264aadff5edb22486221c859611b8f73

SHA256
27fdde9909c7250ef506e7804a3d7ceb4434ca8b07fcc90c1bb811c59ec6371b

SHA512
8146994c3451c478d25a070aa03ebfb4480aadb4ca64863c8636870778355efec6b9c17f913420146dbf9961cbe7b9e04d481dbdab6d40888f2bdbbb4f316709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
259d282f247d3cec8941d8746e46bc49

SHA1
90df6549f960e20e54903a4525f8326bd10cec9b

SHA256
bbf444501d750586043e3bbd957cdbfb3bde6d34a92690f118b0949e5cf187dc

SHA512
38af9e638cc42cec4a23b9c83725ff8505cda0f37aa444c56c4d2d0404fc9cac2659366f627043a3eccb671c4371375aeda20a66463d63a7e605d93cd7d17e7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
660753c6feb6db3acd447c7bdfda5750

SHA1
e767c8dac2f8567cee7c89bfa4125395cf264bd5

SHA256
c6eed6fb84e06ecdeaa6f3281aa174050da163703a558c73971d2949000a4a86

SHA512
2cad85fb1ad253d6bb2361ca5c9476ad8ea07366a8ee536a50d41d32fa8526c6b785fef58ba6fcd1d75d2d7d06367d7e3e1b97ff1c0bc78de0647b042dd3ba45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5905b3.TMP

Filesize
100KB

MD5
dfb8a83977c901b25c12170860d0153e

SHA1
ecc66cee5b757fcbcc1f29e86aaacded0653c4a5

SHA256
b2f931117ec30a0d02ab391220807a23faf23fef0b635110cd76472c108a76a3

SHA512
85d16a5077697d114e446c98b6518bfd1967ef0120857d4b9c01d18f5a7292582ffa1ed5a59698d14e4ded5103e06e9092a497a2ca76e07a9c6199bd099a96de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
0289e9b157eb3ed1ddb234f3a455c5f4

SHA1
a32b9559b17db70b6d42af5f5d99b3519402aad9

SHA256
23a720a6712f25a1c03ab0b5aefc23425af5efe9694bdef2e0c454d6df0a13e1

SHA512
9568fbe768619cbc4bd6f3d46dba8c0dbea36544181c37ca635d68d91c4195a94b8460bd67d5c13e0c049a8844b60ff942ef964150cdd05269fa1d8b5a9e36a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

Filesize
271KB

MD5
395bce55d8e8d52da689f4d9eb0b68c1

SHA1
9c8312a4709144bfc5cc5fd9e5980896affcaefb

SHA256
ff6dbb79af9940b24f3b33542e319d0a8623894f1f562666cee1ab5280280cc4

SHA512
156d5240019a42d8af3e8d65156e2d72706a052610d590c7a527d842214bc554900c15ab4693c643a6ee12f692aa4292c5a23df03b7c36eaf60da135cd110788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
b2563e74ca717b7211d5275aed2ffa79

SHA1
44195c0669f19b8b5eb2c411455d7c1593a1fd0a

SHA256
c0a46fb8958b745d650d71af995c8123e1481b27ded4ed757fddf767f1c736a3

SHA512
6d236e59d72b9b057032a0079fd38ddc0ab0069966d1f71fabd62666c5152f3fc5d139ceff88088518fe6684c90163b5fbe2218e0ee527a79ab23fa9ef9a767e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2TT8RSZ7\rules[1].xml

Filesize
1.2MB

MD5
a87271512937a308ca9442032a0029e9

SHA1
bc5fd38d28683bfdf4556a499bd8184159d29301

SHA256
70e8f749d63636609f3d60d85c00e7a1230faccc59adcc9ead0bb9101e7d53a6

SHA512
d60944a41ff8969de33eecb68dbb02e09005922b5eae87e39e28e52669edbc65c605f181a82f4eac58b4fa9b0f64669d9dfc3a6e052a9d873c02bd52a821ec83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\64DULKK7\instrument22[1].htm

Filesize
2KB

MD5
ec098d4e1a36718ea29833d4af0f011b

SHA1
938c8a202fd2710c4f1d0792375c47149aa64b98

SHA256
bc4163aabf74b8fd1eb2cbb57255869c815f9bf9f01ea1da5b3b66adaed34dca

SHA512
837bbd530eb2d1e75d6048abfc15c398016a8032331fd8740634b3d7cd67bcb7d9a11e78b6bad6496678639fc816223bf9c90695e3e81fc11683bf65f0bc07d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KXT1H4PO\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q7BUKSPQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\14834

Filesize
11KB

MD5
a5667002186b4413310b29156c4226d0

SHA1
26dbfe59cb5167b9af9a5a96b46d91f1dd88eddd

SHA256
e9010f25f81b31665a230a02ee1b80fcfd2bf2facaafefa4231ab84ca3980157

SHA512
70fa1c106abe034e97151d5585b27423606af68d17b9ac28cb1c485cae99d4e55dad013e8e328cfaf474e85901fe68c327bd5fdf7cb9671cdd5c5072aac5a64f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
232B

