d53a7858a392b314ef7e63d5d8d2f7fa8b6067dc0b9cc926adf219c0c4c0b768

Analysis

max time kernel
600s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZOD-master/README.md
Size

1KB
MD5

6e4616e9582ad27dadf48c5b62b53cca
SHA1

49c76a22735223a85cca9f46c62b346c7e74db78
SHA256

e6452e165b2c3e6056191326033ddcf8fcab36907bc6fe417954d5cb818a54e0
SHA512

86763d4487f75e182fd329c58b400a86c9fcbd5476748ee321a10d493b9898cabc96855d1f5a04a2258db149aa79ee870f2f2fcf351cfdce843ff497f025e3d0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5164	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
468	vlc.exe
5476	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
4908	msedge.exe
4908	msedge.exe
1496	identity_helper.exe
1496	identity_helper.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
8	AcroRd32.exe
1516	msedge.exe
1516	msedge.exe
3064	msedge.exe
3064	msedge.exe
3044	identity_helper.exe
3044	identity_helper.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe
5676	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
3592	OpenWith.exe
4752	OpenWith.exe
8	AcroRd32.exe
6068	OpenWith.exe
468	vlc.exe
5476	vlc.exe
5676	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTcbPrivilege	4844	svchost.exe
Token: SeRestorePrivilege	4844	svchost.exe
Token: SeSecurityPrivilege	8	AcroRd32.exe
Token: SeTakeOwnershipPrivilege	8	AcroRd32.exe
Token: SeSecurityPrivilege	8	AcroRd32.exe
Token: SeTakeOwnershipPrivilege	8	AcroRd32.exe
Token: SeDebugPrivilege	5676	taskmgr.exe
Token: SeSystemProfilePrivilege	5676	taskmgr.exe
Token: SeCreateGlobalPrivilege	5676	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
468	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe
5476	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe
3592	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2224	3592	OpenWith.exe	99
PID 3592 wrote to memory of 2224	3592	OpenWith.exe	99
PID 4844 wrote to memory of 4988	4844	svchost.exe	110
PID 4844 wrote to memory of 4988	4844	svchost.exe	110
PID 4908 wrote to memory of 1256	4908	msedge.exe	114
PID 4908 wrote to memory of 1256	4908	msedge.exe	114
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3624	4908	msedge.exe	115
PID 4908 wrote to memory of 3092	4908	msedge.exe	116
PID 4908 wrote to memory of 3092	4908	msedge.exe	116
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117
PID 4908 wrote to memory of 4668	4908	msedge.exe	117

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZOD-master\README.md
1⤵
- Modifies registry class
PID:1944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ZOD-master\README.md
  2⤵
  PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\dashost.exe
  dashost.exe {ae13258b-5798-45ea-928385ac30ebb159}
  2⤵
  PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UseGrant.mhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc376046f8,0x7ffc37604708,0x7ffc37604718
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13468241744588692854,8987750441121279383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4752
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\MeasureAssert.xps"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1748
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D2DBC1AB9A96F43C2FA5F6C607F8BFC --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1CAB82F5C3985B782B8A83DB6D5B9C4E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1CAB82F5C3985B782B8A83DB6D5B9C4E --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1812
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBF1CDF728C4904E128EE139873977E9 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:732
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1070CE8EC95CB7A82D0A4CE36C330E96 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:192
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C4DB7B9740C0FFFD53686153E9F3630 --mojo-platform-channel-handle=2508 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1032
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=72797B372FA3E44577196668A832CB3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=72797B372FA3E44577196668A832CB3E --renderer-client-id=8 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.adobe.com/go/SetAsDefaultPDFOwner
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc376046f8,0x7ffc37604708,0x7ffc37604718
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:1460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:2744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15168990556661645971,11578312423156549234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      4⤵
      PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:6068
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ClearCompress.clr
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5164

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SkipRename.mid"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:468

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GrantTest.M2TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8bc23e42c0947c940e5a9f3eb9316b8a

