fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
2695s
max time network
2700s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

8^/10

defense_evasion discovery motw persistence phishing privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET961C.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET961C.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET9746.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8C28.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET8C28.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET9746.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8B9A.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET8B9A.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CA38CF219C8E9782A8CBBD76643D24E4F2D74B03\Blob = 030000000100000014000000ca38cf219c8e9782a8cbbd76643d24e4f2d74b03040000000100000010000000e4e34304f4315a15a0bc0e413363721e190000000100000010000000c87364a1df5cfaa973f544a5206e8194140000000100000014000000573133394358b8d9f870ed67cd50374f92d3ff710f000000010000002000000092cfeddb8485b879cf9232fde30df21fd200fa56712c8c92908b447e1a1d33af20000000010000007a070000308207763082055ea0030201020210030e330a8ed28347bda3bb478e410d7c300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3234303231323030303030305a170d3235303231323233353935395a307e310b3009060355040613024445311b301906035504080c12426164656e2d57c3bc727474656d626572673112301006035504071309537475747467617274311e301c060355040a1315416e794465736b20536f66747761726520476d6248311e301c06035504031315416e794465736b20536f66747761726520476d624830820222300d06092a864886f70d01010105000382020f003082020a0282020100972d1d652b2ae50cac2c1e499b38c5c561134e6348ecab72337b67dfd1f7bad70054193e2252007751d9ce92967b0454f8a1957870034b465b41f478e60ff6c92c7fd735506ef2b7a81c18acc3729f8ce22cd1caa429bdbe5d5f0ac942344a3ef4bd5fb1048c47ccd25c2c4e315caa2686d3c1c469cd3793f5be068c00b91d7c673741cdaf4a05c1a782e8cc5eee6c09dd927eb31f1eca0c6cab4350196024ab28f5a59f2cbde92850042aaa6798deb5989495ba9224d22b3afe20aa721a379265049ed9d9bc86884dc7c16611e2f784c456d199760ce5d8debd916e68ffcd77c15d71dd1bd4f0ab4aeeafd2e4850c35e6e7109c58dd068e50d5ad9e3d9439e95e007aa2a06222ae6bbebf54f30953f6479fea4d566e4b73ca023ee32cae31f3d59fbeb1f99e218809971def0d1dfd019620c7b251445b6a450137c8831fec87497c7e54533845eb7705a46950a314c78212b079a36dd6353e3b1c1a93b664c2e69f3a1c339dbaaec468c32ac73a48e43daa2d5b66930cfd6ec9ebea031bd3ec04f561ff760bc7d3f713fe9b3e9ec38718750fc452df6ab65548bce5def71ff17c7ed1889165cd03602599f3851b247003f09c896300f23cca788100ce263f66a4ef827e8a718cca76e0d6fcf93e95ce359efc329217f88938b29213a5789bfaa9b471c24b5bc9aab23b68796c185dbbb840b7a074944a6960b134c7b25ed6f50203010001a3820203308201ff301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414573133394358b8d9f870ed67cd50374f92d3ff71303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c30819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63727430090603551d1304023000300d06092a864886f70d01010b050003820201009bc3d91cb63175cffbc813b2b5814e77c9940d5e0c2d10fdac84edc784495ddfcb2e4f2719af9843101e70abe1eb54300a715573ccd0433b0dd8ee13efd79eece380f233e18a82ef7b50c2e4f7cf2167e8122a01a8474bd1d3e93c20193f3a45db0afedf99b51460c0e0e8b62b82d56b57e22b9bba3a07696a2799a3fee38dee6a5308d0d429a7c64d59031e0a0e37d91febb3f2fdfa34c9b931d0ba00aa1c9438db280424c8958ef86297c18093c66fb8ac5a2922a97447eb566195def497706a8650fcd7ca6b58ae2cef3315ad47766b35045f419963564448bf06b90094a691de78716c87d58a366bc8e239066e99a81639c03f99c96c68e54aee17af02052b8e8d399499bc03646b44c675f98cba4e86a1130ddbff1d9a78221d5217c95a9fa3587c43d9fda62693aabd448814380e0c7e8a1a32d0a0d3334d33b86eeac1de3828a8b513f8279984e9aeec85544c0d5a3e9c57dfd5641a0598af756de93089c007744baf14b15bb28265ba9aa8088c3753a9c099daa36d8ce4a304e803e8728c5411dcbd182b7ba9caf83499cf3e0ac836a789f8fb26a543e438ac16b3ed277ceb0df5df6e0d0ec8634d8a4b3bbf30a96da5113c10623122820c6b316fcf6fda942642003cc09e658ce6548d55a719e85f6d76b5152c9df8efdd83f090a7ae5acbe7430ae395dcae7b8dd8e859fb7a48c5556a046bd89e2a9c68c9fe2dba	DrvInst.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.1.4-165100-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
457	https://www.manageengine.com/cookiepolicybanner.html