MD5
9edbad59fdfcff859db35d146284a4a2

SHA1
d1b4bb843edab2e9d4b30b95d39a70c24643074a

SHA256
00f523323f5e099d0dd25968f817a26c73622d7ad36e9d903db1586ba7331ff4

SHA512
0bfc0ea8cb8dbb253ec082ad5bc62975c0cdcd15712e484c7b60a0d0da9fcedbf255c55d0a048b37173666b00544e150a7a9f4cf6c25fb113209e80b518758ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
283B

MD5
262c01aba74cfb84608e062e20bc2b69

SHA1
c1cca5fdc5377839875fd6cfcfd993e024944d74

SHA256
57da7b64eada9d44dd6c577df34a5891f6de0d11abee6a1cc757fedf876e855a

SHA512
19c65d912f0b51e0499efbbefd47db1650325112e67b900210156b0817de61161b76671632c3b5b47803289575c9c7a7d11d83e433d677f668e7f109579b2498

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
233B

MD5
a87c7d8c39ee092e9eefa5b796ec7b8d

SHA1
99a40c4de8afab1f894e49e19aabedcec58c02b5

SHA256
93ba334a0a9d47a3a48b40f1485b31e336741755d08fa862d1833c44c23a9c6c

SHA512
2fa6148f37f10091ab75d3c463dbb3d474a1f0d6c5f9c03bc46d0692120c07cdba37c96f01c0858350850de017ca0b4d91114d0e48e689f5704637b9c79691ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json.~tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6U17TI3N\4TQ6xhX_0XDFyLdFRS-kPhFXirA.br[1].js

Filesize
7KB

MD5
fbf143b664d512d1fa7aeeeba787129c

SHA1
f827b539ae2992d7667162dc619cc967985166d9

SHA256
e162ccd10a34933d736008eb0bc6b880c4e783cf81f944bca7311bf5f3cd4aff

SHA512
109ec6433329f001c9239c3298a10e414522f21be2a3d7b8a9eb0b0767322eaad1fdf8f5b11edb1f42882b4e75ae71bef7fe786716407c8efad4feacb3dcf348

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6U17TI3N\652737c319ba7da75394c4dc_ggsans-Semibold[1].woff2

Filesize
32KB

MD5
890a9ab504c3657183ff118b1aff212b

SHA1
127609df5d04fc779da4a9e90d8d09bdbb390149

SHA256
d472a71a0f92855881ce2c2334df77a333461f6936f1f0388f952fedb056fb3e

SHA512
a662c708882ac3d5a7bfa64f16becf750ffadc333784a72350c71513cf2261a8cf63b67da989bb5c1fa78589d570eadf45a9d9590286e764520fdc3144e6349e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EXL5J2XF\vDjLjnEkXEuH2C8u3tT0A004qwQ.br[1].css

Filesize
2KB

MD5
9baa6773c6549250a3393e62c56eb395

SHA1
5bb4eead8609cd30b9b96b23ec4fd0082ae64c1d

SHA256
dadf403df8cfe888e59e6a051aee3783a2bf0bcc60dc1d09a7797daaee726ca2

SHA512
cf12319cf07897864828d9c950df4a98a0628d828a7fee75f1235fc5d3a57c90a40b5ded2743af2e62b1d13d3f6be0d302ada054e7c0d7164b8ba12054909b8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LK76EKKU\65273da62cbf8363b445b021_abcgintonord-800-extrabold[1].woff2

Filesize
40KB

MD5
3d07f5abf272fbb5670d02ed687453d0

SHA1
5ba49c861917331a4d29d2a81ed4f93e94f62212

SHA256
3afc8b61c01534f04c628962b34e53104e0487b010f197a54d2e9ce357bf9733

SHA512
b60507b188022163686e29e2a670d51d62deac4a2450c71de5ef943a784b680ed1626f87d5803a7d1175d55aee3122c6c9060113bbd9bb41a95c91196cd1fced

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LK76EKKU\65274471f1a58fe9565b9ca9_60ae8e384c11e54fd6986f3b_ABCGintoNormal-Bold[1].woff

Filesize
61KB

MD5
746a4f241e03deffc59b08c5650cf458

SHA1
16569eaca9910e7538f31bc3c1460c2761eb5ca3

SHA256
12954218db16e3a3c86a6ee84e41be8bb35cee983ffd5233b37c7e094f9dcf11

SHA512
baab1c55ce9fd605b3a5cba7122dc24cb21f21f69f1d650f9542e2a764962906e42fd6a1ebda744190ffe526fad132972af264f1194713f3d5f35df461494683