SHA1
5de7c6f75c0ba054a22ac0c23d29a869adbcd365

SHA256
cf5624d0120703c1a5b635b233b18626e23d1a95bd3a234d1fb24b8b73d723dc

SHA512
3a34271dd3a7eab2a87c26d0fe3a4802dad23fb8b81c45f6764e97bc6a5ad2fe34accb518d69e3d68127f372cbf5e1f974e6627781fb5b3dbaf45e7223659e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
56f370073c9d8866796326fa3c34a83a

SHA1
9c2d75adb667d91eab12c74dbee2e18e5066e1cd

SHA256
7fffee6734e4183c563eba70ca5327f97dc9b071c79ee0be6ba6aff0b260302f

SHA512
b9c2212eb640f8025452e42b8719576f6c68450295b095319f2712ef301632d592b092b2adc1ae9d8fe6c9c444ce5242b126899f3514d2bc02d9d7fadd84b0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
96bd2266b673c8fa89baf9eb53429a3c

SHA1
52d1a194b005eb16d7ff491bd1e0f09f107bdfb8

SHA256
da670c2e52c2fbd5edab908c7465a1ba768d07419f98d720bdbab5c9cebacd21

SHA512
b998ef13295887f4ad47135f033876f4f47c735a48afaf2839c5d64fe0f6f9910dd8b7ff7377fe015f3281e5da250ad471b9d76ef5dff9f7f96c74071cb3fd43

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
9ceb081d9a936495f9baabf31c3302a7

SHA1
c94fcee54c74eb767124d463d67cecbe8b5db7c0

SHA256
a8c8cc0ff1fb80966042f3af98140ed65440fbdcf6a8dd6a4b6331ef320e9881

SHA512
387f184859da1337efa4f2e9808bfa3e5e10edee8a05a741b6eb2afb8b42a188734d299575d05c80e8289c61a5e52ba76f689412ca91611433cd31a96ee39ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0715362bd2034d6bd0110d76b028887f

SHA1
153a3a1f456856d13b60511168892127074b1353

SHA256
8e9e2b4853e560f2b63c8ef66ba4048ce938a2c2b4c5eccb4ebc243962aae86a

SHA512
1e3aed0f4ad0f377631c09b0804a869bf4328a5f91c7c6d79d3b92f788c5d5e91f1d8588f715b577299ad331e009b973caad9ada92cd7ef69173f0e8c8901bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
723245dad74f40846fd918c7d74b56e4

SHA1
cdddf0966e5b166560ac933d22e33f72360b632c

SHA256
8521ad7d433307b9601d754bc4d229146a1bca5df9e870c4ba938d44571afd35

SHA512
61a95799ff1b0ca7439f0a04a853425bff8c043364e6be353eafcc8015a9fe5760b179e581ca42957d88912c71b4af624fd84724039f16055cf784673cf1adc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
b476a466c591fc18a39ace50c143104f

SHA1
a0da30269a2d26ee85cb70f378464ec7a6552eaa

SHA256
3f47c703e90bbb8db156e8235d4864b4669fc6abcbb8e3ea7f93ff755f6b6db2

SHA512
db2ec1ffa51320bcc1a7a9ac91d790b4a1a6b80d2d1134769d45b33ebf24b1c523f93fc41f978339e3fef1aecca81f22a021adaea2eda807c31d6c335d1b4692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
954a1097690603da40235b01a333ec29

SHA1
79f818354248620e92eed66eab3640ae2ab72685

SHA256
bae83d4ef40e0778efcdadd1f988d5e60b27d51722adc77a611a22b344234b0d

SHA512
4f665426a01640605eb8e53bd7cb8ec0d4da11a3209ac2a12e46fa948dfb8420d6001e63d7ab1ae37b2e0779a6b5bde2954a2828569949dfa6eeacb74f1bf191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
493B