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\SET96B8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD10.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD11.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD12.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\SET8C86.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log	VBoxSDS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.gpd	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\SET94C4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\SET96A6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD0F.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\SET94C2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\VBoxUSB.inf	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\SET8C87.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD0D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\anydeskprintdriver.inf	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD11.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\SET94C3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\SETFD0F.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\SET96A6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\SET96B7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreenVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_autoinstall_user_data	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6StateMachineVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat	msiexec.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif	msiexec.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\cpumctx.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqliteVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_autoinstall_meta_data	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf	msiexec.exe
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VMMR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\vbox-arch-types.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows10Upgrade9252.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSI8B75.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\Installer\e607e2d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI83B1.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\SystemTemp\~DFF1A8016CB06BE6B2.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}	msiexec.exe
File opened for modification	C:\Windows\Panther\DlTel.etl	SetupHost.Exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI81D8.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2F45E59FB11BAC87.TMP	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI81E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI821A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\INF\oem4.PNF	MsiExec.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9387.tmp	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File created	C:\Windows\INF\oem5.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A61.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI81A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C13.tmp	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	MediaCreationTool_22H2.exe
File opened for modification	C:\Windows\Installer\MSI9398.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\e607e2d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C43.tmp	msiexec.exe
File created	C:\Windows\Installer\e607e2f.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB4A0FB8654821DD6.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI83F1.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\SystemTemp\~DF7539494B3C099BF1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8682.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox	msiexec.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe

Executes dropped EXE 15 IoCs

pid	Process
1312	AnyDesk.exe
3968	AnyDesk.exe
756	AnyDesk.exe
1712	AnyDesk.exe
1436	VirtualBox-7.1.4-165100-Win.exe
3952	Windows10Upgrade9252.exe
4552	Windows10UpgraderApp.exe
6140	Windows10Upgrade9252.exe
240	Windows10UpgraderApp.exe
5316	MediaCreationTool_22H2.exe
240	SetupHost.Exe
3484	VirtualBox.exe
4456	VBoxSVC.exe
2996	VBoxSDS.exe
3752	DiagTrackRunner.exe

Loads dropped DLL 60 IoCs

pid	Process
2084	AnyDesk.exe
1828	AnyDesk.exe
3968	AnyDesk.exe
1312	AnyDesk.exe
5236	MsiExec.exe
5236	MsiExec.exe
5236	MsiExec.exe
5236	MsiExec.exe
5236	MsiExec.exe
4552	Windows10UpgraderApp.exe
5236	MsiExec.exe
240	Windows10UpgraderApp.exe
5420	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe
5924	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5940	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
3484	VirtualBox.exe
4456	VBoxSVC.exe
4456	VBoxSVC.exe
2996	VBoxSDS.exe
2996	VBoxSDS.exe
4456	VBoxSVC.exe
240	SetupHost.Exe
240	SetupHost.Exe
240	SetupHost.Exe
3752	DiagTrackRunner.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Windows10Upgrade9252.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VirtualBox-7.1.4-165100-Win.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3972	4552	WerFault.exe	204
4736	240	WerFault.exe	217