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LK76EKKU\th[4].png

Filesize
913B

MD5
b44cfad14d5878d38483ad32b3460f7d

SHA1
ad393e3f18d3a70d5068f1c96d07cc9321382a9c

SHA256
8cdb9ca09c83ba6d0826e4147911559a5cc43216368ae8c61c304febee939b09

SHA512
20f3405229bd03057d9e8dbf0f1c16a569bcea123b4f0e68e1e30845f1ff0977aed5a4d3a134d7d2830507d1d56172987fccc8f3a3fa9adcf9cb394ea767c900

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T1410QD5\652736292cbf8363b43d077a_ggsans-Normal[1].woff2

Filesize
30KB

MD5
ef78ef4e179e7e1766882d2f044cb39d

SHA1
ff3734cda8426368beb9deee703344815817e987

SHA256
88fba47546b0201525b02b5f65c8af1b09367d470fff48aca932e7b43e3fd67d

SHA512
0e8f4e5989b731d4623666e164338119bcb0243aeaa8d18297a31274d0bf2c5c6edc7ff1d1482c69fb89976fad03f93a88e9e5f59141846af02169fe8926fcdc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T1410QD5\652737c30510e4ad4333a424_ggsans-Bold[1].woff2

Filesize
31KB

MD5
db6b320298071092b190ca887d06e95c

SHA1
8016461ca1131ea676cff368c4405d79f52c7867

SHA256
9f97ff47d66b2f3cdd1aa40988382749ef90ac9051d1a548b12a1260d10c1e6e

SHA512
7cec34499c90daf790d0fd4879f1282d90a1694881a87318ecb418fc65cf084f66bd127dd3c6b99bbed8ff2822ad70b947ed269afd27aa8b60e723c16fdc6a7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T1410QD5\652737c319ba7da75394c4cb_ggsans-Medium[1].woff2

Filesize
31KB

MD5
6db712e9212169e71d90c9999b5d98f6

SHA1
dac145a44f8530b801f8fa525742ebc93efce6ba

SHA256
d68a183592ac8ad34c6a0649690b01946cfd17762dc317e0ca31791e707a2d84

SHA512
3ec5022affc61a10f67e4a7df21be4dd2bcd9798d38d2599aa4270577e1769acd4f7c59430cbb787ad81f23ccfe8309350ae090b860d9acf2f52026a5b9d5579

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T1410QD5\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js

Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\409Z2O5D\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5M5FWMQL\62fddf0fde45a8baedcc7ee5_847541504914fd33810e70a0ea73177e%20(2)-1[1].png

Filesize
557B

MD5
c309ae41848547064c2ddb7dc66b6215

SHA1
6d9801822541e4be3ed25137c4e53a249c85ba2a

SHA256
11848b5f1c8a7f294c6211c2f0d0dc83a8a28bfe1ef0829a8dacfdf475c5e5a2

SHA512
3ef32b52e7070ca0fa9a8cf06e49fe43d67da63fd3a0cd0985363f6223c758440a44e65c3eebc7d6cee0b1ca3aedc4c6ee78b7167fc4136d90539d6ba18d030f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5M5FWMQL\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8MF6Q8GB\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8MF6Q8GB\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FDCKBH4I\favicon[1].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\4d6dbg1\imagestore.dat

Filesize
36KB

MD5
5c01586649b2c0467149602d1c0e607d

SHA1
21da92ffa3788d4f9b5e52b465e393b94e14ad0e

SHA256
b2eda886e40a09385a22be6fee8f4133b4ba1c88c675d18d6b4d51b3a2235ab4

SHA512
d1e368aa31cd7ad1482383ae5339cb824b3800c1a9a3e8c4509af133fce7c3d84211542fe1b6d94f1cfefa36cbdfa7dc825f1afb2eb1ac33b3c1f45541e46a15

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF13C803225A6C3A25.TMP

Filesize
24KB

MD5
97fe904fa6fe06f7e409b61568b2e714

SHA1
ea86b5d9afc92073dcf13443651a462220a6907c

SHA256
ac4f722e6442e39b083982bdac2936ad9dae03cba45e649ba93945f1dcfb13f5

SHA512
72011beec80ab57daae03d2c86ed5438043b58fc60a2ead9c01fdd3840f60ae3e70019ec8d219345aa0ccb79a77796a5160cc2412abaff1f4ade2d0b12da24a0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
2949dd276d344146ecae0c767d8b3e7a

SHA1
21eb30fae754595ec4b62626b26b84e1653a3eeb

SHA256
d1292e867455d1d83d5666176d670117383239d83f43dbdc084b2f9e3f2cb213

SHA512
d19629f09557bc07bda64c150a375bb5fe41611ba7ad78885d38e419818833627b58c20f9bff7574548cf6ac649a32e993cc98425beca5beefb310a800450816

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
a19350c0d89280020457130f82c2dcdd

