Malware Analysis Report

2024-10-19 10:52

Sample ID 240525-wka58acf3x
Target 72c70d9be05436cec566889e324abc1f_JaffaCakes118
SHA256 2a329aca11ad3ca4971d2451667f37785d349cd32a8f3f624aec20e9710d00e2
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2a329aca11ad3ca4971d2451667f37785d349cd32a8f3f624aec20e9710d00e2

Threat Level: Shows suspicious behavior

The file 72c70d9be05436cec566889e324abc1f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Modifies system executable filetype association

Registers COM server for autorun

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 17:58

Reported

2024-05-25 18:01

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Command Line

[/tmp/72c70d9be05436cec566889e324abc1f_JaffaCakes118.zip]

Signatures

N/A

Processes

/tmp/72c70d9be05436cec566889e324abc1f_JaffaCakes118.zip

[/tmp/72c70d9be05436cec566889e324abc1f_JaffaCakes118.zip]

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 17:58

Reported

2024-05-25 18:01

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 17:58

Reported

2024-05-25 18:01

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 17:58

Reported

2024-05-25 18:01

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 17:58

Reported

2024-05-25 18:05

Platform

win11-20240426-en

Max time kernel

340s

Max time network

342s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\72c70d9be05436cec566889e324abc1f_JaffaCakes118.zip

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\~$UndoUnblock.ppsx C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
File opened for modification C:\Program Files\~$UndoUnblock.ppsx C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
File opened for modification C:\Program Files\UndoUnblock.ppsx C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\msinfo32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1688946391" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31108900" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\odopen\ = "URL: OneDrive Client Protocol" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\FileSyncClient.FileSyncClient\CLSID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\odopen\DefaultIcon C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ = "IMapLibraryCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ = "ILoginCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\system32\msinfo32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4752 wrote to memory of 2972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2972 wrote to memory of 3304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4448 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\72c70d9be05436cec566889e324abc1f_JaffaCakes118.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Program Files\StopExpand.mov"

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Program Files\UndoUnblock.ppsx" /ou ""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.0.1122405631\808677796" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71904360-0e67-45c2-8f57-7f9c28ec225b} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 1864 121afc04d58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.1.96039743\672192893" -parentBuildID 20230214051806 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e39f6bac-1466-4b56-b3cc-e7d6553421a9} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 2388 121a2e85c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.2.1688796407\1213836383" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2685732d-c369-4b44-bf92-e7d93ffb308e} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 3132 121b314cc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.3.414714579\882837839" -childID 2 -isForBrowser -prefsHandle 4260 -prefMapHandle 4252 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f684f9b-8f81-4bff-bd19-c1e500d88e9b} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 4240 121b82d1f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.4.466667377\826092363" -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93e6b57-0fa3-4c90-a544-15e4a456a9d6} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 5084 121ba5cbb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.5.1608478955\1550906097" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5252 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374d048a-fde0-4e2e-8398-b3400348487b} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 5236 121ba5cb558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.6.239719277\1771328661" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf35e1c6-3eb0-44f6-92e4-c4e7f5a322a1} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 5420 121ba5cc158 tab

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2972.7.791749261\1125062092" -childID 6 -isForBrowser -prefsHandle 5944 -prefMapHandle 5940 -prefsLen 28251 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32395307-0cf3-44ae-8797-ea03fca7566e} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" 5952 121b6a87558 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde5d13cb8,0x7ffde5d13cc8,0x7ffde5d13cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\UninstallGrant.ods"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\StopUnlock.cmd" "