MD5
c7b29adf8deac5cb55449765def89029

SHA1
d762b230acc432bcfe2b0fcc03c5aaace045efea

SHA256
08eb40cde1164dd072bb54b755ce4cd2b167190d3d4921e282b64a2b08ba6245

SHA512
026c5c755c27f954e53bfecc01297c72405780dc98be6e597edb348b0820446350fd53b6a4fcbe5e7dedddf3191670df12af74cc3f5cebf701244792a4e87189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
07ac77f584384909f0fa6db10f10f754

SHA1
b174e9125523a9398756cc6db9f5a4349e021177

SHA256
f07b8203951083a9fb815996dbdf706869004d2e7f00248eb3bd2dd83f3506a0

SHA512
ae540c8ff01205930f67200e3be4584fcb02a6b67d9d7331aab29ba6b431dad7d4c434002b33337e90997ebaea20d19963b9fe73bbf4890745595e4ef2d4b7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
05f5d57e0899360db7fac7df3c810e5c

SHA1
a522745ee5cb3608b9e63643a426a67d47406e4f

SHA256
a63acdf08ee80b272e54d846b20434417df888e330d75ff0e25e388509a3764c

SHA512
8c30fdcba3e79fafb6863a87194db0e004adfe445eaa27e257495d46f8d1a189fde27f622112001d2142f5810ee7685303a640aa341d721470012ed56b40c179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
761482479c12577c719057bb7f25efd8

SHA1
e748385aad9e7a376c7bfe6bb589ebef54bb1c2a

SHA256
f671f76eeac96d23ca15c1ce4731f4f9a36eaf4f4f9e0c4175ef731ab16373df

SHA512
abf46b8c6e21c1520266c15c9185d4fa46b6940317bfa075a6a20d5c1f902889fc31def05e931cf2fe792b682b5f6f7cdd580d25ea555402904832676ff16b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b7970222636971ba626240623c0c835

SHA1
f818f21c539fd27dafa65c73670ee04ddb2def95

SHA256
964d93fe771368f373e483f88647ba5b4de00ac70ffa3002b639c346a7d0575a

SHA512
4531d088dff11f96db402e1f4db505df6750e6f131e03ecf053d7f9909fcfb4303c27b28659247497dce39bfe1844de51c63c7205590d12814974640fd0a2b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6981ae5580ee02d0108e6464e716c9aa

SHA1
30c11b5446a008616fea26434aef500cd4c125d9

SHA256
62bde0ef5e6a14f6b6f9a5e7f327a67477533b842b6d522789de491b5bdf86a3

SHA512
78100ca9b93607d42a7f644590085bdbe6196f569f3e8ca7fb817f8d9b1755ee863d99057fa5af90326dc5085c7ef6c3fdcea9e4024615854772c838b7083a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
03a8da4abb70096d260811e57a300752

SHA1
0a4f49799426b6f7651ec245d5f5d48291d93583

SHA256
a82ba628cbd54b27d5959c6394e4959954381780add1fbde8d1223df3accf503

SHA512
993e77236880120dbf4f895183126add72e0954d650b3011856dd7f0c2a0d39539f892052ccdb76e0a3964a60dfe50e8dd3bd63f1986a58087518aa99acecf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a745ef066f75aa59c81f647a4d5ac4c

SHA1
5c57a44abd25f1704bdf0ee1fc4833c71e60e6b2

SHA256
45de7303fe0c460557759c931a8aaab08a96bb904dad0b522eeaa3206e90b88f

SHA512
021c989759e394b259b5fcfffe8920c1e4e93401ae5cfdc3202d88a6655420ee5afd950a3f515f85283c164dc5da156dd3b0b5852f1c31c369fdd5676637e510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ea62814c87f05b8f49ff641de7c61383

SHA1
74fc832af387f3e83e96af3c0e483f2374462b32

SHA256
f0153267bf4ad2de1628cc0e24c1ae5da1ed2ff2c76a0f4265592872be362c77

SHA512
e8a3ad41f1a09356a8120379e2ccae1d45743b51a91c92ecb8a7dbc5e6bb7d5c200d7d7a965456757e7170aabaaa76625339a4459c1996c2634fc3f31af062cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
01b91229a776e18cd35d4a146b79de71