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCreationTool_22H2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10UpgraderApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.1.4-165100-Win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10UpgraderApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10Upgrade9252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiagTrackRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10Upgrade9252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ = "IPerformanceCollector"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4B301A9-5F86-4D65-AD1B-87CA284FB1C8}\NumMethods\ = "28"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{EE206A6E-7FF8-4A84-BD34-0C651E118BB5}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59a235ac-2f1a-4d6c-81fc-e3fa843f49ae}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5587d0f6-a227-4f23-8278-2f675eea1bb2}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{31AAB263-95EF-48A4-9CE7-EAF0D3AE150F}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D2799E-D3AD-4F73-91EF-7D839689F6D6}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC830458-4974-A19C-4DC6-CC98C2269626}\ = "IGuestDirectory"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{334df94a-7556-4cbc-8c04-043096b02d82}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A256}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F529A14-ACE3-407C-9C49-066E8E8027F0}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d3d5f1ee-bcb2-4905-a7ab-cc85448a742b}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{75DFF9BE-6CB3-4857-BDE6-2FAF82ED9A8D}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D39}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\NumMethods\ = "15"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E578BB9C-E88D-416B-BB45-08A4E7A5B463}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}\ = "IStateChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2B2}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D2937A8E-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxSDS	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d05c91e2-3e8a-11e9-8082-db8ae479ef87}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2DB178A-7485-11EC-AEC4-2FBF90681A84}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFDE1265-3140-4048-A81F-A1E280DFBD75}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\NumMethods\ = "12"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4680B2DE-8690-11E9-B83D-5719E53CF1DE}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A508E094-BF24-4ECA-80C6-467766A1E4C0}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA05E40C-CB31-423B-B3B7-A5B19300F40C}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A06253A7-DCD2-44E3-8689-9C9C4B6B6234}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1474BB3A-F096-4CD7-A857-8D8E3CEA7331}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883DD18B-0721-4CDE-867C-1A82ABAF914C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\NumMethods\ = "18"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\progId_VirtualBox.Shell.vhd	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ff5befc3-4ba3-7903-2aa4-43988ba11554}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d782dba7-cd4f-4ace-951a-58321c23e258}	VirtualBox.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 284428.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833291.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 787274.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VirtualBox-7.1.4-165100-Win.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 152498.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Windows10Upgrade9252.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3968	AnyDesk.exe
3484	VirtualBox.exe
3420	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
488	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
1312	AnyDesk.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
584	SystemPropertiesComputerName.exe
1712	AnyDesk.exe
3484	VirtualBox.exe
3420	POWERPNT.EXE