SHA1
907f1f2dc8ce810890c1d1921ce3789498fd89a7

SHA256
653f2319b6dab07987518e076317629df446cde8a72608872b376138df39bbcf

SHA512
b93b94b79657f71e44322525bd86f6605b53802f2c47c41fc61c9640c4a2602a95fe34ef9e83b96952985ea052dae03e01f431665aeb4c4c055b0f79df5716c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD298C.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75281.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80078.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE9D.tmp

Filesize
35.9MB

MD5
5b16ef80abd2b4ace517c4e98f4ff551

SHA1
438806a0256e075239aa8bbec9ba3d3fb634af55

SHA256
bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009

SHA512
69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
d77e3690e56ca204645f80bd857125a9

SHA1
dff8c1b90ae613531b1fe88a468e6c79a8a887d9

SHA256
dc6a00b4d7c1f231cb97893cc93a42ee9cb8e2879346341d59914b3e984ceee6

SHA512
c89fc748df39cc6a6fe75fc9ec66d231eb373e70bea4cfde146e20d2adb98993c61cfde3626d88c7a1b1618197d2e294368fa1c84110e7be501d7b501be3e18d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
1111d89adcc2d884c515e3492d7b78e4

SHA1
23bae08e3e02a1ff92eaea41053b0c169a63aadb

SHA256
df11480dcbabbe757e97e1f7a436c1c8f6d13061f4b0b4b9f282ffc456122375

SHA512
ddd805f6c7c674c21cb65dcf7fbfdcc021128ea121c8075cb76706da33d443ca0bb91885f2652c1699b1702b047c3407aebaff3ef1bc520a8e2dd3dce7b0081c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
dfe3b31a92da177310be5c8d5822144f

SHA1
916c9fb06d027d609e096cad65567b308c296f82

SHA256
bad4e384a93ef73912df809d8716d96cfa3780e367aec88cfd5da4b06ad19af9

SHA512
e8aa17dba155f0327d11a37e6c261b2e6a046b78f1f4b4820b7f7e6dc1c1dd99fc33a87b5b34709ee14060c4e0569a521d159961d3b6b7ef573523597a43ad0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\bookmarkbackups\bookmarks-2024-05-13_11_fHex2gcaYrcM3bB6rAfVHg==.jsonlz4

Filesize
941B

MD5
06d87d126355fd690e457ce18b4778f7

SHA1
3de1658c09f3729a9ef1e86d20a4379192b125b3

SHA256
d7f1acf55995a0c37cee175af46bd974fa2bb09f2905e9001aeaf604166b7294

SHA512
78ea844adc923e9d7383c4c2c2566aa99097542d69ad04655398dae6ae4e7b9b63037c5c5a7776e939f6337f216e5e906fac5f3faef5bdad8302b117ee653eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3ca397c5ce33772d91b88ea5ae73e254

SHA1
1d75e67c1058ddbecde2d31f567aa79bd7b65ef4

SHA256
b6fde08d2da08eb08fa80d4b18607d2d83f6159334522cf6a3415fd169f11926

SHA512
64771b51ce2bc59ee183b3dd92c7692458ab4fc6050e89945eb09e599001f514558f6dc005a4d2af09db02f3bda717bdbbdaebfc129fec3487fe8c3c3839bc6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\2ed53c42-929c-43ce-ae12-38efd71118e0

Filesize
11KB

MD5
ffd64e2768d5ce8d9ceb46d533d26797

SHA1
89dd132ca737031f3260bc72577d6e7f798b17e2

SHA256
c309b353ef2ce4ba85bbe960662cdc97ba9173e87c15bc80274f17bfaac9ce5a

SHA512
62f36e94e88bca6fdf05bd61fa1009b9e7aeff2aa2a0bb1748a88c353c54c15b98cbcbc73ee2b5b2b29c8144674f764fe65938b8829cf958cb68765ce3b39191

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\6694c5a6-b4ae-4924-a381-948fcbfcdd66

Filesize
746B

MD5
a1b9b311f50be83f5ba51ab64d020af1

SHA1
7b102437124f3d3d4097e09f0f6a61010abfccd0

SHA256
27206d6b8a4a1ef5bfefc9394cc6ea45a62b56a0fc8a002b98b4ccaaabfe1369

SHA512
3762ae1929b68b0121962a4f96aa0f62cde30f03911878e49126596f8545cad84a89223efedeb2a6656d6ad3e3a0c5ad4afd34f7ab91df5143775bc05396f1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\extensions.json

Filesize
36KB

MD5
1aa68313884fec74ee725b3a8b15ced1

SHA1
d451f5695d55c4ae173cb5c2dc4ed9e4ed906434

SHA256
f727b4160ea7660512fc52e0cabaa5a7a605ea9ec5a3f8b543c0fd3a521929e8

SHA512
736723043df7d4f160933189851ea4b326aefaccaa8275e8f6eec6d1086f221f47607fb237b1a6e2dfa7ed3291f1754acaf2b162518d5e28fea1443e0d5ca7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
bae5d4dd853f43fda08fe2d495a7973a