SHA1
f273eb0dfbece6a069715d43b9061e80f1b912dc

SHA256
29cb042f8046a142948aa22dcc1596e8b0c2e209c7f22db16d324f2b191e2122

SHA512
b322515204bede4413e574fe97cd6cd439e8203667350d132e91d13563522b1f0447b42efd25d7ae04b6aa42cb4d351b18f404dafaf2348714c9d2ed25d31c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13363402673025936

Filesize
1KB

MD5
17909def8a64c455a0553f9ac83c7ef2

SHA1
fc8052f6d5ee17bf0768fe052e44b021642c9195

SHA256
2d80e603a56ded3df37070d2a056f9e4ba696ee3f6a51f990941cdde1adfbe51

SHA512
d8d4493ba05b46e8070dde67da610a3a9889450ad658f3bfaea80803713aa98f860d5818c8ea2d9847a3d24ed068299fcd5c0e4a4016bcc53c05ab64d124188a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363402673218936

Filesize
1KB

MD5
9128266bf5096924159cbe87d3951c87

SHA1
130978cacf25e6d6032e39b576d522a924a6aa5f

SHA256
b7fc29dc4af55f7799b58c7e7ddc4cf960882e07df0171a6eeb7b2e4ce022e78

SHA512
79ca6a6642b322327be381dd1dbeef9d5ba1efe80ea4ffe163a1ab26babcbae18cefb917db45b8bd8a2c3cd55cfa6286adf84ed26bfc883c7bc11732a810e9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
d97eb0a35d4cf97f6a9a731076455144

SHA1
50184e6cdf5c04794ce55a8878bd6cab829c9f8b

SHA256
2b3656641ceb8b4538db8492aacd7186e129f93f213f20ed815b7cfc677add50

SHA512
305a9b4363c14d22282cbde4918b0a5a54b89a17d7d63c0a7ec4fcdd58c124edb236b81ae13965d041f1172affafd6c4d6bd610675979e8030768575830240ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
5123b76678af7ff61a977e260118d97d

SHA1
59a5442a7431a86991cc1b2f19a51adda781c81a

SHA256
2f26ce336e06547a1daf81a70e119ed10578ba4f351f75e11373e985d889251c

SHA512
bba52ecb4ca1c9267aff343dec8a35029e8d3b4028a6c8f2d6232a10092230ed9e6aa12aee8f4a0761f7fb23c2ffe9b4a3f497085e15ab95fabefc20f2031a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
b21e85ca9e3076d444585c3ab8c7a44f

SHA1
9a44b8c72beb14c3ca7246a4aedc80758b077c42

SHA256
aaeb77bd9d5781515e80743a6421ee1e9dd502e51009cf63c54122170eac3006

SHA512
48803c4f5b296f886495adbe2a9adb1775316b3916762068c7804fb3a8604423755b1396de97d8ee74914843e1397cb1c54cf7252c103df6b7fff10b30ecf955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
531337d73e426a4f42fb98b783aa6afa

SHA1
43c4a11224063b09355be6c867986f0142b102b8

SHA256
dcca83e4a8ead243242a3c66b9901c7412e6da7a6776fd5d3ffed87f660d433f

SHA512
496e9db8c329ba81f58d62760aa55548c61c1b8338c4ad46cd53d166df0a11740ff82efbd8d1df16b79f300d0ed37f73ea122708a01a76d99cb77c6210a73ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
7477b2094cdf5e21a91038a2e8c45422

SHA1
0007cf3e5440dd7fcf82b4bf8f934698897169dc

SHA256
17e1537678be7b3d3afba4308f601c936740f93e37ffc537c62ab464cec6c340

SHA512
1f52a09898e3d858e8373b744b6792674f8b37a98f61cf19e00c4d887ac638d6f6af9615e11f6e1da28f7764338719d03fc2dc227139583be809cda6f3607589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
9cc59d5b5f79bacaf75d1159b5004596