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 62 IoCs

pid	Process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAuditPrivilege	3720	svchost.exe
Token: SeSecurityPrivilege	3720	svchost.exe
Token: SeDebugPrivilege	1312	AnyDesk.exe
Token: SeDebugPrivilege	1312	AnyDesk.exe
Token: SeDebugPrivilege	1312	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	1312	AnyDesk.exe
Token: 33	4936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4936	AUDIODG.EXE
Token: SeDebugPrivilege	3124	Taskmgr.exe
Token: SeSystemProfilePrivilege	3124	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3124	Taskmgr.exe
Token: 33	3124	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	3124	Taskmgr.exe
Token: SeShutdownPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeIncreaseQuotaPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSecurityPrivilege	6136	msiexec.exe
Token: SeCreateTokenPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeAssignPrimaryTokenPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeLockMemoryPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeIncreaseQuotaPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeMachineAccountPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeTcbPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSecurityPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeTakeOwnershipPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeLoadDriverPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSystemProfilePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSystemtimePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeProfSingleProcessPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeIncBasePriorityPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreatePagefilePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreatePermanentPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeBackupPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeRestorePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeShutdownPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeDebugPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeAuditPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSystemEnvironmentPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeChangeNotifyPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeRemoteShutdownPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeUndockPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSyncAgentPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeEnableDelegationPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeManageVolumePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeImpersonatePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreateGlobalPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreateTokenPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeAssignPrimaryTokenPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeLockMemoryPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeIncreaseQuotaPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeMachineAccountPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeTcbPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSecurityPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeTakeOwnershipPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeLoadDriverPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSystemProfilePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeSystemtimePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeProfSingleProcessPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeIncBasePriorityPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreatePagefilePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeCreatePermanentPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeBackupPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeRestorePrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeShutdownPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe
Token: SeDebugPrivilege	1436	VirtualBox-7.1.4-165100-Win.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
2084	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe
3124	Taskmgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1712	AnyDesk.exe
1712	AnyDesk.exe
3952	Windows10Upgrade9252.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
4552	Windows10UpgraderApp.exe
6140	Windows10Upgrade9252.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
240	Windows10UpgraderApp.exe
5316	MediaCreationTool_22H2.exe
5316	MediaCreationTool_22H2.exe
240	SetupHost.Exe
3420	POWERPNT.EXE
3420	POWERPNT.EXE
3420	POWERPNT.EXE
3420	POWERPNT.EXE
3420	POWERPNT.EXE
5784	AcroRd32.exe
5784	AcroRd32.exe
5784	AcroRd32.exe
5784	AcroRd32.exe
5784	AcroRd32.exe
5784	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1828	4284	AnyDesk.exe	77
PID 4284 wrote to memory of 1828	4284	AnyDesk.exe	77
PID 4284 wrote to memory of 1828	4284	AnyDesk.exe	77
PID 4284 wrote to memory of 2084	4284	AnyDesk.exe	78
PID 4284 wrote to memory of 2084	4284	AnyDesk.exe	78
PID 4284 wrote to memory of 2084	4284	AnyDesk.exe	78
PID 4284 wrote to memory of 488	4284	AnyDesk.exe	81
PID 4284 wrote to memory of 488	4284	AnyDesk.exe	81
PID 4284 wrote to memory of 488	4284	AnyDesk.exe	81
PID 488 wrote to memory of 572	488	AnyDesk.exe	87
PID 488 wrote to memory of 572	488	AnyDesk.exe	87
PID 488 wrote to memory of 572	488	AnyDesk.exe	87
PID 488 wrote to memory of 4796	488	AnyDesk.exe	89
PID 488 wrote to memory of 4796	488	AnyDesk.exe	89
PID 488 wrote to memory of 4796	488	AnyDesk.exe	89
PID 3720 wrote to memory of 2072	3720	svchost.exe	92
PID 3720 wrote to memory of 2072	3720	svchost.exe	92
PID 2072 wrote to memory of 2152	2072	DrvInst.exe	93
PID 2072 wrote to memory of 2152	2072	DrvInst.exe	93
PID 1312 wrote to memory of 1712	1312	AnyDesk.exe	96
PID 1312 wrote to memory of 1712	1312	AnyDesk.exe	96
PID 1312 wrote to memory of 1712	1312	AnyDesk.exe	96
PID 588 wrote to memory of 3124	588	launchtm.exe	113
PID 588 wrote to memory of 3124	588	launchtm.exe	113
PID 2100 wrote to memory of 2776	2100	launchtm.exe	114
PID 2100 wrote to memory of 2776	2100	launchtm.exe	114
PID 2828 wrote to memory of 692	2828	control.exe	116
PID 2828 wrote to memory of 692	2828	control.exe	116
PID 692 wrote to memory of 584	692	rundll32.exe	117
PID 692 wrote to memory of 584	692	rundll32.exe	117
PID 3712 wrote to memory of 1940	3712	msedge.exe	125
PID 3712 wrote to memory of 1940	3712	msedge.exe	125
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126
PID 3712 wrote to memory of 3096	3712	msedge.exe	126

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:572
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4796

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1712

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3968

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2ca65e72-52b2-ea45-a257-54ff4c73f416}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{81135008-1036-4E2E-8C07-572A2B351A16} Global\{D60A0EEF-65D2-4DFC-A7A7-689312A1F82D} C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{35dc5b48-07d9-2e4e-b3b2-4d39b42fa6aa}\AnyDeskPrintDriver.cat
    3⤵
    PID:2152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2872