SHA1
5fb74028f0d205af02b82a1352fb467e0ee699c2

SHA256
e3747227a543f27aa40a5b85b71320b2bf0e831241785c0ee3c98467b879e360

SHA512
e7ee4e87d451daf867b9b4994d0abff17c098863a3953556ad460c8d7ffbcff79de3c8a9e39bddb8fd92996cacd61965116b51d845e25ae7dacfd25766a78af6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
d8b4ebba68dddfefb4c04ffc23f71f88

SHA1
cb3c005618a1b14756a69846155ad39cd531cd64

SHA256
3658d327510b8d05f474af67189a4f3bf8ebcb5832e945bf3ad236c4ed8b6e88

SHA512
9198e9d5faa0d695ffdbce79ab01272abeb7fb106e26fdbf882c30ba6ed93396f8daedf391a28ec3b8dd59a4e44db351e66248884ce6323ef711563ea1b8ff1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
7KB

MD5
c46e7c07212110a5cd2b67474846f146

SHA1
eea408b9e7b793ec5dd8ecece46bc182c5b0fc34

SHA256
139e80004ef4274410dd22e594dd7ccd129a44cde3930ae7fcf189b371fb577d

SHA512
311c902f97ac877d3546e7391fc2a80ff6a9c1aa572ebb4e88adce3c8e7bdb7488d96584a215d16bd4d44a81d7b988a0addc18a014ff1ecd55d7a10575410c79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
9e0a16e4f8cd7d52f9874c43bde74e0a

SHA1
20f29dad2a90f10d171e711b38bb1cfbbcac719b

SHA256
a282e7efa0f1f37c611ef03f831bb73fe07c90aed65bbc1f8b4aeca293310553

SHA512
7e8ee64a6354409daaf60b841dc12aff37113947d1470211a9337c80fc75304bbf7fe7df8bdb4b2b575d6cc2bbb56f83c470d6a939cb0425e08ff386c3375ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
6KB

MD5
bbc5ddbc9ffb3646c1a422e97ca1a724

SHA1
f20589e8e734be0f6ed7a058b07acc945482faf4

SHA256
5d33e327614fd460dace1490cc0e583839984cf96bbc556f8844036311c6471b

SHA512
191c49d24ba02f8ced402d95da1124f7e73cfb0b738853f1dd89e80c8ee2daf3c7b60eec0474d8e5ccd7c364689f35e8386da50f4e0cfa0f94cea4674a38e075

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
7KB

MD5
588b7578fa2573fec9248466c204d2ef

SHA1
717c701b8d8fe5a2bf35f2713372694e300a430d

SHA256
9d2b692ac853899fa2712ceef99a1f326a709afdc5b6717f6276740dcec0f3e3

SHA512
249c4f7c55d6785897f0cc7a09b45a5dd6ab268e1900a19c288b882bec2c29c6a76389c48fef8edccb83d57cac3264a81e480a40518be30d4aecdcd9bc7083c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
7KB

MD5
42a81d340668fd4899fa7de8bde51d81

SHA1
7cc548e71fbd07149139e0b9533f46986f109215

SHA256
0a46b755cefde4aeb2848b84720c67ada70e8cf966009484d3bb0fa836c26885

SHA512
b3e589aba5db032de059941daba2be84abcb796d72fb77208d74b43b9642ce15d22e1ce92637903614a2d46c2e656ad3aab1fef2a1e6845c18b18e0c4fd06c1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d26e2ef23daf49bb4c0d63be065767be

SHA1
b1069f5d8f497c4d5208192f9ac0cd5332665131

SHA256
328b54a96e04e57d379a4d55d173bd4dc0fabf0b2161f7cea6c4195fe7ab9c0c

SHA512
fd2e324df4d35d4fa58ed6842d9579f4438327e61a26194a7a6cadde13483606241cff47c2adf4baa51e0a2cca876e2c6f0fd02a3bb066f9afbe955160efc65f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
8bf82f68a6da44346116c17eb4842d2a

SHA1
eb2b5c4daafa178d87ce142a2a58536a56da9490

SHA256
3dd79f7b618dd88623419e0303cf15bc6b52f0138cd8fb365992938f40e1f00f

SHA512
e6cc1d503d1ed095d48d4e8fd4cffceb486ebe38bd96206f71bcb231d03c94822f8fa3d816cc6c2c006c5c5011afb9e74e4b7a7e007466b29a1d6c19b294a67b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\targeting.snapshot.json

Filesize
3KB

MD5
1efd1e13d8d9ad03a667daf0495591fe

SHA1
d6163ee3371df04514b0b05d5fc815f812d10da8

SHA256
b89b73b7ecf9266dd1038c60fe9c691f8040c408bf9b2b356af5ec087e905611

SHA512
26fa44fe07aeff4fef2ad9d0a9ecdd8785da1fdbe8042d167a2f809c6919f06e48deb3182999e067db030f4f632bcbd74db4dac8aac040cb0fa881e9be4d06c0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\9b160445-e4d6-4baf-8747-d9541608ca02.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\settings.dat