SHA1
101c788b9f2146c7d82c92b403c175930e8a5023

SHA256
cf0bea4ffb1083c688502f0136a7d1b6cd3931faf52bbcbaffebe9634a920177

SHA512
2d51a9d7b0e6b243a8686d00a0ed519c6e6b6a5a2cc4f4be5a3353da28ca77073458841ae9e72f49bb7af980b2934008fe70fe34ae71c01b1137997d52818dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
51deb3afbf5e7881bf8b7ba0fc88ac7a

SHA1
65aaee448ec33838e67814afb4b58e85bccf81e1

SHA256
ae269b9a46078cda8731bcbf43a437659a5d648b9d4328af46f093e0b85ba528

SHA512
b685962a9dc852c5df282c46c936bfc6449523a1708ea2373255e33ab214195018d141def51dd64d27b4e0927aabec81e871ab3a9595070261cdcec3eba8fd69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
f2ed65f0ee237825a891d0913126804e

SHA1
2fdaac4a9720dd857c2458331b45c62f22f88fde

SHA256
d649e35c117f5a18ac65eab34b994402f0818062b9639096cace6e3b2ae97861

SHA512
fec372659f4dfca8cff3ad0f5256549eb93e40f5f1eb649aadefa8f4570fa9c31bd9ab494c35ce5905226206dbb0bb87af82a1bd86bebf9257d7a25fb48b85a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
9b449eefe2efd417b26cf07d2f8ffb18

SHA1
c7dce6391cbdde8a1b5cfc7428e867038ec0e810

SHA256
f4e00935edfbfe09a72416d0d280a856944be168e57d7e5c2b74d8f3b4663a65

SHA512
fa0480d078151b7b6c7ce723cf2f9c566acd18ad41b6db06882394a506bdaceb005b66acee37754071f7e9bd5f2c32c1d55769bb585bb0addd86be0bfb3d4f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
32aa69b9570f71e51dd1395373a9dcd1

SHA1
e37fcd1193186bf6c82084395e566c1788c976dc

SHA256
84a159e70555743bc67378887b4ea7d9423f42bde124588525572b7c4f49ae4f

SHA512
b04a4f05a5220a6c3472664301c6dbf6bc54908c36252e213a485885c709ebb9da50a49d9618bf4cf771a1d72b9ed28c5c3cadce92e7e0d6d8b62c7344050bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
4459bf26eebf0293b75c624cdf1c6b23

SHA1
2a0cf63d7d2a2a729b1b84e221955a5ab46f2e47

SHA256
2ddd13a6fc974d25f11c33a905c39ba8b6d266f7c58a93a41e5ada5975c821c7

SHA512
f9246c653ea54d90833734d359ebba743e97a7978639a8c48f64f2b026affed9281e65a44d12af2224e0493df1e3ca3dfd8fd101bd4c5170471b5dd6dbaf8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e1a1a21415a49c27e5e854869f08c00

SHA1
8641e6a963051ea4ed5a7610139cfae0ec09c1cb

SHA256
586f2d16d0fbd9a047319a1896dca30a3163ce607807feb611a4b1a8f5bc7eef

SHA512
627b8eaab1edb7bb928da3f0e2c2e9824464c296a1a1ef1ca92f59091078365fb1e8e4fe45314273a652ec6a89550e1b31257c86f3536df22a9bedeeb0f10169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b1bb3de5b00293b08d127eb9452d8b7

SHA1
a013a64ce238e9152563cb80fc13107c7ac004f4

SHA256
5b5997ca046c0b23fbb91505203b3a70a904ecd194265cbf36713657a88215d6

SHA512
a7c2902171e34fa34770abc3324362447584215a7955cc3c921dcf95224c774b14e99e5401e2df39911ba96b4ac8abcadfd41d590eca2c515cd0f260fbd4ebc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f2c15af0c73f1cc2b4b4115d1edde0a