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3540

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:648

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:4380

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3124

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  PID:2776

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\System32\SystemPropertiesComputerName.exe
    "C:\Windows\System32\SystemPropertiesComputerName.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0df83cb8,0x7fff0df83cc8,0x7fff0df83cd8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5513320589334789369,2206989829454887882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff0df83cb8,0x7fff0df83cc8,0x7fff0df83cd8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7684 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7416 /prefetch:8
  2⤵
  PID:900
- C:\Users\Admin\Downloads\VirtualBox-7.1.4-165100-Win.exe
  "C:\Users\Admin\Downloads\VirtualBox-7.1.4-165100-Win.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- - C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
    "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5508
- C:\Users\Admin\Downloads\Windows10Upgrade9252.exe
  "C:\Users\Admin\Downloads\Windows10Upgrade9252.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3952
- - C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
    "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 2260
      4⤵
      Program crash
      PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1348 /prefetch:2
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7452 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3446723313166378814,7722053080343644372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5196
- C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe
  "C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5316
- - C:\$Windows.~WS\Sources\SetupHost.Exe
    "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
    3⤵
    - Checks system information in the registry
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    PID:240
  - - C:\$Windows.~WS\Sources\DiagTrackRunner.exe
      C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      System policy modification
      PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6136
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 63808D7B40313F4413B88109A60B8400 C
  2⤵
  - Loads dropped DLL
  PID:5236
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4928
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 069AECA2A68BDFE03D4C374A85D6CA54
  2⤵
  - Loads dropped DLL
  PID:5420
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0D3A68DB579060E8CF19C02A5F5F9F33
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5924
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 22265D274B4C5F2CBB074768B3486D5C E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 51ED3D7BDC28B6F19F247E96C6DD22E3 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4552 -ip 4552
1⤵
PID:4188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5552

C:\Users\Admin\Downloads\Windows10Upgrade9252.exe
"C:\Users\Admin\Downloads\Windows10Upgrade9252.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6140
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 2084
    3⤵
    - Program crash
    PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 240 -ip 240
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1996
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4448
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000184" "WinSta0\Default" "0000000000000188" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5380
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000188" "WinSta0\Default" "0000000000000140" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5540

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4496

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4456

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2436

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5784
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E33CAA8940C0BEA5FCD24F81003C910 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0BD5B80194C887A30F4445687FF2F274 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0BD5B80194C887A30F4445687FF2F274 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5696
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4624DC4B318E32D6ABC70D908D9BBC86 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=318B0286277B5F3E07A216169B036D9C --mojo-platform-channel-handle=1852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37CBA26A4057FC0FAFF43EDD1AD31279 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E8968D3185B6E4994DCB08595A68195F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E8968D3185B6E4994DCB08595A68195F --renderer-client-id=7 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff0df83cb8,0x7fff0df83cc8,0x7fff0df83cd8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13078370394634849170,10828563971835009972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4164 /prefetch:2
  2⤵
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

Filesize
192KB

MD5
b5a6c0038a2056bb54ad250624e75288

SHA1
b0156b45204ee3f20f03cf5843d69a220b0826ec

SHA256
978d579defd4a98ca8470e004cc943432a610793ca0dfd8c96c20c7be1caf6dc

SHA512
474410fd1f41d3470610e53bc703b456f770428af96c7b8ba3a2500baa7e42f9e4af8903bf4c57729594e4d7103aaf834bdd600aa31ca30f529f36884d7109c4

Download Submit
C:\Config.Msi\e607e2e.rbs

Filesize
2.6MB

MD5
c1502fe12787bb7967044ba519b9c848

SHA1
c6f5cd330771056a09bc82fe568c2c5388b04685

SHA256
25cb48fc6dfacebf265371087ad52f81a678a415bce4bd5882b2694cce10b5a1

SHA512
7008bb1f3f8f3a8f8e1674a6c4a0c4bf3606dd8fa9335650ed09f5cb5e0823807427a6dea4af71875d6be07248de414081f39dd90cb200b14302b74cb12ae97d

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.3MB

MD5
0a269c555e15783351e02629502bf141

SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d

SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
ab38a78503d8ad3ce7d69f937d71a99c

