hxxp://arc[.]net

Resubmissions

18-05-2024 23:38

240518-3m5aeaed2w 4

18-05-2024 23:38

18-05-2024 23:35

18-05-2024 23:35

18-05-2024 23:33

18-05-2024 23:09

18-05-2024 23:08

Analysis

max time kernel
1433s
max time network
1413s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://arc.net

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 6988 created 748 6988 taskmgr.exe ArcInstaller.exe
PID 6988 created 748 6988 taskmgr.exe ArcInstaller.exe
Downloads MZ/PE file

description	pid	process	target process
PID 6988 created 748	6988	taskmgr.exe	ArcInstaller.exe
PID 6988 created 748	6988	taskmgr.exe	ArcInstaller.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 15 IoCs

Processes:

ArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exe

pid	process
2196	ArcInstaller.exe
4520	ArcInstaller.exe
4424	ArcInstaller.exe
2508	ArcInstaller.exe
4092	ArcInstaller.exe
2492	ArcInstaller.exe
5224	ArcInstaller.exe
2128	ArcInstaller.exe
5656	ArcInstaller.exe
4196	ArcInstaller.exe
4864	ArcInstaller.exe
748	ArcInstaller.exe
5868	ArcInstaller.exe
8172	ArcInstaller.exe
6296	ArcInstaller.exe

Enumerates connected drives 3 TTPs 51 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SearchIndexer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe

Drops file in System32 directory 3 IoCs

Processes:

mmc.exemmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services.msc	mmc.exe
File opened for modification	C:\Windows\system32\services.msc	mmc.exe
File opened for modification	C:\Windows\system32\services.msc	mmc.exe

Drops file in Windows directory 5 IoCs

Processes:

UserOOBEBroker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\en	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0021	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\en-US	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\InstallFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\000E	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Security	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\en-US	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\en	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\en	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\en-US	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0100	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Address	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0005	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\en	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en-US	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0010	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UINumberDescFormat	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\en-US	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	explorer.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exeWinword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exeSearchHost.exeSearchHost.exemsedge.exeSearchHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 7 IoCs

evasion

Processes:

ArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Colors	ArcInstaller.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchHost.exeSearchHost.exeexplorer.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ce7282779a9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e25f002779a9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f643a72779a9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6a78a2779a9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fe41a2479a9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Modifies registry class 64 IoCs

Processes:

AppInstaller.exemsedge.exeSearchHost.exeSearchHost.exeexplorer.exeSearchHost.exeexplorer.exeOpenWith.exeStartMenuExperienceHost.exeOpenWith.exemsedge.exefirefox.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1078"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1078"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15261"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11026"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9877"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39020000000000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1230210488-3096403634-4129516247-1000\{52AEFE47-C9D6-4FB9-A76A-ADC6EE40657A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8223"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "15404"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5507"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1045"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8223"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11026"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13250"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11026"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8223"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1641"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1078"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15404"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133586187385918919"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "16276"	SearchHost.exe

NTFS ADS 6 IoCs

Processes:

msedge.exefirefox.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Arc (1).appinstaller:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\Arc.x64.msix:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\SigmaOS.dmg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 336171.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ArcInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Arc.appinstaller:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

explorer.exeWinword.exevlc.exe

pid process

5540 explorer.exe
2440 Winword.exe
2440 Winword.exe
6228 vlc.exe

pid	process
5540	explorer.exe
2440	Winword.exe
2440	Winword.exe
6228	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exesdiagnhost.exesdiagnhost.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exetaskmgr.exe

pid	process
3608	msedge.exe
3608	msedge.exe
396	msedge.exe
396	msedge.exe
3616	identity_helper.exe
3616	identity_helper.exe
2736	msedge.exe
2736	msedge.exe
4064	msedge.exe
4064	msedge.exe
5980	msedge.exe
5980	msedge.exe
5980	msedge.exe
5980	msedge.exe
5800	sdiagnhost.exe
5800	sdiagnhost.exe
3944	sdiagnhost.exe
3944	sdiagnhost.exe
5708	msedge.exe
5708	msedge.exe
1860	msedge.exe
1860	msedge.exe
5636	msedge.exe
5636	msedge.exe
6320	msedge.exe
6320	msedge.exe
6816	msedge.exe
6816	msedge.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

Processes:

msdt.exemsdt.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exevlc.exetaskmgr.exeexplorer.exe

pid process

5880 msdt.exe
452 msdt.exe
2388 OpenWith.exe
4376 OpenWith.exe
5208 OpenWith.exe
6964 OpenWith.exe
6228 vlc.exe
6988 taskmgr.exe
4608 explorer.exe

pid	process
5880	msdt.exe
452	msdt.exe
2388	OpenWith.exe
4376	OpenWith.exe
5208	OpenWith.exe
6964	OpenWith.exe
6228	vlc.exe
6988	taskmgr.exe
4608	explorer.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4932
2332
6876
6156
4488
3616
1220
5176
3748
3544
7988
3104
644
4416
5352
4008
2056
6024
2504
3276
4788
4036
5004
5252
6616
6824
6828
6952
6248
6588
2284
5204
2872
6324
2344
4356
7124
5416
1060
7200
7192
7196
7216
2244
4984
1684
1200
7812
7784
7824
7852
7804
7636
5440
1100
3148
8144
8132
4164
1492
5280
8036
8020
7692

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exe

pid	process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

mmc.exe

pid process

2632 mmc.exe

pid	process
2632	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ArcInstaller.execontrol.exesdiagnhost.exeSearchIndexer.exesdiagnhost.exeArcInstaller.exeArcInstaller.exeArcInstaller.exesvchost.exefirefox.exeArcInstaller.exemmc.exemmc.exetaskmgr.exeArcInstaller.exemmc.exeArcInstaller.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2196	ArcInstaller.exe
Token: SeShutdownPrivilege	3404	control.exe
Token: SeCreatePagefilePrivilege	3404	control.exe
Token: SeDebugPrivilege	5800	sdiagnhost.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: SeBackupPrivilege	5800	sdiagnhost.exe
Token: SeDebugPrivilege	3944	sdiagnhost.exe
Token: SeDebugPrivilege	4424	ArcInstaller.exe
Token: SeDebugPrivilege	4092	ArcInstaller.exe
Token: SeDebugPrivilege	2492	ArcInstaller.exe
Token: SeBackupPrivilege	424	svchost.exe
Token: SeRestorePrivilege	424	svchost.exe
Token: SeSecurityPrivilege	424	svchost.exe
Token: SeTakeOwnershipPrivilege	424	svchost.exe
Token: 35	424	svchost.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	748	ArcInstaller.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: 33	6240	mmc.exe
Token: SeIncBasePriorityPrivilege	6240	mmc.exe
Token: 33	6240	mmc.exe
Token: SeIncBasePriorityPrivilege	6240	mmc.exe
Token: 33	2632	mmc.exe
Token: SeIncBasePriorityPrivilege	2632	mmc.exe
Token: 33	2632	mmc.exe
Token: SeIncBasePriorityPrivilege	2632	mmc.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	6988	taskmgr.exe
Token: SeSystemProfilePrivilege	6988	taskmgr.exe
Token: SeCreateGlobalPrivilege	6988	taskmgr.exe
Token: SeDebugPrivilege	5868	ArcInstaller.exe
Token: 33	5248	mmc.exe
Token: SeIncBasePriorityPrivilege	5248	mmc.exe
Token: 33	5248	mmc.exe
Token: SeIncBasePriorityPrivilege	5248	mmc.exe
Token: SeDebugPrivilege	5328	firefox.exe
Token: SeDebugPrivilege	6296	ArcInstaller.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	4608	explorer.exe
Token: SeCreatePagefilePrivilege	4608	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeexplorer.exemsdt.exemsdt.exe

pid	process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
5540	explorer.exe
5540	explorer.exe
5880	msdt.exe
452	msdt.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exefirefox.exevlc.exetaskmgr.exe

pid	process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
5328	firefox.exe
5328	firefox.exe
5328	firefox.exe
5328	firefox.exe
5328	firefox.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
5328	firefox.exe
5328	firefox.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6228	vlc.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe
6988	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

MiniSearchHost.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeArcInstaller.exeAppInstaller.exeAppInstaller.exeOpenWith.exeWinword.exeOpenWith.exe

pid	process
4856	MiniSearchHost.exe
2196	ArcInstaller.exe
4424	ArcInstaller.exe
4092	ArcInstaller.exe
2492	ArcInstaller.exe
3372	AppInstaller.exe
2300	AppInstaller.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2388	OpenWith.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
2440	Winword.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 396 wrote to memory of 4480	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4480	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 4752	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 3608	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 3608	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe
PID 396 wrote to memory of 2088	396	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://arc.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1f0d3cb8,0x7ffd1f0d3cc8,0x7ffd1f0d3cd8
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5872 /prefetch:8
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:4224

C:\Users\Admin\Downloads\ArcInstaller.exe
"C:\Users\Admin\Downloads\ArcInstaller.exe"
2⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3972 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
2⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7096 /prefetch:8
2⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6988 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
2⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
2⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:6184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
2⤵
PID:6716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
2⤵
PID:6724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
2⤵
PID:7124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
2⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
2⤵
PID:6664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6756 /prefetch:8
2⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:6472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
2⤵
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,14976723307881975769,10354859255127058799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:5540

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.IndexingOptions
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll
2⤵
PID:2460

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5436

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -id SearchDiagnostic
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5880

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5csukvim\5csukvim.cmdline"
2⤵
PID:5520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FBC.tmp" "c:\Users\Admin\AppData\Local\Temp\5csukvim\CSCDD5FDF7CE5A547A7935B821A7EF341C2.TMP"
3⤵
PID:5652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4104

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 2652 2648 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
2⤵
- Modifies data under HKEY_USERS
PID:4796

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 1496 1484 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
2⤵
- Modifies data under HKEY_USERS
PID:3372

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
PID:1932

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
PID:5184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3180

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\ArcInstaller.exe" ContextMenu
1⤵
PID:2060

C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWD5EA.xml /skip TRUE
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:452

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\ArcInstaller.exe"
3⤵
PID:4644

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
4⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\ArcInstaller.exe"
3⤵
PID:5912

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
4⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\ArcInstaller.exe"
3⤵
PID:3060

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
4⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\ArcInstaller.exe"
3⤵
PID:1216