C:\Windows\system32\msinfo32.exe

"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\BlockOpen.nfo"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8347213540286285252,4984750328301035406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39d7055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
BE 2.17.196.160:443 metadata.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:49908 tcp
US 35.164.250.149:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
N/A 127.0.0.1:49914 tcp
N/A 239.255.255.250:3702 udp
N/A 239.255.255.250:3702 udp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
US 8.8.8.8:53 240.83.221.88.in-addr.arpa udp
BE 88.221.83.240:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
BE 2.17.107.120:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 2.17.107.120:443 th.bing.com tcp
US 8.8.8.8:53 120.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 185.83.221.88.in-addr.arpa udp
US 2.17.251.5:443 aefd.nelreports.net tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
US 2.17.251.5:443 aefd.nelreports.net udp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
US 8.8.8.8:53 s.bingparachute.com udp
GB 23.214.156.24:443 s.bingparachute.com tcp
US 8.8.8.8:53 24.156.214.23.in-addr.arpa udp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
BE 88.221.83.185:443 th.bing.com tcp
US 2.17.251.5:443 aefd.nelreports.net tcp
US 2.17.251.5:443 aefd.nelreports.net tcp
US 8.8.8.8:53 aefd.nelreports.net udp
US 2.17.251.5:443 aefd.nelreports.net tcp
BE 88.221.83.203:443 www.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.133:443 login.microsoftonline.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
BE 2.17.107.107:443 th.bing.com tcp
BE 2.17.107.107:443 th.bing.com tcp
BE 2.17.107.107:443 th.bing.com tcp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
GB 104.86.110.104:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
US 20.189.173.17:443 browser.pipe.aria.microsoft.com tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 222.197.79.204.in-addr.arpa udp
GB 104.86.110.104:443 tcp
US 8.8.8.8:53 r.bing.com udp
GB 104.86.110.104:443 tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
BE 88.221.83.235:443 r.bing.com tcp
BE 88.221.83.235:443 r.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q6G58NOJ\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

MD5 12e109743bc418d1a9ab37ab3fd413e1
SHA1 3a7455ae533f4a6437d94b9d389c5a1d02a7f331
SHA256 c6e0650b8f16fe280609fb71d5c5751d0b538a2e5da920af2a70cf93a6fd6b29
SHA512 f2d674739bd133553a242044b42fc187005f096cfa0d5d0275b059f17520df4ad09d0c528f04dfeae69e561d24f5a08bf10e6aaaca92b33c2b035846d6849e9c

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

MD5 418e1d460f81206714d712db070f563a
SHA1 6aebfc0a73131bd6ee2df842debfc24cdbb62a83
SHA256 b7ef65396bce3b271e452f320f9e76d018358c8a8328d2839c46367fd10051d3
SHA512 dafc0360acce7b7cf6f7fd448a2fa35fbcf66abd61a4b54c313f4b7a949972e7ba8e015d9a54c699dd5ec10e7101cae0abab8ada473d0f0cc67860dcfd0a3a35

memory/1028-74-0x00007FF6A76A0000-0x00007FF6A7798000-memory.dmp

memory/1028-75-0x00007FFDE0440000-0x00007FFDE0474000-memory.dmp

memory/1028-76-0x00007FFDD9DD0000-0x00007FFDDA086000-memory.dmp

memory/1028-77-0x00007FFDD8880000-0x00007FFDD9930000-memory.dmp

memory/4040-81-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-82-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-80-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-79-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-78-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-83-0x00007FFDB9460000-0x00007FFDB9470000-memory.dmp

memory/4040-84-0x00007FFDB9460000-0x00007FFDB9470000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 ffebe33d0bd9667c38c2c2430d462993
SHA1 92b15887d3608b6f98fb1eac7fd7545c580335bc
SHA256 57cb7a0eda2e7fbf7781aa63b840b11995c3e6e1b136a3d819d75fc0f3de0718
SHA512 2b59bd90f4a7f0c7b06c90418958b0662179a46b918dd67c6ed70ed204ac9693f7183e1a9ac01fb14487771153025f580c8f0d772ccbe79d7c8e8b233cfc8d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 7a9c597a9c50eb00b47e1a40bd65727c
SHA1 12a54f0dd4a71f415dfc07fa643766ef4eb00332
SHA256 8dc7d6b6b107c692a81fe9badd397bbc8810c404184ca7e1239b68caa71eeb55
SHA512 d3604bc47c907db4cc3568c9aaf07946c59abea0b35ebdb9b66c6538d5b2f89dbfde73e33e68213a0cd425743b5d10d28e7871152a635c5bccf334a6169ab297

memory/4040-102-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-103-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-105-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/4040-104-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp

MD5 a5400217a98647eef5240f7759158fde
SHA1 285dceb9b2770ea87546560efc6afaa8ee008ec5
SHA256 6e17c087d5bd77296415b4f5684435b8aad2f0b427276e8299469ccbed809945
SHA512 82f89f1fc516dff265e7617cfbb641953dfbf293a892520fa504fcaf75739f344c02fb32181469083ef611ecd84706a108d676d0a86e0b15be28ffc55fba0b98