SHA1
00b6a6f09dd45e356ef9e2cacd554c728313fa99

SHA256
f635cd1996967c2297e3f20c4838d2f45d1535cfea38971909683e26158fb782

SHA512
fe8e4c6973cb26b863ef97d95a7ae8b1b2dbce14bf3b317d085b38347be27db1adc46f5503c110df43e032911e5b070f3e9139857573fffdafff684f27ef1b8f

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.7MB

MD5
8c2f0cb4fe0669d72b6fbeace9e375a6

SHA1
3ed426c730b7eab2068ced89f6aa1d8bdc4ac75c

SHA256
8672723927495625c1dd5fe5eefefc00cdeb2905db982522758ae2c5734137bf

SHA512
ceed87c3c8d418b8db827a52f995449ed114396a2b445528ee7e25343c01085d17308aab46a29d45d254b38c6ff0cf85e6ab31db34eb9ce20be60a0f2bd52873

Download Submit
C:\ProgramData\AnyDesk\cache\device-id.cache

Filesize
312B

MD5
f7778199131696693cc6db4f5cc93c61

SHA1
b235fb1f0d36272514ff984c4e1185e7aa7aee58

SHA256
f0bc1095f01433e408892672d2c0d111b71924e6497db1b5522a3bae2bd9f691

SHA512
48c51e026d60194ed6711eb29ee90596d03eef2c5e6912ce76ed6f9906ae60fbd955a4e7d88ca033e3b7dca16951b4cbeb42becfa2cdd387f724ef5253fad3d6

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
8500accb1edaf1ed44160d656b321834

SHA1
cc4646ee28e7909f98a867e820458b3636bf24c2

SHA256
0e0dbfcda63bf473ab958c33003e35d0e78cf85c20606ae0931546ef52ed9d55

SHA512
6c1b0bb85ca74889d2828c1b6e06d65278f3524d1ae06aef9fce0e073e5e4e64a15128a51582f3c1d721929223502ccbc3be5bcaaea28bf87bbd2ddc0be283b9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
889B

MD5
5b31bf825de25a433cd19656859012bd

SHA1
cac821538d7564714feb7de78576ec3929044a27

SHA256
84fcdd821f871845dda6d343a85cc3a80a26d6bf5cb45672277a55e7622e0a61

SHA512
7800fb1ea55c4c8e2174d4b40b02297df854b47549aa2ebf3d678b52f3e7d512994113a53bdcb8d79dad0aefd1d151f569ba520890c1945936692678e7bcefd8

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
950B

MD5
586b191536c86dc4df625da7b9927068

SHA1
194119e3e2268d3a1fb435b74bbd569171fc8967

SHA256
f9a1acedab674674014ac7def31eca52e5ce2f7326add695320358d572840953

SHA512
24ef0f68fef28096b149b534e6aa458cf03e64c232627d545d5575fd9d07b4af6f62fdf31b913d64ab476fb8bd547b08a5acec86823fe5c66617d1e5eae50e03

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
950B

MD5
5fac066c7b50b6d4e1c2affa4c7a21f0

SHA1
62f2007e8a97cb8072ec91a1fac77076adf00271

SHA256
af10d00e7bca8b37af79a1b462885375e9467846ead436f9ebc1773d8fdf0abc

SHA512
8d3bd052c6361dfd7d92fc67ca60e273541fd26e8a7945c7047017e4ef6083dd7f9a5eb806a70e16e29d8cb443dcf15d8fb17204ba8b5d8f8f24a1dac4aa4ea7

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
950B

MD5
10286682a5c89125c3a38411c6d30439

SHA1
cd913e56e06bf503b028c59dc3535bc23a7f76cc

SHA256
831708d4324e18899b8e5faf1da62fa381524f85ee8cb2fb77456e91cb4189ac

SHA512
e26cbf2e66491cdbb54c12cb0af6c6df6d85f48b34901fb316f60006d21f6d50242b3945c27133cd410dc9b516c26062e112d0366802acd8515b51c1171ee55c