SHA1
b2d588a5651f7685f3be1fb113b2949d171c262a

SHA256
23cfc2d34dda9ed6081b488627b0d6e797c991658db0b1565cd97690b33324ac

SHA512
5b6986794d65ed5aa7fc15a9e7ac6f2e221bd10a6c2cc6f2275ef28ab476113b684d9eabeed81fe73fa544839b1129ebb8590847b54b936d6dc93037001c55c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
6eafe06f2c6f78b1a5c304f182948ba7

SHA1
5efd5618278c73a658dc82885812329df42557d9

SHA256
a9200491fb62fd1b83ec0f3ac4952795202a749fd1508b1151b4a1a93e0ca6ea

SHA512
a7b0cce7b10d2514bab6d9572989a9892afe1e703d01d0b5816f26996ddbe76330dfd28b9e25efe940391c3e550d5a279666ed41d45c7c5f3bbbf826b6fea678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
5b5422b6b8b17e63a69992f07175fbf6

SHA1
055d5e435eda007f1fa0810b8ecbbd036c2e9370

SHA256
1a792c29e3bbd98ae8c78d1d0afd34577744d71ee1d14b4da4cfe6d9223185ee

SHA512
d24bae4b0af8d866d590c4cd178194881c7a802819d6484b0749d81179c4d843fbad14965ec33d916adf3501b9ee035019f7fb79b12f302face1c8b4befe4b4b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
530B

MD5
2d3fbc7d768b00210301950114c4d8a5

SHA1
4075156ed5064e7e2b187defdb505d9b2f4fff65

SHA256
c85b00fc92660e61eb4493f393776a53db525350a1d5444b99607aad73bab39f

SHA512
4a3dd3b0f895d5d3279c3c48ffc298acad8f8556318bf1d3267abd332ebb12631427332b74a418f5ea4f6ecf39843af985d093369eb1437b3e5052973ac31e70

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
memory/8-579-0x0000000003EB0000-0x0000000003F00000-memory.dmp