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 9f21fb814408e2d2ce1cc1fe867ca60e
SHA1 3b4777b5a732f8b4ee91847bfe8037a42b4c66d4
SHA256 8175cab76132eeeafc1f44bf3a612071ed403fd16c8d81021b4a479eb932080b
SHA512 e8d41d4e3a89c3722fc8f30edafbcc9c7be20c4672c1cd951c5f26498888d2de033650710625e07586621eaeaea8c274cdcb5b4a2c9c007f999f9c45ecea6f0b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9166e8eb2b81e2049aab11c4a6618dea
SHA1 872a394b6b25b6541beca5d055f937e96a01b27f
SHA256 6f385a37a0be54abaeb08bf76f6acd6c4b701178f024e798b6e836d5a8166e19
SHA512 b43e449e0af486815c791d0283b9e24378c243ecfbdbc0acfb3c7b2d16db4a5ba21ed112b49e7b29862406bcc992d1de2ffc1576bdc0b8652d27cd10abc7c26b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 1a8a54bef98e808280dd0efe83147706
SHA1 d628485258a6f7963a5576a75d90bda81d7ef5e7
SHA256 6cc254986472dc0de601fc655bb430e0adaf61e3d1a6b90d8687476de69ad62b
SHA512 75f4ff4113d5e95aed677fabfa42916ffd70dfc62d4657cebaf8567dee4b1a502003a3743c7cc640b5b176675fb41a5f7083980dc8822d96bd380979bc9e0666

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7024e3775386748064020f219f588963
SHA1 20648ff643885baa04f86cde0be8eb3d183fc175
SHA256 07202427831d8f1c9e3d54d48d30eefaef72dee5a4f54d95c214efd437f2e59f
SHA512 618a4f4d9bec5555dd59f83a323fe41c8b976ca2853bbfc5b4a78e51815cc2143c52a82ec2ba7a76300831691f3851c023bb88cea375bec2c81bf042d5fba822

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4

MD5 5c98526bd1d627064ef1978a22b6ae3e
SHA1 1dd274793079ed82e518b679f9f1fb07fecf7dc7
SHA256 a5bc59c8fbe8072f140c229359550a58f1f2ff34ed12ee9d6190180c27b06553
SHA512 0d0c6234beaf600703f572e9b82c411a373e4dbded1bda772c1a5ec31f0bed033ee637fb1a662cf90674f176c82cff659cf56aa3219e36697d76bfae1206a902

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 ba4b5072b2eff9a9ba64dc0be291e7e2
SHA1 8e55ff6975a84a64663b822fceccc717f274d47f
SHA256 d88a0265beb71a535d5da4d594e08ff9a9f2510e233b118656138de75f57e507
SHA512 4d80ea0f4f03dd29fa4a76ae6d971ffc0fd09522bef1de536ece96db4603c74832189f7c0297d7ab03414745777141fcdfd34e3b3d8ccabed51f8882eb38a0fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 704d4cabea796e63d81497ab24b05379
SHA1 b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA256 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA512 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

\??\pipe\LOCAL\crashpad_640_BCVOWRWVLXMTCXRN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 de47c3995ae35661b0c60c1f1d30f0ab
SHA1 6634569b803dc681dc068de3a3794053fa68c0ca
SHA256 4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
SHA512 852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5ea20578e8d5a9c38ca3971477c4f6e
SHA1 85b06b1469b2da71c672fa09ce303c10098392f2
SHA256 c45f4845d5437833aa66b2588748176c7409d9389425d44421606b08ee45e6cb
SHA512 fcd43c60eaae9280a3fb032ed203e3ed7a0eaa296c878be15bae28436ba8020e40de24183a288bdc8e77ea969534d6e6c5a439b4dcff77d2b5999d7237ae56f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 59873c7e37a707aa2012cbcca8cf087e
SHA1 796449dc9c1399a60eceea6538d154e6b03810df
SHA256 62a5c86d56cfe6bf2962425e50c111dc8f2e7fa6e2830452bc04cf8f13babd78
SHA512 5c37f3ddc3bfc3c28ef68794c1dee54597009fe75179ad40140c768447e3dd5369091803d1e03d87df7c3f5aa762d2927ce60cebb42afab1fbddbbe939fc1b1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 a87d58172bcc6f54887d05d07412b192
SHA1 ac559750f95ef153d0a07f21090f31645d90f723
SHA256 c0459caffd5d48db1b09a98a7dab4aba3679237db73e642edefc69a32515b277
SHA512 f4ebd2dbe18ef5e5ccaadb4278bf79f5d8e489beceec1cec74330a20b7e0e8bc62b5e3cd0ed406541042f27b749bb3c4c0e09c6a62bf396c769350b828ec9c21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 17773a6958e14fa8a37bbd44b56af2c7
SHA1 d6258b47e81d0775b36f0718fcb9dd6a00791b37
SHA256 97ed46d4e24078bb1fc307095dd8530e6ab3403ad84fa58aeaf47d8a2cdfc250
SHA512 e82331ebe862edf44d8c8282cd6db9c810961d8b001c90415d83c81d8f3f5b99ab8f2352eb551a6b8aae300f6bf1c3a07164962fba6e95d709354d1ac7304a56