Filesize
40B

MD5
57b6bb0ada7745d5581e45fdc4832dad

SHA1
a3edc725d9e52c4ef25184ba7f466c2ae9234b36

SHA256
5389f255c91d65c71dd52970a2a5bb1a53ebb2d56616fc930695939be7101969

SHA512
26241dda9df1bca9d95e3f2b98db15845ffd19b198313b74c6226d7e18db5c346363ea840b5fd24a65c1e57300df2bfb4c22b173741a13208590870863b06d06

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_0

Filesize
44KB

MD5
9518ec594b91b1fb6709ab5749a23949

SHA1
de76cd7acf7069815c14476a74322acf5dade01b

SHA256
1749c5ba2e8011bf72400e1baffef9a903c6f913a8f6b834e0e7b4014a28db64

SHA512
d63c7278eb4804988fb89637594f9b00a12ae0553d3eab019d4c976356e2b460bb6b4f75f6c5ee017b2cc68bbf97a088a19019bd5866815278da05f0f18b0a9b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_1

Filesize
264KB

MD5
4103ccb8b622abe8346b1ca9b8bc997f

SHA1
0b1895452eafea93328ecca593bcfe7dcd45d4e9

SHA256
edad50eb549010c467805b0d38ff7ed58aebe41bde4ee224b69dd94b46199bb8

SHA512
bf89dafd3d03e89c15bfe08af2d772372e97845ce0cd7b96f76b5540d71943210825e8334ed379825098692c54784f2268b31d6cb834a01cbcd78fce472df172

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
643B

MD5
45ab8f3a0a8b2a8209b828e5a08f2e41

SHA1
c4b5c8e4271334eb8e41777fe09aa1f1923c3bc4

SHA256
99c8d482b8ed7686b9506e4279ea59abf38bca3c2a75e5547a23aabcd3c5b5bb

SHA512
eeeb64751b7db95f073199faaf099f0f1d5f548cdba2f18c27758ecfe1ec9fadd3b616044ab015781f51b655477ab514ecbb89f2aa2562e2ac8e038e51b889a2

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
643B

MD5
51cccc9fbb5b2ad549092eb97dd2bb46

SHA1
05e6e59dea7d7153e4c0e24e89fb198bcbad7f1f

SHA256
2a025844e080bd1d25968446de1ba99356d45f6f47e73cc685ec8cafd67824ac

SHA512
c62d8ead4599be9dc26cc6a8bccdea730f98c10585b4da7d472e5ccc2b13a7f92175797f98fb4d4a2ce29da9740c192c3ce00712cd10f2fceb340c5057ed8a66

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
643B

MD5
0edb03c911129f0655bc3127a0a7b2b7

SHA1
e65a4cbfede51f4c37dce042a8eb9c45404003d6

SHA256
7e7333ccf731d75b979428bcc2ae7ed6ea5bdcc6db808dc850908a9ba631a409

SHA512
7336c7992658eb6169a23d9438c7ee7ef9c47b70d40e3a13e41ec089e37098148bb6819395baaf50bc61856b68e25fd3b529e079f62a96641dc4425d9707ae26

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
643B

MD5
6be64a6812e0032593e4d08c2ff72511

SHA1
6edc7f8c135dc8c91c5c583c72ebb47947d8d51e

SHA256
edf94ea54b25799d7d2a290dd96cc31cd899e96f582f7015c8fcc491158982f2

SHA512
2a3c9c3ee9d8e45f080e0bab1cdf2163d9851edbe657a496dbe5483e6f7fa1265cc342368f2f8728b6fb3d6eec204a66bde4241c4517800251c0a40e63862ac4

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
391B

MD5
5bbbe1c35ebcc6d1408f5c71316c80fe

SHA1
d00b8522eac8cb15cc058330c4766aa6eb2ee85f

SHA256
b75f31d456432dd90c8947e14904338a4f77b5ed57f45c4b628928c2639a67fa

SHA512
d714014467b3093f0baa3488af9be6a5c00023167050c83df2a0faa31d7426e4d1acbe44b2d3f2833b755c2a59ac81a91c0a1abb5185c925c9f1cf988090d278

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
300B

MD5
ad06532c49ff509856294618750ffa9f

SHA1
a4ec283fe84ab0d2e5949dd7a44620cfd4d99f42

SHA256
5ccb9937b81b09a75abf205022a8dddbcb2e08a03856826a4e7d52b9b82ec27d

SHA512
8355d204b9da22d9014504c4b9e92a616b679ddd19e0edc11f640bc907f43bf30acece59a68c8328ee0ebff95c150f62272cb7cb9e975b78c49c64823c60bfd0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
391B