Filesize
320KB

Download
memory/468-630-0x00007FFC504D0000-0x00007FFC504ED000-memory.dmp

Filesize
116KB

Download
memory/468-629-0x00007FFC504F0000-0x00007FFC50501000-memory.dmp

Filesize
68KB

Download
memory/468-633-0x00007FFC4C5C0000-0x00007FFC4C601000-memory.dmp

Filesize
260KB

Download
memory/468-628-0x00007FFC50510000-0x00007FFC50527000-memory.dmp

Filesize
92KB

Download
memory/468-627-0x00007FFC50530000-0x00007FFC50541000-memory.dmp

Filesize
68KB

Download
memory/468-626-0x00007FFC50550000-0x00007FFC50567000-memory.dmp

Filesize
92KB

Download
memory/468-639-0x00007FFC49070000-0x00007FFC49081000-memory.dmp

Filesize
68KB

Download
memory/468-640-0x00007FFC383A0000-0x00007FFC385F3000-memory.dmp

Filesize
2.3MB

Download
memory/468-638-0x00007FFC4C3E0000-0x00007FFC4C3F1000-memory.dmp

Filesize
68KB

Download
memory/468-637-0x00007FFC4C470000-0x00007FFC4C481000-memory.dmp

Filesize
68KB

Download
memory/468-636-0x00007FFC4C550000-0x00007FFC4C568000-memory.dmp

Filesize
96KB

Download
memory/468-635-0x00007FFC4F600000-0x00007FFC4F621000-memory.dmp

Filesize
132KB

Download
memory/468-632-0x00007FFC47B50000-0x00007FFC47D5B000-memory.dmp

Filesize
2.0MB

Download
memory/468-625-0x00007FFC50570000-0x00007FFC50588000-memory.dmp

Filesize
96KB

Download
memory/468-624-0x00007FFC39430000-0x00007FFC396E6000-memory.dmp

Filesize
2.7MB

Download
memory/468-634-0x00007FFC32EE0000-0x00007FFC33F90000-memory.dmp

Filesize
16.7MB

Download
memory/468-656-0x00007FF76CB50000-0x00007FF76CC48000-memory.dmp

Filesize
992KB

Download
memory/468-657-0x00007FFC505C0000-0x00007FFC505F4000-memory.dmp

Filesize
208KB

Download
memory/468-658-0x00007FFC39430000-0x00007FFC396E6000-memory.dmp

Filesize
2.7MB

Download
memory/468-659-0x00007FFC32EE0000-0x00007FFC33F90000-memory.dmp

Filesize
16.7MB

Download
memory/468-631-0x00007FFC504B0000-0x00007FFC504C1000-memory.dmp

Filesize
68KB

Download
memory/468-622-0x00007FF76CB50000-0x00007FF76CC48000-memory.dmp

Filesize
992KB

Download
memory/468-623-0x00007FFC505C0000-0x00007FFC505F4000-memory.dmp

Filesize
208KB

Download
memory/5476-704-0x00007FFC4C3E0000-0x00007FFC4C3F1000-memory.dmp

Filesize
68KB

Download
memory/5476-697-0x00007FFC504E0000-0x00007FFC50521000-memory.dmp

Filesize
260KB

Download
memory/5476-690-0x00007FF76CB50000-0x00007FF76CC48000-memory.dmp

Filesize
992KB

Download
memory/5476-691-0x00007FFC505C0000-0x00007FFC505F4000-memory.dmp

Filesize
208KB

Download
memory/5476-695-0x00007FFC50530000-0x00007FFC50541000-memory.dmp

Filesize
68KB

Download
memory/5476-702-0x00007FFC4C550000-0x00007FFC4C561000-memory.dmp

Filesize
68KB

Download
memory/5476-709-0x00007FFC48760000-0x00007FFC48771000-memory.dmp

Filesize
68KB

Download
memory/5476-692-0x00007FFC39430000-0x00007FFC396E6000-memory.dmp

Filesize
2.7MB

Download
memory/5476-696-0x00007FFC47B50000-0x00007FFC47D5B000-memory.dmp

Filesize
2.0MB

Download
memory/5476-698-0x00007FFC504B0000-0x00007FFC504D1000-memory.dmp

Filesize
132KB

Download
memory/5476-693-0x00007FFC50570000-0x00007FFC50588000-memory.dmp

Filesize
96KB

Download
memory/5476-694-0x00007FFC50550000-0x00007FFC50567000-memory.dmp

Filesize
92KB

Download
memory/5476-713-0x00007FFC48350000-0x00007FFC48367000-memory.dmp

Filesize
92KB

Download
memory/5476-712-0x00007FFC38670000-0x00007FFC3877E000-memory.dmp

Filesize
1.1MB

Download
memory/5476-711-0x00007FFC38780000-0x00007FFC38900000-memory.dmp

Filesize
1.5MB

Download
memory/5476-710-0x00007FFC48480000-0x00007FFC48491000-memory.dmp

Filesize
68KB

Download
memory/5476-708-0x00007FFC39B30000-0x00007FFC39BAC000-memory.dmp

Filesize
496KB

Download
memory/5476-707-0x00007FFC485F0000-0x00007FFC48657000-memory.dmp

Filesize
412KB

Download
memory/5476-706-0x00007FFC48660000-0x00007FFC48690000-memory.dmp

Filesize
192KB

Download
memory/5476-705-0x00007FFC49070000-0x00007FFC49088000-memory.dmp

Filesize
96KB

Download
memory/5476-699-0x00007FFC4F610000-0x00007FFC4F628000-memory.dmp

Filesize
96KB

Download
memory/5476-703-0x00007FFC4C470000-0x00007FFC4C48B000-memory.dmp

Filesize
108KB

Download
memory/5476-700-0x00007FFC4C5F0000-0x00007FFC4C601000-memory.dmp

Filesize
68KB

Download
memory/5476-701-0x00007FFC4C5D0000-0x00007FFC4C5E1000-memory.dmp

Filesize
68KB

Download
memory/5676-677-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-678-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-684-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-685-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-686-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-687-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-688-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-689-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-683-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download
memory/5676-679-0x0000025A471A0000-0x0000025A471A1000-memory.dmp

Filesize
4KB

Download