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40e9619d99602b99c94489a2146a6da7
SHA1 32c107a46f1baf3ffd512eb26de2a7610c43ea8b
SHA256 9734b54bb42e2149bfa1106e45fc52c83d9e3eeb9dbb89dcc4dd9c07fcbd4a55
SHA512 8adb406cdd74b27797d32e1b45c980ade3be3052c7e316db95b355743ad308913f992b7f6baba2961b990075821a944b5c83ae3ac5053c7104199bb988a6d215

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8b83c7de06d50f6835342b43db633d7e
SHA1 9098f782863b47810a75d87d9a09ffbc845d3af2
SHA256 dbbcbfaa68dddf30d7a302e00091e04e075ad55142c1297769fa77540eaa7346
SHA512 215472eed3ff10de3eae5017a94ded2b7722d9de9fdac7b198ff5baaf5210e473b3c324605a236b59a196524b8dfe6599a056186adc83c32fd2ac6bdcd96c89c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b25a5.TMP

MD5 7fadae615259b10df838cff9326db508
SHA1 e4d6624f6441172b8dcc643dfbb8c13f31562548
SHA256 90487573c7272509e58ce546a2053e808493ab6ee0623cf66132eebed307c631
SHA512 5299cef4011685001d2a0206dc85c1efb51cc57db315458268982fdb3f7c9129892e1ccf68f6350c6b99edbfd30cbf6d648848658808439b53c4699932993730

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de20dc5564076e180d2bc303aca16365
SHA1 6882a41aeaf25c290484c21194b3a26895c922dd
SHA256 58ff6ada647e354a09efb9ee2d8fb91ee1f6b7bc6ea846261d6049519981d9dc
SHA512 e2ce8798fc9f7c0e42b1e8d132c37527707c17438e8d431b15311a09ff87f2c782bf94f44d70700a1bf259c2b646093ea149d75398f6ffbbc7ea0dcd410cbe05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fbd1d963b5c5496f65079da853dcd65e
SHA1 9f057e9e1674ca028a9c43504bdcb4e33cab6958
SHA256 7100d68975c4cdc86d957b90dcb71038d73d022461ff3647ca7437c1ec18095f
SHA512 b14d60c414e4fcfebcf2c5261e3bcccc413423be2ede99173f4ab78d03bab1fddee4dcc92685b364411809b4ebf65eaf7807924abd8f48f69e2f8e310f356c3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e6c24e6d2c68a71a158cd35cc2115bd5
SHA1 4f8597437191715654b293f03ac74a9f05f411e2
SHA256 5ae1699ab84c16128f91c5e4217ba4b28a5ffbc303aea62d938651a8bccc1783
SHA512 38efbc23484b5046ed1fc0658f2221385bcf5aa2c11b96472b3741749bd041f7ff7af2bf6716e697bb2d308e2d43e931741c96259fb8d2cc7f4d51e857a747e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 01a58162e85de7e0572e5be1e07a84dc
SHA1 d294da4c2a5c0af48ded12f0a1107aafc426f54b
SHA256 ff23ffd073136c7f3edf3c64b03868ffdafa489c70aa62287e76c1ab153c3923
SHA512 196a98cd06574dba7ebcc9ff4621edf56f4542a21e7216980469936c7292ef885f70a09291dd0a7040144f72fc2fcdd3d8b6eba9bcf3fdf974493f0596cbe325

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ac113116bbf1f4c6cd032f32927b3e03
SHA1 368586eb5765a3f3957f992ba4de2ff8f2f35c7b
SHA256 41a39c6bbf5e2d4a1ca861600e9c96b1cb9a9c8e1c2cc45f1984c70e8731e794
SHA512 6e8dae061dc090c6bd041cc83ee095a47f82c055418f5efca87c26968e24191eca89a2384eb853acd1d62748dd728ee727716498ca923ddb883b36d5ffe67681