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
4⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3xndica\n3xndica.cmdline"
2⤵
PID:5732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD87A.tmp" "c:\Users\Admin\AppData\Local\Temp\n3xndica\CSCD636289135D6442B9B1A65F1F55747D5.TMP"
3⤵
PID:4628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nd4es15y\nd4es15y.cmdline"
2⤵
PID:6012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD936.tmp" "c:\Users\Admin\AppData\Local\Temp\nd4es15y\CSC892BFDB93DED4CD48A606B938317F45A.TMP"
3⤵
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5nxatabo\5nxatabo.cmdline"
2⤵
PID:1912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE47.tmp" "c:\Users\Admin\AppData\Local\Temp\5nxatabo\CSCB2E3200FEF854DDE989C6AF092181A47.TMP"
3⤵
PID:5564

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1772

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2756

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:5224

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:5656

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:4196

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Arc.appinstaller"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Arc.appinstaller"
2⤵
PID:4852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Arc.appinstaller
3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.0.829243537\1531369904" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3094249-8124-4981-9ef4-631d588d83d6} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 1524 2a3704f4e58 gpu
4⤵
PID:1864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.1.94844845\1760717807" -parentBuildID 20230214051806 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ea914c-aff5-432e-aba1-f447614ae8b1} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 2392 2a364788d58 socket
4⤵
PID:4684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.2.1995182042\1921510398" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 23028 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b343cc10-3e52-4f11-a5cc-7c21543e232b} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 2944 2a37434c258 tab
4⤵
PID:2888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.3.1839150130\779929322" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f0d733-029c-4cc2-8cb3-538cbaaf5354} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 3660 2a37711d258 tab
4⤵
PID:5756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.4.990250196\393935876" -childID 3 -isForBrowser -prefsHandle 5196 -prefMapHandle 5176 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcbd56d3-55aa-47a5-b854-4963ddf28311} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 5208 2a379218558 tab
4⤵
PID:5480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.5.1984275501\1251245109" -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79a4db09-db2f-49d1-8f80-7e4e845f798a} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 5328 2a379215858 tab
4⤵
PID:5520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.6.1401875763\1838673675" -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc44e2c3-8b23-483f-b543-2f5786332947} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 5564 2a379216d58 tab
4⤵
PID:1176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.7.1810977479\136653620" -childID 6 -isForBrowser -prefsHandle 3572 -prefMapHandle 3580 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c64401-9a4f-4aba-959e-748d52114299} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 3784 2a364740358 tab
4⤵
PID:236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.8.1689784508\1517480426" -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed855857-43e4-4521-87ad-13f63665ea08} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 5928 2a375bb2858 tab
4⤵
PID:332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5328.9.963850937\1018989113" -childID 8 -isForBrowser -prefsHandle 7040 -prefMapHandle 4332 -prefsLen 31326 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d863b9-ce00-410f-8904-425ea8e6cd91} 5328 "\\.\pipe\gecko-crash-server-pipe.5328" 5868 2a373f97958 tab
4⤵
PID:5668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Arc.4rNqQtBL.x64.msix.part"
2⤵
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Arc.4rNqQtBL.x64.msix.part
3⤵
- Checks processor information in registry
PID:4496

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:6528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\SigmaOS.dmg"
2⤵
PID:7052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\SigmaOS.dmg
3⤵
- Checks processor information in registry
PID:4352

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\Downloads\SigmaOS.dmg
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:6228

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6240

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\15ac124268cf4a72a9e7bc05ddcd91e1 /t 6252 /p 2632
1⤵
PID:6884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6988

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c36cd689e4fb4d579bd504d751e821a1 /t 1444 /p 748
1⤵
PID:6628

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5248

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4f0d057da4a741eb825451e209a59286 /t 2368 /p 5248
1⤵
PID:2912

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:6428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:1500

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:6964

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
PID:8172

C:\Users\Admin\Desktop\ArcInstaller.exe
"C:\Users\Admin\Desktop\ArcInstaller.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:6296

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5472

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:7504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:7500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
PID:7944

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5240

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5600

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4056

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3232

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_FBCEF2048DFCB4EE55D00BA204530C64
Filesize
1KB

MD5
d031b4b1200ddd0c1b04fc98f9dd35d8

SHA1
33449303b6cfb353f5a1c95eb33921180b2b44b5

SHA256
77828b4497c2fa24db5dd8510bfde049ed0661454864dc78429e8db1f9265356

SHA512
5ef5a6a14edadf1d4639804c16c98e42e4f3dd7cb477fb3bb97c61a3ced987d9eff1329f53c47279cda9e90e7be1948c2cff7f8c16fae3a2e45dd27b80adbefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
1KB

MD5
fd57dc83774eae03d6417f502bbbd541

SHA1
a138dca1d0794bb72ed7abf1a609c7cac7ea57ce

SHA256
077432b79a6fbb63bdbc46bfed9ea4ee4d53458b3221cf1d621f62426239ba93

SHA512
2f10cbee8cc6edeb2c94a188aba75b0c7398489abc4223eb68a81943c969db7584d21f4c55003e309fb31ec50ebaf494c7e75873c5535fecace6bbc711e2ee3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_FBCEF2048DFCB4EE55D00BA204530C64
Filesize
536B

MD5
59c45434815c3e9be8700dd35688bf53

SHA1
425f85dd9fea8332fd07191581b7317664ea8a68

SHA256
43295e1d4a521e080152e7b5ce6a56e85ef5077e591d05eff419dea0ec75e1c9

SHA512
54c7c73a69bc1176151f1e7755c4fa549c082518985c310418d2ae9bc593bd49a7669ce772f590b8a90af7edc8fe90de04acac62607524f6bcbab4caf1b422ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
536B

MD5
f4bb876a622e520f16ecfc7f6387d757

SHA1
8a703745626720d7bd1062378bad1f5c07378225

SHA256
63ec4487d11bc9496fd9e76ce1086395281d2cb3915f44ec3749a7477aa8cd99

SHA512
a97bdf429f57dbf2768fb81027f91fe16d1460129e730a6a64bbae134c7ceed2a0e592c1f96b6e43f31aab608e68d7ad60bfa9367450da401dc981a24810a584

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\352735614\2024051823.000\ResultReport.xml
Filesize
7KB

MD5
0377af9c9364713b6681c7688dc1fd8a

SHA1
88677121165a63eb7c5bacf97095c39f82c6d464

SHA256
36ab039dd0412ad5b6fd6aa8ec3238b42ca71b1ffd1fda088d4632bca74305d7

SHA512
d3621cf0e6409e4b0207203f8f3ca3c28ead80251a31c8717f27f2bd67550e3b31c40e29ade2c81f1a6246a669bbf462b768679c7c69d69b32887d0d0bb3a13c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\352735614\2024051823.000\SearchDiagnostic.debugreport.xml
Filesize
22KB

MD5
4ce5cfeed9a55ee251c35d6a56c91386

SHA1
5db206f28703108e08b0ed6a922efe0477b071c9

SHA256
1e7bbd2e0032b106d612b7c53fb7ab4567e3329d6622c5bd564e85ad43c55db7

SHA512
ab237e1f319de77fdd8d954feff383d943cdcc46647f8284171597fcb8cbe215191bb9945a60e3496d1f720c2e80d719f80fa1da474ba04a6f8f9b0216571cef

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\352735614\2024051823.000\results.xsl
Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024051823.000\PCW.debugreport.xml
Filesize
3KB

MD5
60c101efcec45e0b2c79654bdbd1303c

SHA1
1df527d102f89d8db0a052d099c898701eca3a23

SHA256
2cdfc307214469102fbab67021c74d86ea30cefa251f40dedfcec48d9f9d15da

SHA512
a822674cd48288665473d02a009c2bd36bdb5cd6e976e74c55a881b96d48f0476a812967e124ae4f45cbff0fd66783b11e5ff08db2a135b5ac4a64fa4779585b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log
Filesize
5KB

MD5
30bf69e8b737b6826c20e8b6c8023d6c

SHA1
149860beea18718440eb8be683d96d2eb9fbec15

SHA256
7799e57c34a86fe0ce250adb37d6667dd33badc857d68beaba44f8bbeed402cf

SHA512
9ecb4d5ab9c1b43c2a5f1c8c4eb26ee19eae916640600c814287a48344767c843386b50b73a76edaecaf43ae1f42f982d3723524e6312041710a2eea1b39152e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067
Filesize
20.6MB

MD5
96ff357f6b6e025c4fa822c6f3b86682

SHA1
5c365415423ab246aa97e05455d40480bdf432f7

SHA256
fa390bc97fae584ed6dbbf323c7d1eed0ee6f9094fd6107d203f3de1554415a8

SHA512
a0afab692fa902e8a190e5c90685f2bd1efec202873538ebebe21ce1d6257f61c571197bf36efbd2f7bd83e1ebabbe4c6cfc1dc162e6b72084087918b9672c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
c8b1ff13cdef1715c2b91a1e4ddd3723

SHA1
f087bbbf59fd052f9f9449a319280fa1331b27b7

SHA256
2cb8d53433c3f333ba770864b10390da58485558eab7d25f4d90cffad98e9006

SHA512
93cefd69065957d75b75e462cde86c71b7b75011d8c08c427412ee7018814cd312325e09e9e3ee2d2af9e57f74a1f307ea668461d92fea24809cd530aa3d82d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
ad42e546e526ded7540fe10743f319cb

SHA1
600e3faf44fad6ada5b48e3581b296ceed0e5f96

SHA256
8341d3a5b363f3545b465419c317ed45d2577fc3f7062539b3dce265ca70e357

SHA512
5f95c8309e00ef70478e81b7a88654f30a8f6ff52ff53bfff40107f8d6295b48af5230d47773481562112aeff7b2abfdbdb3883c477b2287caf48eb4a1d8358a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
744B

MD5
4b3b44e105e7b28ea134b8d1894363a0

SHA1
62b91e7d307d1172af8ab5c52e15be5de99bcafa

SHA256
005d26a736d237396899148e2ac419f3cb19aef980b256ee4919925e32a4c0c6

SHA512
53ffd0b00f47df53a922f3f2a8c43541e0a13c4ef953e6493b9199dc09f8e52f82042d973a2695a03ee089aa2597867c747f7595b361ceee15720558fa5513f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
719204b5574a40a20128113f9a56cb3c

SHA1
1b51c70f7abdefed7811d433b2458610a99d06d2

SHA256
9f8699cd2b7af938a5849d1c29aa0c39a0feb4a70c6e2dba27b92b83ff945f40

SHA512
10d2d5ff3345f3cad39782377d3cfa081be1a8397c9f01731c8d612c795cfc4bcf2a2701d17b57217db1033f56cf59327351d13da6b403fc85bf531c3eec0027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
7f9d82b1bc3bb100354787bbaf372aa1