MD5
2b4b89d77870b2b631440efc49e79f73

SHA1
7c7dfd240c2f096ce4ec1f17ca63c2da67b2c1a6

SHA256
b042906455514b65ba1626606abe741c4c4c0aec408bfc9da83994767d77bf40

SHA512
29aa1f17b300b7d556440c1fd54e56ff875a1be62b196407a643b0523eb278a29e2cf87659c5764cc3262e425bf8493e9d77efc53b6dfeacecb9a77c77b69ab5

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
391B

MD5
04476d01a62c11ef2b86401607c81ed9

SHA1
b311a5c4f271f540301e6d5d6a7b9fe7ff73e614

SHA256
6e0b64a84dcce56bedb4a90c6d45879de1653db9e5f07f3b27ea5022a9fc92c3

SHA512
415ae49e3cda722ea66ce9d009c35dd2b85cc9a83675fc1e76bcad0c7e0cc68544d64410c3eef77b4cf0565a93455f85473c550352b3a0dc9ddcd1c5b7c3d4e4

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
76a403516cf63ea78828252efd6182dc

SHA1
5ca3d3d619f158562f89d7e0e047797b2af5b892

SHA256
52448b4cda31a3387209a0cdb6fd66e31aa951a64c05f8275e24a0389883e71d

SHA512
948d06889b81170832052d909661b82ced88aa216203f9f81aa7b78f637111ca1182e03d9cc77c123298173aad2c46d263d16847c42001528efba918adc41347

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
f2be78c753431186f0fed7a7bc50f877

SHA1
cac284bfb85c5c9284ada6bfb3947f04a51e045d

SHA256
040f7880bd96f43cdae202874c5b5d0a7218b5fcd53d419d5e7acbc2b1bb58c7

SHA512
c81b118f0bcf3cea2c9b5ac76bbabdc2e80a30f951dcf36708366d1fde2fb6d686aba5d290414ddc720a755e7f4ec2d34fbe4e6fd9736ed25dc77fe17267da39

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
186B

MD5
2be0e7424c3d24c1264b2be383c987df

SHA1
f00e675c04232273894c056c973898ff31e7416b

SHA256
4eb35a78d715d37dd91d88525cc1aae4d6f522e433eab2fc9f86d224badfa65e

SHA512
9ac5bc21c845214341ad75b7163e7ac87e9b2d070b39fbfe014fc51da76dcbef695798d47eb441f4cdc0dfb5e83e95c3698313bbdaf7084565da12f901710b66

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

Filesize
13.7MB

MD5
17c227679ab0ed29eae2192843b1802f

SHA1
cc78820a5be29fd58da8ef97f756b5331db3c13e

SHA256
d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

SHA512
7e33288afd65948a5752323441c42fcc437d7c12d1eaf7a9b6ae1995784d0771e15637f23cc6bc958e40ea870414543d67a27b4c20331fde93d5b6dc6a59cbaf

Download Submit
C:\Users\Admin\Desktop\InitializeSuspend.odp

Filesize
435KB

MD5
0d6796e4012c395f4990a53d9501f984

SHA1
cc7f03246baea0ee207ea99841233bbe336e82f7

SHA256
b095c0f63df37b1f1dd5cd719469846e018cee1be6474843dc331974c4e0e7eb

SHA512
34d40f2d9b06d3184b7d311d20eb5003f42f193b9b26c591308bb4a692f6743e782e3a623c1230d55886958fa3f30d0e0e67177ef7d091aac97c264fd04f4923

Download Submit
C:\Users\Admin\Desktop\PublishEdit.emz

Filesize
1.7MB

MD5
1e4bc80e97821f681078be6c6a1a693f

SHA1
1776de23d313e05f5b75ef522e7c3817b455a5db

SHA256
0aa06149b84aff7a13d5557760961e50dbfbb917fa3861502573d7e2155ff0a0

SHA512
ddd2089400bd17b366454a3d0ae672d0ef0168b4c47f258df00b2554d4eb9ebcb3c45a3f94748a94a4210d961c9298011f62146215bb14514c5472439ca720c3

Download Submit
C:\Users\Admin\Desktop\RegisterFormat.wmv

Filesize
913KB

MD5
30bb8d637d745e87495eaebe7e848a54

SHA1
d8e791a014fdd51ba40af25fd7a9b5b42197d123

SHA256
f208f1140a9b55977fd986d06d7d9a092779424caf39d8f4203faac5becdfe5c

SHA512
7ef2cc1e834728308241499ab3ed033b393b9000bba9da95fc422d9940387da03dad7246401e98e7bbffc3fe23e768883f08a1bc660723fa956be0bd3567c84f

Download Submit
C:\Users\Admin\Desktop\RegisterRestart.mpeg

Filesize
1.0MB

MD5
301f0f398c02e11fc6d32c8611b2b401

SHA1
818792866aca1d83e5d31e1433f96162a58eca6c

SHA256
834dbfc220f81d8da5ae1f5ecfd15ac45303ff01931a11729236631eff10ee18

SHA512
9c4b343afe738993a71527fd4d1ed83c85c6055ee5e3a9cf7ef1817baef1a1d2fbce2ef2ba407847ed9a2270b66ddf5d278cb26ceba08946a66672ae83cef3b1