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c8244df693c38e3bfa92c0b6fa19fcf8
SHA1 26ba7e53d84b23eb22f82730c628c218d3de4d95
SHA256 24233eb680958572a593dc8eef22ff2d9057835422c6683bb0e21bed0dbd642b
SHA512 f4377e7d722dc80fef5bb552ed7edafaed833d19722035014ff113a47b8f8b4617443fe748876c7f598507d5763ca4055624db2e709e07a6a958d98f0992521f

memory/3372-501-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-500-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-499-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-498-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-497-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-502-0x00007FFDB9460000-0x00007FFDB9470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0AD3B35-A1F2-42F6-BBFD-987ECEEDA9B2

MD5 96b2b3b2c85df58feddbb232a89ffd8a
SHA1 beb69ec6094763b6cfe8fe2faa4c0cd445932216
SHA256 7e8914b88047061d8c88ac31b2d4de8c7710bf9c0cf505d276b3f8622d4392ea
SHA512 71c0497bcfc0d88e866b77bf4c242bdfa73e5cc02e81e72571dd02df1f2a02a280c617ca35438586fe25a031d0f9be9f9183c323a73d18fc39266a619187b086

memory/3372-504-0x00007FFDB9460000-0x00007FFDB9470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8b3e634077e4126e804b960d6458d969
SHA1 3f95b639ba7b57c6020e933a6b34f816bd8b5e4d
SHA256 a69dc4febd69f21072ba2f14019fdc8a17b4d69cc9d117b729ef15e48adb9211
SHA512 ee752996bfa1d756e8f9d37181a07d8eeffab610c8fdb94470b7c742536aef971b215bc5e06836981e02ddfae8934b8f2d78b2155819bcd23c559c94497976c4

memory/3372-530-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-532-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-531-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

memory/3372-529-0x00007FFDBBA50000-0x00007FFDBBA60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 aadd17b5d0d20496473515a7fedfce49
SHA1 8fe88fe9f4aff3ab5da9a0587c8bdf76efa4155d
SHA256 13c1c477e64670dc0d862457db6f71a0533f0eb127c87e2c69e26389e5dd0523
SHA512 1484a4d14ed920cdaf0a8dd2261db6b8c660fd46e6340d529e5a823808025c4397b3482a185c062f68ca2292f2c4ad551d1e3b533878bab21e82e63d28853606

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 bc467a18f66ae6f103a955eb1457d9cd
SHA1 fb59d3acecd41aa2b0aaecec04a815cc75aab3af
SHA256 b70a1379445d5963c516c025370b40e00ecdfebcd798a1221e6af0d490a80396
SHA512 a223acb151744b97d9f4e51fd74dcafda85ec060adb79a2cf9ed943a600719d9aba2f02003451cfef7273b9682df3357baef918f35f0a290d75f5cb9814f2803

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6d7146d472408b06fa4fa21a9871a29b
SHA1 ac6966adecc590b57085e5fb24405a787c1060f1
SHA256 84b157d77fd975c3ed59b26069737ba2733a226d1e0c71e2d24f8a535e0b7fe5
SHA512 3acf0489c8637b2b6ff1668756722796895807c820a9f6db0df15ab68009a84b5eba86d19722258bbd0f21b38e7baccf1c1c27c5a5c3580c5af4c921b2b9f0c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e6028d6c1947503c460cb4efeafc1ae9
SHA1 d524bf4ed853feae1de608f6ebe245187c0baed7
SHA256 e065249969560730e5e141ddad1c44af169f696f72be9b1dbb234c7491970362
SHA512 4eb4d0e3d3ff6fa4d80e3105b88b0b5f00fa4b0213a5ccada6ef11525932018133e849a3d5a0b0014a010b2d762581d347ee15f3eff822e2aba71f1893c3be8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 111eb6cdb2b31828beb411f0c5656d24
SHA1 f0856cb557b77f9c0fcdf344328d5ca5a6e85f6d
SHA256 3b6ef97d5908cc08caeb787cb2c29209a38fe10056675f028963d7fbce7cc277
SHA512 d939e07ed6cf4f70462351c6e1c6b537936e066a3fa5407cd2763d00d5cd4a47a8c607f8f49bffcc9e657d8e1b9347177a23bb8cc444f9c17e2fef98aaeb07ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8771e019baeade358abe5c1cc65cca26
SHA1 210eeadaaf0c006fd87e7bbfe2744a5ba6c4798f
SHA256 0c32848e49b479050ff858111b403e77a92b0bbf02836e137182101b63c0938f
SHA512 ecf0d64ab67a0e6fa7eb097ffd6af755bec9712efeb73210f057d6c3fa507cdf87bd2a277cd6424bc38fed3b03a649ce29c38c707833a68669c14e6d8ba067fc