SHA1
50381d435ddac2d1e158f5557651c308fb7e72d2

SHA256
41d9c582fba4167554473cda418843538613ea20604fa9f2e67886d5efad59e1

SHA512
8c5639b282a8afad28b213c552cb5838824cd9e81689bf1d45f6acc3fabc70f4215648ac34635146c9b78838beef383c6434bbf962d134f550924e655dbfa97b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
e04a7b2549354889ee55d7f3b0a2a0b8

SHA1
f480f9c1e90c20bd27d58fd1d1a8a5a5f6585ecf

SHA256
f0e3f7c323b65f5533fd021e0f0d8c557c64db354ed7aa3730fb0ffedc5c82b0

SHA512
7c377cf5dd446e1283b855a6523994cf055622d7998df22d98688d2a09c2375c20ad4b51baac12f796a70278f26a6b18d261062f58fdfa6c391d5327271c4cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
fd672ec35a6dca754f39ab6524224398

SHA1
a3150824a789e8da9d9311f98e6f6f265f897a86

SHA256
5e33abde3158bd93c3c3fe8a99ffcd736b21b0109afe0f1d927bb29d4c25f1a3

SHA512
d9959f77bdc2afea22669252da51b0568d7d8ba368f40fc8fa8d4f304c6179b5f6fdac5d93e5fc943f7b5d0b1f6fccfba46b7ea8752afb5fc9d0537235750902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
853B

MD5
dc92a005e982781b7c66f8db3b40ce01

SHA1
5886e01eb87cbb53e73160353836d8b213002996

SHA256
27d148ef916f0a380e20f43dcefd591a98c15b382ca15223f95b505b87034b17

SHA512
08493e3211c8ded9ea0a81cb6d7b4ecd2be99c38746d4a56e928104533a64e829aef6403ca1aaad9ceef948ce4ecb9b4f0bc612ef5826815baca9bbc999ab7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
175B

MD5
32decc01d47603f2f3c10d947a7d2e0e

SHA1
6cdb26fc64e1fde0ae0dba0148c515b8c0940766

SHA256
965ca00b20dbe582a2cae2b3d445d4dcae032aada222ff632cc32aadadd21db9

SHA512
0c439113b5a7ba8b594db36a7968ffdb2152f0dc7bfcbb9c810358700ab58142e87cc0ab1bb7e696a8a78adeaa2b4cef7386ee39e892adf9e7df107e9a74cbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
49a71194897122782ee9668591b14bae

SHA1
8db3719a31a485aa66823ba31fb664dcf7b83766

SHA256
457753245632355d0f128ee377c0eeaf93c61a7b75b433a3e8b08137beec13e3

SHA512
77d0a6f5051b3c5f2369ec24820a1aaaa9d7d60aa7d59f41b2e30e460fb1e53515c36f1b9ff288f3d0b2d703c6cc4964eeb6e3dbd59bbbbb9430544b6cc01ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
afa2e856c4d92c8a1042e8c1b17c089e

SHA1
51cf7a5a0b1725da4dd65b7a7d74211076623de2

SHA256
0ba8fdbb772a9a2901c66ad18e22dca8bd4e02e5633a3bd7ef4e2ecb4f5b1464

SHA512
4ba4d2dd6917bfca49763b905117639ce9043033f58890d0b016d28facb686d899fad299fce9271a48d89282071e64553df21d3ac74c512276ec69c45781357e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
50c49db45bdd5709f37e7a608c8d05e3

SHA1
2489399d5eff4c0f20d27ef79314f98072ab2188

SHA256
ce174f3df175f7cf8bb95ba0b8d8416acb2de199b5f3491df469828f6c74bcdb

SHA512
bcb750cbc2ddcf1782cc2493e8a9871a252d408206b703a4b616bb6ef80618e59c3aa2e63f643f7c5a3b825599556fc6752e2b41cd1589048e9a61912c70f484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0df26387f6237f7745e808ab6cfad448

SHA1
0e10697326f00bd214c4ba6e3eb45b1f8f149a54

SHA256
4e7434488ee94f13f1aa0c81270e0dc27594e12465dbad295058d43215f2accb

SHA512
9dc76475437d8cd8c78d90e5c586b6f64caad85c2dbcf17f437c91be472527ba69b19ad3728e98c3afb89331f6b9d91595066f22e88c6c69923f79713b90a50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
efdafa7ba3f5cae0be5ae2098bad1e46

SHA1
92b0afee81250cee598b74cb345d33311cf29467

SHA256
d980dee7308f78242494e546f5bf285f70175dc7f143c9429d3808b471f7b6c4

SHA512
91360cd8b386ddccb63a0c047122bf0074b1ce1c1f43cb21e55a66124133538bbae41ee04db5effc75a322c33fde3c00600370b5425a3c5cec90e8c35485298b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d0d0ddf04c6ab6ce66720ea0626aa04b

SHA1
e84cf5841c5ec014a0eed868523b61654843c6bc

SHA256
b892667223681525af96924845e8178fd40d3e1355cdff0e9c6e0a54c4bcb4f6

SHA512
8a3a0717d0cb508ef543af150af9766b5f931595723a58ae554104f97f3b55cca3b8c9551af6382aa97701949c94c87d0cfc2b2aca0d8f281d7eb9f83986ddc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
baf8a7e71966479d9b98e445aa077bc1

SHA1
b68fe3f1d81585fe336f98fc773f622d22f50402

SHA256
72abca36db7fb3409548322b0f27694b32938f426e2fff35aaef774e8357f4c1

SHA512
db518791bf0676cb5f1914c097b2cee918034bb001ae576aac8b2d7a8c2d28bb97bbb686f50f64d4dc89f0332c77de53d8ee955924a36a575e3a33cde172e647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
20c9fa7648b77dedae1b63fd1557769d

SHA1
991517048c1118623ab0724d2cc484f011d050d6

SHA256
0e85e7f33bc0648d3356e0c4b6a01b33713592cf38e9c835908653423a2dad44

SHA512
b6093249f2c6503966823f5b36248a5f9997ce2e85d1c48da64cc6aa892cec82489cfa7005a1de1fb9869cb5b1472d44543c72e80efe5c8d1b8792c8699512c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
689c469d64f801e8eea1579fc2ac6fe9

SHA1
d1fa1d56e9dba201c1ca1a523eae98b66ebb9be4

SHA256
5412cf406e69996f7c4c4660171dbbf73f53090f75c3ed06c91b73d7e58cdd99

SHA512
1287466ac559e85892746537fa0ea73f57a949e2cf3376f130925a50f58537f12ebe270e02b078371346bdea7b353517259aae88058e1eb524aba21ffb905f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f3f44cbadbad070791c9626f2ff7f135

SHA1
04657472f3dab7053ace4ed11df9e5882dd7efbc

SHA256
d8de7526d7a325940b754c9a888f29c08f67c370f5cd0a2f5b0cea9388055fb1

SHA512
ca688e0a01bdae50fde65f99976ef1190c58465365541a64d5004dc1348ba0af621753a374a87a9aec002fe6dc22f3129ebd0e7a520f1441ceff0ca0ae554ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
bdef5cf39ca4935cc1fe04c4cf05fac8

SHA1
f0c8cec5debc33e9734e0e377e2fc10ee130868e

SHA256
523c4b94d134340ad85cd3b403cc82eb670924df8e8cae2f23e7f009b7ad1102

SHA512
8dd1a141097411839f895a856d94209fef7e4bd6d69895aa5ba9ed915ffed50c2c7ffcfdff12fafad3aebff7e71ec800fb6ff0991b11b8226f519decba0387d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
c1a730d47e3a4a88ddb0ea9940ead664

SHA1
e6ea687e5fac53462d4da6a44c22f097e637a63a

SHA256
8288dcd6040ef17e5f041b7bdcfb31b06b8e43c3a65e6d6fcf3feff21dc922c7

SHA512
a87a39b2ba3c56921242b5d3d5a7989f32a30eeb9d67c1f78400a51c4dc0f8e428fb96849aaa521a507d6071593136141eab75dc6868ba3f26b9bad58fb596e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
c699c75dabd8c189a8e412df9ec899e4

SHA1
01d6e165e1ef41084b4f5ce56fb16ca79acb1172

SHA256
a67787f869567d1dd466e184a6a0867cce8c061bdc3ae5a9f5df190b6e9b5584

SHA512
99f8caac7e23375158743ef6e92c7adb56aaa3dd17f86e1c82b159a290c825ca370a1b58749f434645cd234e3d2ffa23e2bd90e73d1c8ddc2c7387544d79d712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
90d39d7e31747b4f72f7ec5eccd3a0b2

SHA1
214dd8f920cbaf97fe90d3ad675193a963666ba5

SHA256
048db9e6b685b8c0918ba51d259fbae9ed9ddd5104c985ed321a53a71c8541d2

SHA512
4fedf3214b7809baea7aab61660fa630fd277632bd097347e2ca8cc3a265cb539ab4471487cf0afda8327182e39a7a32267b8fa74384e754b9bb0914bebe03c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
1c6613d316118637472a476d1db46265

SHA1
2aa04bbfb0f7ff9e13047e23b03ad34534b192cc

SHA256
5e8d9d1d0db88fa234ef8ff7f1ad51637094f9b9694eff6e752e96ef30b5a916

SHA512
60acc531263e83de39a2404779823c6c54b6501c707cd144a8fb8504dad760a4512d7965e1420a237edea7a8c27e524f3e4c61318bb90ea1b8aec026dc4c2e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe600c97.TMP
Filesize
204B

MD5
d44620484fb41e16574c3f51894e76bc

SHA1
bd10c69608fbbf45121d36be124d92c3cce60577

SHA256
ffef3296c89ad079c764088cd48b282034a5cf88655f42d1124660c88c802224

SHA512
450ba7fbb4f0bf3508b3711873f4e33258e7fa630fb4a5bbc5ef7c5a61731f062f16e82dedd572184bf7d02520ed8354e93bfc753630714c08ef8bdcfab3d85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cbbf1dce7a21a15d32e25e1de61cfee5