Download Submit
C:\Users\Admin\Desktop\RequestSubmit.wma

Filesize
1.1MB

MD5
885b9340a68d99034f800ef0a0442d38

SHA1
067a8f89473d6fcbb4b3444999705634e8c9a0ad

SHA256
465260ea3281aa8086a2a9920b302c4336a2d658b3f0e761694c9f8228839d28

SHA512
b330e64baffd4aa8cd214533ba36cfb02f4e14e980b22eeba6950036a39d03cb91f094e26ec0cd46bb437f76d973e6792ae396a3ff5666b1b96634d477923688

Download Submit
C:\Users\Admin\Desktop\SelectExpand.ppt

Filesize
1.2MB

MD5
52e972514a4703b83be1ad2167958f15

SHA1
5e119a5b9f902cf1a7bf7d513c82319c42e6b2b2

SHA256
38f1daae079957ae2469a97ea45084dbd1be51ad9b6fa15c961da725ee0f8b53

SHA512
026ee9cca1f5b276b75587193ba34627200e65d7ef85ed26eff2fdd6224b36b8e40da6c6a4fd84367eccf4d75baac34923d37569752a3230897e8ebd66927aa8

Download Submit
C:\Users\Admin\Desktop\UninstallConvertTo.xla

Filesize
783KB

MD5
4d6e318861dc112207bddeee0f64a28b

SHA1
4a1d8477697daf6e6520783d6c5454f9e9a9cebd

SHA256
81d5abeb264365c3c993e58221dc9e99fce3da670dbd2954039e3802b64d68f6

SHA512
af5240ab8bd5a71492bd260f70018d3f96357e46c17e8a77b05a2a28d77be07e350284c04c9db0f63471cf1da1b7acfd348caf60776f2a5cdb3bd35622763f62

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
4976656c16006813871ecbdba12abbae

SHA1
6211e11fcb29a2f2828bf4f5f7138db8c9862042

SHA256
5056cced2460b6ce4939b26955bc8a61b47e6d86b1a0de5bb2ac29d5633d99a5

SHA512
cb7855f68c52d9ada8bb7f84214b86e649538bccf5a1dc7146f8b9f7b4bf95de3e77363dfb89e8dba877f64bed9d9769692ea1211f967a1691eff3760a9cf5a2

Download Submit
C:\Windows\Installer\MSI501D.tmp

Filesize
418KB

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI6A42.tmp

Filesize
148KB

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico

Filesize
340KB

MD5
d07cea5fbf17f2ffa4fdcb38e395dbaf

SHA1
c0218a4f53428d71f19f1121b8532b3fe0d178b9

SHA256
c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e

SHA512
98ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9146\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
memory/452-581-0x000002775FC20000-0x000002775FC30000-memory.dmp

Filesize
64KB

Download
memory/452-565-0x000002775FB20000-0x000002775FB30000-memory.dmp

Filesize
64KB

Download
memory/452-600-0x000002775EDE0000-0x000002775EDE2000-memory.dmp

Filesize
8KB

Download
memory/1388-633-0x0000018B27E00000-0x0000018B27F00000-memory.dmp

Filesize
1024KB

Download
memory/1388-670-0x0000018B28300000-0x0000018B28400000-memory.dmp

Filesize
1024KB

Download
memory/1388-693-0x0000018B28500000-0x0000018B28600000-memory.dmp

Filesize
1024KB

Download
memory/1388-671-0x0000018B28400000-0x0000018B28500000-memory.dmp

Filesize
1024KB

Download
memory/1388-674-0x0000018B28400000-0x0000018B28500000-memory.dmp

Filesize
1024KB

Download
memory/1388-691-0x0000018B28400000-0x0000018B28500000-memory.dmp

Filesize
1024KB

Download
memory/1388-692-0x0000018B28500000-0x0000018B28600000-memory.dmp

Filesize
1024KB

Download
memory/1388-632-0x0000018B27E00000-0x0000018B27F00000-memory.dmp

Filesize
1024KB

Download
memory/1388-694-0x0000018B28500000-0x0000018B28600000-memory.dmp

Filesize
1024KB

Download
memory/2972-251-0x0000000007F70000-0x0000000007FA8000-memory.dmp

Filesize
224KB

Download
memory/2972-250-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

Filesize
32KB

Download
memory/2972-226-0x0000000000FF0000-0x0000000001166000-memory.dmp

Filesize
1.5MB

Download
memory/2972-5152-0x0000000001650000-0x000000000165E000-memory.dmp

Filesize
56KB

Download
memory/4344-473-0x0000000004B50000-0x0000000004B70000-memory.dmp

Filesize
128KB

Download