SHA1
96770a1091a38690226aa5644fe59b23b148dac0

SHA256
f6b20969ef780ffcbed7015023b23cf74f738b5a282ed7b46890a3b10314dc6c

SHA512
8cb8efa18d8f9292941b38060cd1c325f681fde9e80afe2ba9782d7310bbc65566e795e077705bb5dc4ce861dcb64d3c4946d08b7da661e6df94d38aae01f3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
17a217f3f7167a0fbb9b794ad2e616b1

SHA1
d95806b855a9b7fbeca53a56a2377c5113863ecf

SHA256
e3b77f863a2f99bc14c1f38b19375d70853232d7bf5690032768cdebc9998e12

SHA512
3d200d032651ab2b0e852e75a93432f440716a8c86a4f6fa22a43e697f3fa937c723f1e345b3d880c5496345e0b0cf2497fe8c586bc5c5c6cc0946fa78d55deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
138f45391b4040ca99ca7f78374c9c05

SHA1
c99a9267d7ce3377fb329c9699077d4a4d62be45

SHA256
64de6167703d64a7ab12ca21967300b20f2e474de580985ca0cb4902226728ab

SHA512
86462d7f559d77f1a7b3ace50c312ebc3820e347e3749ca35798f9e4908dc1848144ac39c3bc65225f5fd8c388eb4b98ececc706707915531aa0f89aeb1723d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c3912ce752c0f8565c9b07c5ba44ac10

SHA1
703ecd013e52e82bea9167e50760ee5429f14364

SHA256
f8df6fddd4b98d3da57b7883b33f2b07b2b9e5807ac36f6331d99f317d870fd4

SHA512
645fcf8511750f5b62cb7843028a50b1ab3891bfbde59a28b6706952c8913b2dcd8a10d225faf06e67bb39aea86edb4dd1f74a96f52422eef2d338a1abc6717b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
3670b52c41e433b5df665d2654ee88cd

SHA1
03fc22e294ffc9e4fc14bd2e90719e3515040ff5

SHA256
9e79368a6815a62655d60679c110bfae020d1a36d7e49975651977e68e1db4b0

SHA512
b28f0eef7b3cd853c986de62b640e46bb46665d83b8f22b6ddc8f38770062458be7c90e980a5fddcc33dc71a9e043777f9e5cf24353b58fd9ac068a670fa8ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
551bc56e11a83f5707db2da58c64a854

SHA1
d20874ae74a365c8c5bae835efd2c6cbb1fcba54

SHA256
030e30fcbbc9218e9b983181d1bf3abe2d56e975e023c6ab5889d90fe81ed048

SHA512
f5133566a910cc6fc7abb376b604fdb2b1623f8d35e8fbb9cb7336a92777b67557e0b8062e968046833d3bf9861a39de41f5eeaab40374cae15f3aa05e66a9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c699bc68a54ada5e1d2989b024a9869e

SHA1
bb2eb43b8c54a1d0416210f3d9f03b77cea9132f

SHA256
c0192d4a85a1e06c1e470c3784f11ac9516b02bc26c0a919a04ace53c827ac3d

SHA512
ae101f355e01ab828b76779c8d16eb99892e7b48fa55f4f7e1b404dd840ace5bf53b2c639bf72c15b470b01a50f70dc73e25175d75a02a781e13f3f1ed223bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
57fe714addc6a34e26013ff68f473752

SHA1
909d527a04d21ba1c2baed98e4c64eaaac8b7309

SHA256
dad01074c0ebbe97c8158f4ea2ce26ec43c3b5a2426a7a9c50284dedb509e67e

SHA512
e4063a5de337a16ba303af093d237e9ae93c029e511820fdc0d151293bc5d24dbc45d038ae5a7327fc3d213ef2192dc256fbabb6aebac5adb155bb0ad05cddc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
316b671ec6244f4057719c2367d0e142

SHA1
8882368cd6b8a0e19a42c82ba7d3cf9dfa41eb3b

SHA256
54696f435cf9a8a731aaa165898576b034a5219ae65484ad06394221a9abb663

SHA512
1f14a14abb6656dc77638a05147faa86f7aece00cc2aeab095a60f070a52302f68f78451f78d763d5d09b9a0be904481a7b13238db7ad3fa8c9330601fafd858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
6ab6b4aed52d48415759421623398f6e

SHA1
b0df3adfb9cba5e6e9774068b0a772001541d1bd

SHA256
86c4392e4c670faef178e57e5b28c8ed19460e1dd1cb21cb85ecaa13b9b629f0

SHA512
c16bde4a60429927fd8a6ffc3ed44cf61b4a14c62166545d1301a97bcff0a59eb9d44b103575785a349d255423cbab1f453129800638e3dee999332b995f971a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\02LW2E0E\views[1]
Filesize
3KB

MD5
a726593a8261930e4786375106fc6bfe

SHA1
13916b1e1825549e9c36c64e35baca204a83ef95

SHA256
e6bfdfbb9a0649ea9d38de4255c355c581097e6a1035a54943260b22ad45f172

SHA512
b093a2513b2c4f8544093d6e983ec580e14625e1529bc3db22c4011980cdf44a78443c22289b11a6ed0afae2786d480f94b354b71496ee022e439d2bdefbedd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PCRE1VQT\views[1]
Filesize
1KB

MD5
bee1758a485085bb8a121eb74ba7e96f

SHA1
8024492e1126b17f832e36c932d433200180b693

SHA256
edcad5b1ce8a304b70b8c9ea57d4aeab740d979ffa59243b943011cb1ba4d57e

SHA512
bb1fe94a523ef108c49f75da187fcc28bbf80d72233454c329134bee2e12268d3da344a622987b081612aa2a1edac8b91eef27619c7309517ac52e7aebf32f1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
5b2a5b7fea5736ab83fa582514a5740c

SHA1
db95d31af0fc64b8b9c35d57d8503979f7ae8f5b

SHA256
4344504c1bf96829d4a65b5cbfd7086631319e5634901083e8fa4e82b90e198d

SHA512
190059edea7f517814aa9ce095cc758b55d9b3a402e2cc6af528477e9d968178eb56deaec7bb5d81922b4789f1aab6dd9f7c962a6bd0208c99ec48f3ff4fd527

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\cache2\entries\B96E12C8CA3A0B0336E0151FDB8ADEF70623220F
Filesize
214KB

MD5
2f12ff4f1bb4a8583c1fd7451b8cd446

SHA1
a42474b342d2537356fe4e2c47117c24133a882e

SHA256
a05c967400d6798cb660dde1bd10068b1b901d7c71468c3b50ba52ca07c7adc3

SHA512
ab4f3315c52607392d28caf594f0090328ce3b94dd2365efc5f97d06034722aec96e123436c89bf752706aee04ccb90f73dfa962d1fde3252e553a3375996bea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
Filesize
13KB

MD5
b6e40cfcf173fc57cf069aae86d2d263

SHA1
0b8f04d00bff429688e6e036f5085188c4f87827

SHA256
23aac0a8246d881816d0f06edc80f9ba499b934141b49666f2066d546b3c7590

SHA512
390cfb113f9b3af8f7049b9ce21345fb600e40c494e20f8dd15f8ab9594d2b86032d674ecb8287cf673d1db57080f318de6a71653bb942463ef40113a026e17e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\cache2\entries\F5C7ABC81E250F292DBE8694180CF0365FC9114A
Filesize
60KB

MD5
00d3b45918fff909702b1b2e68ef2572

SHA1
c370b836ad7bfd1608495e4103c7178cab77ecfc

SHA256
18e746135ce9f9cad9d39d9c426f8f92e355dfbecce625a580af887aaabfad22

SHA512
06f59f2bef5da5cb41d0c2c2e4342cca0fbd621f231b0caf745739a863bb38011d3f3c75b4f9d2c129bc38fd31b30b855afc4a3f1844d171d2c4f98a4de3768d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
Filesize
917B

MD5
f9f6593ed34e521029e30faabec307e1

SHA1
0b77228c7eb8408a60cde5817f4f4ca4545b9bbe

SHA256
2285d898da270dd835a36189355957d61864479b763dfa3c461a4094731b60b2

SHA512
4321b70eb192e4a5e9f077b1118290ef3302cf5e95a96972d71cc14cb8c6b57b55d973146d9d28f05a2c0b576fc0457e6b56a4a302ab35523f9f8b7fbf5b77af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
Filesize
917B

MD5
edfb05a13bfdcd7bfdae1c9ec858f2af

SHA1
2253c4ba1e9511d80fb8fa83899e63fe56acb201

SHA256
5195051526abaaddab93750ccf2137c10c7806372f4fa3a039c652dd7c5bfe25

SHA512
019f8ebd4378f2d0e012340dea90cf67a6178d36d6b386ba71203856cc9330d4ef7af49921f6147856b3d6d6d2411c96f9bf41ef161bcba90501227f7430dfe9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
26KB

MD5
ae5552c48a1a76355b966a78ebe6a108

SHA1
f6ae28d2f9e68c6bb0d25cda742269365272f90b

SHA256
df4feb8b8e342ebed5d0aea693963e9710c58ce74767345e72be366e829dd814

SHA512
1d6534dbb2f9197b7ec621dd719256529d9b4671ffbf744f0e9fe86d01764990ed49a477351d6256f43bfe99c47c70ee1fa3bde5954429a6b11e41e9ffad76c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
14KB

MD5
a47a8146532871ef3f3af030912cdc59

SHA1
b21a8c0bab03414dababbf02ceaed8bbf47846c8

SHA256
b157dccb8e8470537d94c5960625abac2a9a80df97caa88034d52cbdce122f64

SHA512
9fefa5b698098b2f0782bfd1c6a2da4b8415378bf328305c2d29c2628821b2aaff44d03487126afe183686ac6a085eb5d8e3a07c58cc4a7ebc29252e48c53dbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
17KB

MD5
f4aef7470a62e2f29937329b1e74b5ea

SHA1
eb47daf623a054fe05097a7d4e62de89c082bb9d

SHA256
216a2a552c0218915978115502d13ef7a318764bbfd54247e79f772297cce39c

SHA512
e9ee20faf066710e0c20bf2801b2a6a3547fdf5c8cc1fcf6657235e0c5964f74ab686cfbff0c4cd5549a831b81bc3d1f5cab752db2cb514355e821871ceb3bd5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
7KB

MD5
a62923cd25be9c3194469352524910ea

SHA1
e76f4087852649fb3d742f453d79f36a2547fb4a

SHA256
03d6e5f13e89063b34552751a5c423970948e02f288dca7cdc4b24f673664c68

SHA512
bec979492feda26b520751c4fd2e0b41676db3be684a83b8bf44902f0ce01b43ed12322371a489ac5dc37ff235c2550d31c26c7ce174c30da8ee0b79f98c740c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
2KB

MD5
f7a7d9d0717dd530a54da290c4283438

SHA1
9bd3d05b6b1f31ecc3637559144c0db58e5ff04c

SHA256
fb7811739b42cb72e723ba8fb26f3b74036a4bd95991a599f2f4c13fa24f1933

SHA512
d877b24d096c586cf0beba152b038d21fb0a4b0d177fe4954a860ca46888effca40f9b99271ad6c934bf913d51c30067a0257a86b391e5dcee32d66bdb22f07f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BIWV20J\www.bing[1].xml
Filesize
17KB

MD5
0912a748a6783e594136f0ea62ee1692

SHA1
4d32ca1438487c1b9bb7d6edc3b2b8f6c068bfc3

SHA256
a9a4612b95afce8c00bad8e08dbde862a683f4876ccf6f4bcb1bffb8e1057fe5

SHA512
6916c1d64c1d35ad87fc3b2ff14ec30a6c9571801b07d520fdabebe0d3d3266fd1b8440c3033391306c38fab578ec9045960d99681e39fcfcd401f06b1dabfc2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
e91ba7113b9ee73bf73cfbf795374b4f

SHA1
beef122500329c4babf0903b183e7ecc933a234a

SHA256
71d02f8625c90f7c9499fcbc6f2335fbacf9a5fdc58b475e0ffde696de5a9c98

SHA512
7c7644a911b218d20300a51c288182312bf57e48c78faf1791c0f710451bd907721d64f3f6d26a0cac77fa7ed088b0bc084d272f4416299122adbec9896586e7

Download Submit
C:\Users\Admin\AppData\Local\Sentry\7F91F275957D28EEE48F184E0B2D9ABD48A5EFF3\.installation
Filesize
36B

MD5
70ee1aab14c8c696ce59d220275e57bd

SHA1
f9f76bbced1794ee79c4711d92b8c9ccfc3d872e

SHA256
74429e03e7b2cb32d1f787b102549bf66e9ebbb658b6d97a96c3bd50abc6e1a1

SHA512
58e6eb234e6a360531eceae62c54963a107a20681fa3b50124beea72d4a93db3e2c53000479201816b699736744c7e375e56a29d4a43d52d5e79bad2e6af9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\5csukvim\5csukvim.dll
Filesize
7KB

MD5
a74dfb186d99827d9378d5c9c143f887

SHA1
b496cd89bc1aaf8e8e42d2e67682783c5a6f771d

SHA256
22037b1828d8267b6bb7265b9ab484875783b83278966e3e64bcd74c27162e19

SHA512
2ebd59edcf2a0968d1512aa9241c0f42e78cf744934f8ec92b6c2198cff4c6da80607c45141eb2ea6019672aa3b09c1e16120856073623cc15e2c195cad19688

Download Submit
C:\Users\Admin\AppData\Local\Temp\5nxatabo\5nxatabo.dll
Filesize
9KB

MD5
81c486a6e90a85f0552c334cf74177c3

SHA1
1cd24df109ebd5a441d93026c23173f6af42aa81

SHA256
ee072e52e30dcd81fe9e932afcd71b8c531d6d509a66badf00f356ec909b77af

SHA512
1b9e59e6cbb79b488a2e441d1cc0308b0d594e502c1c771248700a05560cda608751cb663f96b5fba046ac811de5d7c5433ca24a9d44ddcc8dda2164016bd9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWD5EA.xml
Filesize
718B

MD5
3ca522f75cd474657a844f4bb1e011eb

SHA1
110a5710519f3ce3aeb4b616bcf87cefaca72f12

SHA256
28f5c179159d4012a83ddcdc112158bd7890e98590671ab956447059bb9c6145

SHA512
f34cf8e4aae3b0c1c3a5b406a131c697830e17e2c3fe9297598987ab649e639ddbb63b5021f69b13fe8ddfa2a2c5582920ee8a0befcc3d17c1c1b070e8d9094c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FBC.tmp
Filesize
1KB

MD5
8ddc788ef36dfb9a3e0124c84cebf26a

SHA1
9fda86abd9b48e4b8f789b28a754797d740215c6

SHA256
6186ee22beae909b8f3c654f01f06470cfce5d588fb306c94e380fc7462cefd4

SHA512
0ff883a2e0ee7c00cac23a062cde299c2892af8b0d516fc0c07ec7ab2f16e86a588e1ec8d90d7cffed48d90d01e9b60db7ebbc6c09d055697267428e1492f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD87A.tmp
Filesize
1KB

MD5
c95e6dd9b4194cab586c6b979212e23e

SHA1
a36fdc88f1716cd32c319d943dc8385bd84f9f56

SHA256
8af4d1b7ab4c0b584b9d64554d7b5be69f07cf23a524358038a926933f845a7c

SHA512
f5493e4a6b5ec390ad52ef4278166dc2e5e31e84c3e1bc3611c83546deb7463a6c9a04fca760f8dd9e8b48462fe84d5aceffec52c4dd6d732e02d98867049505

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD936.tmp
Filesize
1KB

MD5
d8d4f600b1c57b77bd4329d1dc0ae90a

SHA1
98ce66689dd390809640f65a94d330ba84ffb58a

SHA256
be45507fe658e3bdae9056ff851a39ba5acab837933e50323e54710c07ad7a19

SHA512
cb01a0eef12db313f67421b4661e2499d6b92122f92cd9bca24ca381a790d1b61c3bba798f42c51b0799a6306193a3428807b30305f78b0259d46065a1987a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE47.tmp
Filesize
1KB

MD5
283f5362573a45401d17d1e0199bae73

SHA1
2a75459d0ca8b22a2ca3d113b5d3f49ce6310837

SHA256
6ae36377d2dc869996190d1f2118244faf19ae66e7d3a948b74937251b860ddb

SHA512
a477f503098e5233e439df6bf1db8743ca379315ab457c1548a919726ee778a0553abf40d9120baec69d1bfd1b6d2ed8493517feacc8c3d140955170a35091c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqw4k40j.yw5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\arc-install.txt
Filesize
8KB

MD5
2eed66c0611f7722cb99e7098850a0eb

SHA1
b23a9363829815bf40f19a3ff3fdd56418ffd101

SHA256
ebbba50cd1a733562d2e4e9dfb1d232a459ef6f8b773879722f24480502ea416

SHA512
3d0d91202d018d3e32256ceee426363d37a50a7be4cd16863172fe438d849ab3df46da2b51b48a7dcc7e6b0083dc4a16cecff589fcbf6d8fbb7666ea39d67713

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3xndica\n3xndica.dll
Filesize
5KB

MD5
08624c2097c079fd9cfe1b9b48050425

SHA1
dfc85df5d60ed1be9588846afc1dec32dbe49927

SHA256
da4bdba7b4fc67830df8921e158b4bbcecf3584dc34a75bc2a2e1d04c8d8a86b

SHA512
b7f10c3431e06c0408f134d2bf06450799bc15757792b0cdc39fa72ba517f4ed8eeaf2300927e507b5f2e307717234fad5c22759466a147fa31854a380529dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd4es15y\nd4es15y.dll
Filesize
3KB

MD5
f49b378b3cc3d8b3148748e41d34dfb5

SHA1
cfca7d7083d38054a5932fdf7502834a7d064a9c

SHA256
87a6f31706fc17e4936f9de622e6bf1c23c6aa5261bb94593195e5006afaeeee

SHA512
6d95bc69d1b46b707a091212ab0e7d9adde3abe4f8b4214430ba7b3dfd22e90624edbe047a465912c6e9b27427b49f736a2286647375d248c62f8a37696b43bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
231B

MD5
ace0e1450950b3d953bd60131498fa31

SHA1
abe39673fdd0436b3f45c6554c0bdce681b0da79

SHA256
380caa9d1b9a205452f1f6485d98ecc566756225042773ae224fe38dc23c26f5

SHA512
50d3e27c44f1ba2b25a86f841eb60636c0b8408c030947008ef5c1a9f32cece86d5032813bc030b02f27d8dfcbfe8dc5a47e4a5ccc4fe90ec0952f24aa5bd7f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
5c405e84fbced13a336fb76fb704d4c6

SHA1
e47c12f547d351dd95e38bfb7adacd1c183701fa

SHA256
b67026c855b93a698207709ec3d8cc534479c7704e3d102ceb37e529bb28fab5

SHA512
5e569ee29f68c168fef9070316b6abccb276108038f810ea57a2b68a4129c79f1f10aab99599e960b4cf7eba2ef619bc16507fb890326c8d8e66c511f663731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
ffcd93fcd58c8507137782f4dc1e7b6b

SHA1
1e68d630d67f8efb82b5ff5471a39810c2821742

SHA256
dcd4e97f97ab1e87fadff88ce043e861d2f7a05231d8dae6c9cb6600cea47c4b

SHA512
97616f04b6f5203d3d4a60280a36de8b5853d5a1717699c2d90ea2396197d49203c327fa5fecefe73c317c2591c3b804165879218b0fbf984119ceb1e2adbf35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
12KB

MD5
e5480388ff3e22f6bd1fbbc1941fbb80

SHA1
e9224f772e8cf7bf26b7f9b942c242f55014ebbb

SHA256
c01704b45a4a52059632d2631cd2e3a4249339d6b8c6fe5284e34759e53b6884

SHA512
7ebeb815d145e7985c0f0d1c59b51a8dbf7a9c6f12cf19c2f02544a4c42af178692cb7cd3e2bfa58162f3c0d0065ad7bccb2e4a998e940c6f94fa7a8ddcff5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
8f9c255067baac841a215c2b1ad32946

SHA1
73b59b49be6ed155eeb5887039db93a86f92f80a

SHA256
51a5cdd1a362e9db45aa8516a5221c010de59f0f4e076b05c4d4f3ae610f584e

SHA512
71ae7cd46771d7c226b17bc4321a5540b3fd549ac5fa8f7af9568f02fda8ac9b7095c543d7eb57a31a635bfc3c8987f5521f8a7d25098bf62a72b905019decb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\downloads.json.tmp
Filesize
655B

MD5
39f826797365d64a0675616da710b72b

SHA1
030be4823578b3567ffb0a56cb89be5d3919c8bd

SHA256
c23e5be2f0fa8e50aa168e80533f31788eede390c351485a6d8cd9475881bebb

SHA512
1e7efa8c9f0b680ad089234cd33beb2738fda73d7e02c223448621880194a7ec01f51fc46d4bf07363353c52af1c3c581df6f828e556a7779bcb056b460c65e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs-1.js
Filesize
10KB

MD5
b2bcbd9e578d0af753fa504ebf81b62a

SHA1
cb69c42ac7abc64478a19984b814d33b43e0f12b

SHA256
f3685c21c043c13de5839495581a66e167be128bb88ed7a47695332600dd6978

SHA512
faa7ad69d68c485efca018e49859c62f0c2e50f5a15d4dea45254a03417649b443a4cfea48755e7959e86eace78e2ae3d3f333acf62181d36ff6f35392dbaa1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs-1.js
Filesize
6KB

MD5
abee1d7e7e7e8df140be469b8d0444ad

SHA1
06212b5395a3cdd2bbc433ae30bf4d11aedb2814

SHA256
33eac7bbf4fbb2aef8b6b2e0dd59cbc45b692cac18de45711f24a71d36cfccbc

SHA512
161e6fbb26e85592a87e69c4cfedce3977a91c0f1ab396547294f5a9fc2eabdb16aa739e4b62d220ccb569976d2fb8655a74e43f7cf4c638d3589f20eaa49f94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs-1.js
Filesize
7KB

MD5
0f4cadf55f9a9ddd4169b4814caaf2de

SHA1
63b9ea71149ecb658584d9ef883467ff501421fb

SHA256
0bc07b57ba3535c54edff3955e380d9249fb46a23011b6669e34e35f3d634a68

SHA512
63e66f681a74af35e93816afee64a4d58cbe9b3aad8ff499cd9486f84433cf087c382efa598cc3eb795b513230e87285e4100ba1509f4ea0ba6d62b56c502d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.js
Filesize
9KB

MD5
258224148e0ba859c330054371071fb9

SHA1
a1ede383ef10d6b89ac403882983e04857101af8

SHA256
83ef3b7edefcf62e1488968682be7a47593d5304f93ba41dac62e2aac4d6ca6c

SHA512
c0e4ca060266547d547c74d9d6526deead2002c4b085f374e2eed35ac6a9f388f031c1311393d95375e83ea66992ad9a0296a309bcffa3ee3ceeac5cd6c21b70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.js
Filesize
6KB

MD5
72c337bbc436365ce74509f4158f932d

SHA1
35fbee3f15b8d4238d518b14fcb6d8ed14f3ff68

SHA256
88e7a20172188065de17b6e2c252b3cdbf8daece77ad575a4d2b005a91ca9705

SHA512
e8eba6aa79b23835e4a1ef58deee10815439efd725482de13b30b1357cc069aace859f588f5b676b756f95db85ee20715e0818b8e889014af8145b830dc4c883

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.js
Filesize
7KB

MD5
414078af08b46b22963d4f62062f1c05

SHA1
b13c3aba5aa5d42f5e14c2ea8405069a450b92f6

SHA256
5684f31b2898fdb7e24d395c167fc093e5ad54ef32e4425425009b9436a9a737

SHA512
384a6bf9e0761bdf54fe7733700948fb2bb5a5d3126e643a2c3674d3875489ffcc7e3fdb3f30017ec7a208e6fc7ad3dbc51436cb5fd9c14d14034e95a4029777

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
18a9080c2d5b125e6e920ca2b9dc21df

SHA1
9e961d5048e04be0db8ddd29cdcbf4ffc996292b

SHA256
870d17f381c238ce1cc5b4017b64f61216552a81dfbec219581567ff0d7d158a

SHA512
8e8a665ea6df582b7cf409aa24a929ba10ca7b5ec39957817d980925a68b90cc2aa5690cfaab63fa0ce3b4d27c473994a476dfb03f8f928c7e3b9654ee934aec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
a5e73cd234b9b9b7fa910dd303c438fb

SHA1
af0be2b46f832c88b4282458e71cbae1469bbbbd

SHA256
d42e77df8577884de4f0e377f5273d6e8ad1ff2766f5f864dc973a00787dd00f

SHA512
58aca8cbf140df5fd3df598f9b12cb3a1a679f53a1c7ebd04674dddf6361855e0f4581f6ed86df45cd2c30de9acea7dd6bd478aa90014db403f978ca0e7fbf85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
bcb10cb2264c288a31b6d8efa4f81dbb

SHA1
1d4f296f633dd1104643d86669a74a7b30a4afd7

SHA256
eec7cf6e61c6f58a70b776fc69eedb08f2312400a24c4ffb7f3f2678657eb4c5

SHA512
09407fea06bda9fc3d43ccef8cf332dbca8cf4479eeef8189770cdfe8189b9be5ef8722bab62dfb6da10cbf522d80048083f138840fcf153a195ea7983ea874e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
02c7db7b1dd9b4f102896c9af2e44f30

SHA1
8a518431f37b25cb06063b366be4216626af90cc

SHA256
90613a415a33d02e2dd4854a6e9a444e3698532400d7078d2a1612b5ace8f53a

SHA512
0232026fda4649de227ab80d514bf10d2aa08d4dfb4e9530e696dbb0751f934937e2a4646397ccf3719e78ff4121abca121a7e9b544bfe21b4999440fdfd7200

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
0c4ccb443646ea8aa8ad3d1e80fb948c

SHA1
9194ac3497b6002b034a6d38225168934fbc94bf

SHA256
fd227696472c42abd08c4fe360f95a72f72f56fb17ff1d32c63dec3115647d5f

SHA512
656afaf6a37988e74b17c02d58da714fc670cd2ddc179717cfd6c7ad85350a463c4d999eecf197fb74f0546bddcaff77473d37e064d95e6864fcfe171859d4a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
4346c03572ff1fe95f882b5c9b8eb9cc

SHA1
3f9e078d212001c3ec7aa128d38474a891c361d9

SHA256
48d2ccae26fa47ce17dfb2797fedc97f4706f526118d10d5286a82438b567425

SHA512
3aa14bcf83fc1dff4592e02dcc857b7069c0300fbb10ac160bfa4533c0f8ba08a71e01a03524ec3f58705b3052633543101bdd5aa8c3e8d941bbbec40f1f9cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a16ec37355a0a1b080e14592b7e1aa79

SHA1
efa4bac2236df80b236869798d5c93901404246c

SHA256
f540ee90bac1a3f0f058e9fad246561bba915c10342dcdf795f7c4c3d5b1bd05

SHA512
58225b12c10a2a062cd163db9f1b650c623a73a4766422224c24bae94a6b915dbbca124ee580d490d6e2de7111f4096ce17f55e0802bbbc963e4a6f07011adc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a0718d3db793608832af5b7e14e286d9

SHA1
be8e02a70b518866e6121bb1755a6487adbbbc8d

SHA256
2a3b1177655d63b59a4e3e4039d823846a0b236355cd07c42b9e2c83a3fb1883

SHA512
e385142893875ddf70d592a791eadef0c6665a7faaa5306a977e785a247ef3e6f7bb1b708826007602d36e2dfdd7fc9eca01816a165f22786347f4be5e7290f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
6550121e9d7f11744dfd4b33df88c25f

SHA1
f5dd7476c7408856bdadfd95c44b60c717b6eb2c

SHA256
b17ec5e747bda00cebc8e28ca117ebe4bff3c6a3a560d848ab6454fc3c5eee2a

SHA512
7a91a8287f218f9020c2a55f1f2ade6e823bb69d03318c77e960877861b83dc9809867491bca0cf07fe958e18d958156f650850a6c68851f0558cd893921d9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d87507031585b7fda88591482ce0b4be

SHA1
45eb9fcd2b433b6c88e0976930097cd5ef0fbe22

SHA256
7b62f70e31fb0cbd8904f4d24b34f22520758a82aca0647cdffc938b38511906

SHA512
677f03a6dcd9b4f6d9b6176a56e0dc93de22fc51cf3e96796496de18409c41f33277056a6c974864df1aaf015bbca0d967c73694bcd77933bc47cb8c45a3a546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
a9fd2ff3401c6f9b03498a89989a0a45

SHA1
8b9e3feaea5dc4563538680509dd875c5b0f119e

SHA256
d3c13a10076f71b5b7c28ce6b59b55daa8c2ca359c19e1acd707e9f3ae3d5f74

SHA512
8f363a3548f57d2eb58f8dcfc94f2476759c1d70afa39f957ea85e5edc24db01236662ffe1e12cbd8df64873e0b4f19a7457464052d4e9b078f3414cfe46eb81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
5005e3157b37a0dc322cfef5591def5f

SHA1
257a9b9c0f10e62941f8f7ce09722dafd3743f4e

SHA256
1223b58821aebd289cc9dcbf5e8c74754d9c7c07878a1e6c5c77b6c704c826b9

SHA512
6a7f04ec9ae2e945e537b5489c6c3e5bc0c009d145ca0397542087f8cf637081b7e175fa5ab8ce02b8f6001ca27f0eea9234418a58e4aa75357aecef5df5a5ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
1f5d76cde2d04d08ff3aa4f488754d8e

SHA1
19ff567bebdf08787d8dcf4a4dd797644adac37c

SHA256
eab350d2d9c23980e94973fa1abf943829e4f3bed9ecb04fac58e8a9854984c5

SHA512
b1407a40255efa59cd5f55f86487d86a8423ec72d3b6a226e72af4a37633131fcd31ac840dd97002d1c2fa395f45a067c4eeb1e75aed5f0b1972cea38238d0c3

Download Submit
C:\Users\Admin\Downloads\Arc (1).appinstaller:Zone.Identifier
Filesize
130B

MD5
4d174af0b44f8354b7886e52679fb99a

SHA1
7363a2e36488b07bfa76e85af072b4b5cce12878

SHA256
12611f0b598a6b6507ddcd7c5c3f5a17f1d6b43fb42b2b6c0fd2ec5e38cb1065

SHA512
6d697aa0dad36eb6444130966eb68a72a2ca0ef3320a77d8100c169bce8f74d6a3a02f242b7bf05178f90d1e865f18520cc52652a9ea4de16c8222f1f2e0d3fc

Download Submit
C:\Users\Admin\Downloads\Arc.4rNqQtBL.x64.msix.part
Filesize
216KB

MD5
39e45211ada1566e95a9d8f187958a80

SHA1
d62be767e044dccaa4378dfefb13ea9e59809b81

SHA256
99ece6cca459798325ebca713ba69dafc237d61a35c340a44a2efebe25dd05cb

SHA512
aeda8d5220f9fdf83f59689fab49203d152579bbab29a8e1154604abf58e22c8f276591e119ce98b8b8bda6522d3a0ff078f45b9ef103a677e9d1cf91707a055

Download Submit
C:\Users\Admin\Downloads\ArcInstaller.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 336171.crdownload
Filesize
1.7MB

MD5
327394a452bc590a8dcc35499ec21060

SHA1
799eaa40f88bb3a2a5b385e6fb51675c0da69981

SHA256
20fe34797b5d870900402aaf927136076111bec331d6bfc443b86d66c551243e

SHA512
325529f6fc4421e299c9e23139b43647301c90d7c2d6524f8aa64e52b5308bb9d67125e90847f740494da06140dc5753ec73269b117c3687d788983bfeb4e02d

Download Submit
C:\Windows\TEMP\SDIAG_186472e0-a088-43ea-8ed2-3fdcd83182b5\RS_ProgramCompatibilityWizard.ps1
Filesize
49KB

MD5
bc7352030b944153ebdf390256a923fa

SHA1
ebbe66184a2759eaf0c87bc78eee60d369155c25

SHA256
1bdcc214c4731e55cb09e91610ec35e2f9448cebfd6057f7c1a78e1ccc351b0c

SHA512
23870e6d58f747c52645342c51f9db07ab3522b411ee9481005c66081302564dd1c25347eff7800aa39034b28271a3ea4d37e220f50d666aa8651cedca176e9c

Download Submit
C:\Windows\TEMP\SDIAG_186472e0-a088-43ea-8ed2-3fdcd83182b5\TS_ProgramCompatibilityWizard.ps1
Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_186472e0-a088-43ea-8ed2-3fdcd83182b5\en-US\CL_LocalizationData.psd1
Filesize
6KB

MD5
d58f931fcc39e7d196ebe18daaa0b5ee

SHA1
6e6c32a212ff5e665246b8b0f695bb33bf2b5629

SHA256
549151948bead16c74ff4a8789e3954dd9a30ea81fc823dce2c9fd0c851a14fd

SHA512
b7a786732c520e3a08684b7d17902c662b44010652fc7640990a94e0aa76461a5e44796c2d8ae88a09f287ae19d8ef1b486c735310546a39087da9f32bec4cf2

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\CL_Utility.ps1
Filesize
20KB

MD5
1173d06163023bac8a1ea0a4af28a3b3

SHA1
8bf13ff0a368869b8738b9e76b535f7b9fb0b2a8

SHA256
3304a9cc067893e7dfaffa5736919a60ae3a4315b6fec849ee78749d03293d6c

SHA512
dd2c314a5c9e50971c3556e2f066a5d32aa4b6ceb0a80eba19ede987962fe035ddcf9a641d67a256765a7c888990ef9ae66eedfafde0da2cc4b733078927afe5

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\RS_StartIndexingService.ps1
Filesize
548B

MD5
bee0e781fd1d15c9655351e895d83b57

SHA1
e7c78d9d7be5dd7143463c59df670791d2bdbf75

SHA256
7427b56e830c07b384d9db51c1e1b2c6dcd7f9add44b1f87c43106701eb6bd23

SHA512
f3889a65783ba3ba12f17a8e7956c848fc0b8e8e620d4b81b4698f9e4560586358d303a171e11110841bc962521ff29c7b63db184b6a33d87c8907c5b0eea4eb

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_CheckPermissions.ps1
Filesize
2KB

MD5
b2600e4d733b92f79370faa2ab00944e

SHA1
4ab735b8d7afc733111856b51a814fa661dfebc7

SHA256
c9ba0a243d584a373b63be4db08e884f6eb806670479ba55fc7496a4295be5fc

SHA512
c6a8e81c15e0ffcc0bbd9b672e0521b7528bd8a83e9fb23270a586562e1228d909f3f9e3fa9b0348a6d88356cab737066085133491048484a7dae5aa781c06da

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_FilterHostCrashing.ps1
Filesize
913B

MD5
74dc6611ecdd7f0d4038a1cd32ad0e94

SHA1
d6505f7e6a1739b1ea3e7fee48281dcd5f86b812

SHA256
c5250dedba4642742eedc65a3b63f912de7590743f191e44464b106034be91bc

SHA512
e767167802800b4e700716b663dc088b4485b9ebedd7c4f35ecbb716940e7ce9e591993b7e9c3bf1e0a1e20db83373a64a87d12e9c9895cf1db0515cd79181cf

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_ForcedShutdownInRecovery.ps1
Filesize
945B

MD5
2fde7756bb963c60a89a51f68b7bfff4

SHA1
f87a0ead228dd93678d1f8719ddc1b25ac1d7c86

SHA256
2715e3a85955bcb75d4bb0a500981583897b2f6b660214a73a9ad6880eeefa86

SHA512
fc4f514b50d36996906135473bdfae66d6ae7da93533997f8f65c086e03e769325f1438ed673e16871de48f8e6530374c2b005494e6de27167815549a6f8ffbc

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_ForcedShutdownNoCorruption.ps1
Filesize
962B

MD5
33644f44671fdf33ef12a7d62c250953

SHA1
6ece575fb78f0ae00eb9b1da20efad462fe43fea

SHA256
e8090f2529580c00f1731f7729eecdda468ab3cf74c333380664a028260cdef3

SHA512
183fdafc60d55562ea765eff333826ffc28a80ccc4845c6a48043fb91ecf74a2f930720225bc51120fceef667756d15a9e43c4c226a69c6cc544cc9ba23cd792

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_IndexingService.ps1
Filesize
1KB

MD5
2c9b766ab087bde9ed5110161e69d18f

SHA1
841396507a55e08ea4922a160d84cdbc97fb581c

SHA256
ed8db194ce2537e63c9284f8d363cd0571f33469cbaa9b3e856ca10fa30e3e07

SHA512
98eced864ea9379e899373e026e4acf0dbabfc97afce3abd3c9517f0ea324c453ce2d939796ff357e497e8f204aa7468e18a034ccb2572939c3cd22f1ae0c767

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_IndexingServiceCrashing.ps1
Filesize
909B

MD5
8c5c6e6ee29132025d6f694593ad589b

SHA1
dd3973ad144aaaee98424a09a1e88001e4fc489f

SHA256
f2ec258da3cf74991292d99b2095e3b256a0b6a10795e4c447e0ec21d6be44a8

SHA512
f8476e0de9dc2d0802ccaa51a4f40b7b92646b08a7b3ab6516f6ab8569cb849858036bfdc2435df13f92dfe49a0f2b77cae866eb976c32f77152c99604399634

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_ProtocolHostCrashing.ps1
Filesize
931B

MD5
54645b0f355de9378f1a1781fd36cba8

SHA1
27d019305bc8759235eade5fa72518e76ad26e1a

SHA256
7d16cb850f7ea651b29661b7aed037fa003e4f33265fe78545222b349a0fdeb4

SHA512
b7feabf2ba494d059bb232705198da3155793c181317f04a16ebdd56094bc6d1d88ba4858746851dfa27ed8dc8370a4870671a92a4ebcd34416e83f4bc1969fd

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\TS_SearchApp.ps1
Filesize
926B

MD5
92e6671071de3ccce626e72b785c877a

SHA1
631e3490881c4d70635e7a6c1afc637c3810edb5

SHA256
c1f74e45e75c3f07ee042b0504bd81f5425cf4423f987d302cc2b16917d19e83

SHA512
406286b6a66d09c4256e787fcf8125495de659c53a87fabe19bcbb4633fc4195ac0783a04ba35acc1b0ca14e5dc8330181b5d79f7b84e7021a32c837b0a36275

Download Submit
C:\Windows\TEMP\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\en-US\CL_LocalizationData.psd1
Filesize
5KB

MD5
c88bcca356a16e897353ee8dc7c851f7

SHA1
edd7e9360620cb45536931fcaad0acb2950a5f49

SHA256
e8d07b2de2d97002aca0ed4e813ab448f79a4e67c75876ee137eb6bacc8ea3a1

SHA512
4d8401b514e6ea97671b8905a84a7f20fd6918f93f1f0e7d9a654d999ce2606e7398401a8508e8141e02ceeb2d68a76962f38e4742912576a1a9ab9c368dd5cf

Download Submit
C:\Windows\Tasks\SA.DAT
Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
C:\Windows\Temp\SDIAG_186472e0-a088-43ea-8ed2-3fdcd83182b5\DiagPackage.dll
Filesize
72KB

MD5
88895bb8b19e01ce09c7cdda7a7c9963

SHA1
5082b9b7f54409b32e5dfc6c6fb2d422a6b1b3c9

SHA256
09d7f874834a65f0a793179f77731791a6e05ea3f00ade08500c9a793e2a86b7

SHA512
55f447011b48ab307df0c55bd96d9a00eaf1f292e9eca38d9c42aa3b224abcadde3be106db41edfe3e61d315fb1c737268f035df671468f7133ba51e9438b018

Download Submit
C:\Windows\Temp\SDIAG_186472e0-a088-43ea-8ed2-3fdcd83182b5\en-US\DiagPackage.dll.mui
Filesize
10KB

MD5
2f99591ec8160c1608d8f0fce949c958

SHA1
4b99e1e78db2cdeefb3f4c694a3fa3d9a630e96e

SHA256
d4ac085f0929021bc580ceba5de8c744808d98c03d1015fb76d28290c12e8517

SHA512
550528ddeba6bba9ce3017f101fc7ddfa51080cce031f6f9e0484479734066318ca03b3837f18f5c12b4468459bd32f555dccb0558e596f284e2800117834e9c

Download Submit
C:\Windows\Temp\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\DiagPackage.dll
Filesize
88KB

MD5
901dbc7aa324836845b957d9c3868978

SHA1
cb82f741d23bba36fa3239b06014dab36caa2826

SHA256
17dfa7a99648a78519f32f8fc34c61474542cf61a7f0d6563e5870099922c228

SHA512
5ada8303bc1501b9af9fc3c7b9f6dfc626bd8b1d7ac56e56a70cba9998b8632d4c3ac301465ed5127265c69c71ab5b45b78d310cb0ba431b3705d2b2f6f8a268

Download Submit
C:\Windows\Temp\SDIAG_eff98bc2-11c7-48ce-b487-730754ba5247\en-US\DiagPackage.dll.mui
Filesize
10KB

MD5
b06942b6dab39c611163bdb232b5d8b2

SHA1
4e222f61b477b0d901e15e9652ecd780fdb72318

SHA256
62b7009e794d7f0c2e3b4935cea103be2614c8d70e020deb109ec9efb02656a4

SHA512
8428647b7df071c1156ca2ebb9a90fe450d925665a6ebce3ddb6fd31ec5240b27c72e1e57e33f298b8b1b7d327836599603903b291f4386c0b2cc4f5de240e46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csukvim\5csukvim.0.cs
Filesize
10KB

MD5
0eea33b69db62360738c8964db492126

SHA1
2f8eb272a91cf56452751b93b626c0f23b2e2838

SHA256
8e876c825da65dcce9f002ea31df537981c848ccb2fd404dc8922e135964404f

SHA512
1f442c08d7ee78e4bbd488449e5dbdaa341b992093727ee62664fdae01828e9d606290834ef329297771710e810ead559c03ceda73798de9e2ec372a0bebb793

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csukvim\5csukvim.cmdline
Filesize
369B

MD5
aa524d944b71d4d5f4ac45446a6d4e5f

SHA1
11944ffd632b62491c84ba65b7a0f4f6f48a04f7

SHA256
8dd19ae89c0ec5f34ab5c01d03dcf6fd6e481597d58f4e9acf62e9359edfa514

SHA512
d39f49767bed16f4497d35644078f8f090ed10650f9c37caadd47b8bd4dae067f0e44300173f645820a2d3cc68f0b5556223e7a80a4bb1e5bfa72eb5164bf30b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csukvim\CSCDD5FDF7CE5A547A7935B821A7EF341C2.TMP
Filesize
652B

MD5
b590ce4b77a5d99cfd217af53faba28a

SHA1
c90c7a512da897e730abfac0383c3a53d180952f

SHA256
3e628035913e4f4c4eb6cee1f431e54e6f41fc625f9880978eefdabfb5434a68

SHA512
7ab2f7fc9c16662f76bd9c913033e9c1ee9c906ce09d2361556ee308e3481a3bbce44f409ed9dd0f948aff847aa019316e548be74fa1e13176978b9c61853351

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nxatabo\5nxatabo.0.cs
Filesize
11KB

MD5
e3b98db82e90c1c2ef81b5e15ffbaf85

SHA1
b64d16c7092ea9741bcdcae150f675de640c2079

SHA256
f05e917780a64aaf4814ddeab7a268e0e85042bea7557e5f5e9d589d97a58e12

SHA512
e56c0788d12e97d71882f8c8c8eaeb3e887dc97486c725af8e3e75fd64731c911744d9beb6cb99cda4ca5ff471486f77dd2cdd36371ed2edff0cd8d1145bb292

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nxatabo\5nxatabo.cmdline
Filesize
356B

MD5
bfa7e711d434a04a4c198b51cd1a330b

SHA1
b8d2727e1859400211e3f08a7bbacc4367509f9e

SHA256
78dcfb97162d0f9a5e576a548ad15e3d3a2480771c3934e9f2b7477bc6041785

SHA512
a8e27348c03e05efa9c1ddbadd1e0dbeadf7b15021247725a8f5758c9e26d671330ec0d47d3b0855633bc4d6c70b72e3b7da45561eb405a1c51c571e1fcfacfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nxatabo\CSCB2E3200FEF854DDE989C6AF092181A47.TMP
Filesize
652B

MD5
0df21f8ef78f93cc7f7a2cae6dc718c4

SHA1
2592afefc03038ab4b37e99baa691a1df72f0bf9

SHA256
675b5e5d12987e8a071ecbd91494b503cb7e748c26b717c5a519ce8e59475345

SHA512
a320b0985ec85464a7e475e620ea11d5630cbc3d459b3279bd062e0cccac8d62d878cf617685b3fb6621e1a4554094ca61891a78343f399cfb2eb542a9211628

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xndica\CSCD636289135D6442B9B1A65F1F55747D5.TMP
Filesize
652B

MD5
bd530d205243a92587ad1f1bce1dc03e

SHA1
63fca1c47c6127c2978e7def3ae664fc64904113

SHA256
488ab723697bf3fed7e5941e8a8b5e5bb17fdfe212e5ad643ad7645c9c2a83cf

SHA512
5c9912b01dee55f415ecd67b7f7bc3617904f8bb8101704da4d71c7486e63762387b6038729e70e5dd09eeac90f26305a761a93e52090b90fd428fc67b3a68a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xndica\n3xndica.0.cs
Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xndica\n3xndica.cmdline
Filesize
356B

MD5
3ba1d2b08f982613e99c299b6e4500f1

SHA1
3bba4ee1c2fb11875d6f9367d74589171834ae7d

SHA256
2802467bd3fbae844c01ee6f306b63571313b998c3becbc3746114a80af5631e

SHA512
427a45441288eaac866e37b8cdf19babb20e6fb0fae20c2b0dd97cbf70be4c672abfe945d5989a99a2c938d98d1a9a42a14d47eccb4d6be2ae89f0e1a2c00102

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nd4es15y\CSC892BFDB93DED4CD48A606B938317F45A.TMP
Filesize
652B

MD5
0cf55b1befdd1635215a287a48c30720

SHA1
89caf38befb1daf6dfca121ae3b16824e376706e

SHA256
d2ed23428938f93349f8f9ff608f8b1856a0db4793317d0c24703a0d398c4198

SHA512
4c2aa366c9078b018220d03741263b04e04c907113171cab076d455fbd2841aec2df085631d47ac260da8859d546f5792edd9d4c8a9ae7fdccc8d15fb5fd93c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nd4es15y\nd4es15y.0.cs
Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nd4es15y\nd4es15y.cmdline
Filesize
356B

MD5
620befa9620444efc0cfeff35e706ea2

SHA1
025cc8253789685fc36a42d8a922344b0cc167f5

SHA256
7817a9b7b3eb81ed124d3c699f42367f50d21e5e61b021ff9e7ab90c86a7d0ed

SHA512
4b919c3a7cf767926c00d775abf905e95a88f93fb507259fc1a561060c628af3b8826b98c11170e5b12cc1a618c8666ecb816bc58a499374f8243eda1aea997b

Download Submit
\??\pipe\LOCAL\crashpad_396_UFGEUOBHIWJGWJCZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2196-194-0x000002BBFD230000-0x000002BBFD23A000-memory.dmp

Filesize
40KB

Download
memory/2196-190-0x000002BBE3630000-0x000002BBE3638000-memory.dmp

Filesize
32KB

Download
memory/2196-183-0x000002BBE17D0000-0x000002BBE1988000-memory.dmp

Filesize
1.7MB

Download
memory/2196-184-0x000002BBE3570000-0x000002BBE357A000-memory.dmp

Filesize
40KB

Download
memory/2196-185-0x000002BBE3590000-0x000002BBE3598000-memory.dmp

Filesize
32KB

Download
memory/2196-186-0x000002BBFC4A0000-0x000002BBFC54E000-memory.dmp

Filesize
696KB

Download
memory/2196-187-0x000002BBFC550000-0x000002BBFC5D2000-memory.dmp

Filesize
520KB

Download
memory/2196-188-0x000002BBE35B0000-0x000002BBE35B8000-memory.dmp

Filesize
32KB

Download
memory/2196-189-0x000002BBFBF20000-0x000002BBFBF46000-memory.dmp

Filesize
152KB

Download
memory/2196-192-0x000002BBFBF70000-0x000002BBFBF78000-memory.dmp

Filesize
32KB

Download
memory/2196-921-0x000002BB82810000-0x000002BB82886000-memory.dmp

Filesize
472KB

Download
memory/2196-232-0x000002BBFBF90000-0x000002BBFC0AF000-memory.dmp

Filesize
1.1MB

Download
memory/2196-203-0x000002BBFFAF0000-0x000002BBFFB28000-memory.dmp

Filesize
224KB

Download
memory/2196-204-0x000002BBFF430000-0x000002BBFF43E000-memory.dmp

Filesize
56KB

Download
memory/2196-202-0x000002BBFF420000-0x000002BBFF428000-memory.dmp

Filesize
32KB

Download
memory/2196-201-0x000002BBFFB70000-0x000002BBFFC2A000-memory.dmp

Filesize
744KB

Download
memory/2196-200-0x000002BB80000000-0x000002BB8000A000-memory.dmp

Filesize
40KB

Download
memory/2196-196-0x000002BB80180000-0x000002BB801BE000-memory.dmp

Filesize
248KB

Download
memory/2196-197-0x000002BBFF3C0000-0x000002BBFF3E6000-memory.dmp

Filesize
152KB

Download
memory/2196-199-0x000002BBFF450000-0x000002BBFF472000-memory.dmp

Filesize
136KB

Download
memory/2196-198-0x000002BBFF3A0000-0x000002BBFF3A8000-memory.dmp

Filesize
32KB

Download
memory/2196-193-0x000002BBFF380000-0x000002BBFF38A000-memory.dmp

Filesize
40KB

Download
memory/2196-195-0x000002BBFF400000-0x000002BBFF416000-memory.dmp

Filesize
88KB

Download
memory/3944-896-0x00000253E3530000-0x00000253E3538000-memory.dmp

Filesize
32KB

Download
memory/3944-882-0x00000253E33B0000-0x00000253E33B8000-memory.dmp

Filesize
32KB

Download
memory/3944-911-0x00000253E3590000-0x00000253E3598000-memory.dmp

Filesize
32KB

Download
memory/4796-579-0x0000015C4CBA0000-0x0000015C4CBB0000-memory.dmp

Filesize
64KB

Download
memory/4796-580-0x0000015C4CBA0000-0x0000015C4CBB0000-memory.dmp

Filesize
64KB

Download
memory/4796-578-0x0000015C4CBA0000-0x0000015C4CBB0000-memory.dmp

Filesize
64KB

Download
memory/4796-577-0x0000015C4CBA0000-0x0000015C4CBB0000-memory.dmp

Filesize
64KB

Download
memory/4796-576-0x0000015C4CBA0000-0x0000015C4CBB0000-memory.dmp

Filesize
64KB

Download
memory/4800-491-0x000002ADE5E00000-0x000002ADE5E10000-memory.dmp

Filesize
64KB

Download
memory/4800-506-0x000002ADEA2E0000-0x000002ADEA2E8000-memory.dmp

Filesize
32KB

Download
memory/4800-474-0x000002ADE5CF0000-0x000002ADE5D00000-memory.dmp

Filesize
64KB

Download
memory/5800-468-0x000002257EEF0000-0x000002257EEF8000-memory.dmp

Filesize
32KB

Download