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24945104fc04a4953f05407e71df7533

SHA1
f20efff1d294ec306fa5b367ffc2b96c69c9fb1b

SHA256
13f3f502278dc178379e2720017ccd5d13d7fc11d253907795bcea7c30b160ac

SHA512
f24e37d054858b3a9a80f8981c6c841e0c3cbe7aef9eddfacc24c5ddf8d2d084bc1cb1c5dc99cbb79cdcad22dde4ecb4c602f0defa7202f732eb602886fe6b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab88f3e6cee8593b15f4b19429473290

SHA1
fd6ff2a4fcbf05b6c40fb3f11210c7a635748050

SHA256
4cc880fbcfde015dda6f503ee3343fd71df571d7dac737dde6f9ab5f89b5aa59

SHA512
f81870cb7e7dca67f4408ddaa3c12a0e0354bedb23f88ed0da8df77097f36f253d3196bbef05c26992a38e3a10a34991f50c95ab6614392c8e9d5b48e021c169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\88516f70-6b79-4e17-9d45-6adf745fa14b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
20KB

MD5
a4f3afc86190a2d47f56664367af370e

SHA1
57613bcb2a288ef2508e847e7ba35d52f2e87de5

SHA256
52fd14eb766bc6676dd81e3bb50a4dad1891bb9a47e38c3ec620aa6c2b487c42

SHA512
bae75c59141ee60ef1fc2c745117fafea3d386b64f2f67c1022909f295228578bfc5e5e49de5a2f2efd57e75affc0a7d09fbee8fa50aadd82aff446773fc690e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
22KB

MD5
cb305d32beaf3b4efc542b29d4da4449

SHA1
1c0c1232c8b371c6de1d587a24551e28b571abab

SHA256
cc9bd19cf704eaf02ef7d4716282725fcee3a86c0337eb7d36cdd88b6b8e19cd

SHA512
4e7a310c179315661f9c1d2f1f30e122e6956fc28bd0c89eb103f48e0ba865fa57d9eec474e09a68ade67387129432bba24ab3d8b159902d930b558c8e485135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9e6611ddc1011231847d06dd54bc2775

SHA1
25470744dee8c88bb206745f4f3b88b14b9e7d21

SHA256
5dd2a290e0451a45e87c076d3451c41d34dcdb9972de2484c18642a30f1c4759

SHA512
d852d6ae2a20faa33a4a40f8c5eacdfff9d4c689a174f01780eb288b60b3873dec1f8cd15b83a4192bae732d0ddabcb6ca0a8113e919b481a00c553374f0b4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
0b148a7047ca7fc61f768a7e9ec7f4eb

SHA1
a26ec0f88a57b3bab2cead70a4b92c0cbff72ef6

SHA256
4d0eb654574b0de0eabf90a947a5756bcccc15105e4eef4f9c3a6cc3f0ac86e5

SHA512
f69b47a8ee5d12093dcd9204170b9e55a73dc4e7eff04478e82735b2b283937cfe206bb93d2af309777c6a91daa79aafe8bff9026a0003b41d80d0d8a9f0db49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8faa8f24ae02ef170513d745b1f35f1f

SHA1
f77a5964202e8e07c300f78521b74043226bc587

SHA256
ff6d96608dc77d3ea2a456ae461067d63a17c29a21ce8e7e95e71280085bc2de

SHA512
5bbcacd38b1b982b36724512df24993b30eb93945ab379de955e86b6c8c9bdd0a98226c7dd574594443ffafa5d5b330793e407f2157ee00456e34e12f72b3ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bfddcbc545734d76da96c37cda8f7118

SHA1
7fc99b2bcb708a2c8ddcb98d961fe8403e6e698a

SHA256
e0f7291bebbe8c2ce7e2764eabdb1f69b7bb7766a47f9100d82a24631159af5b

SHA512
bae268f08b3bc5e7869952b8074e8780ab7a611d082578c74a4373055085a31db40ae62b28f8bc89b5ff9e1b8c914380bbd0d442cbfa09d1b44bbe6ed2a1606a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
da95d6d0a7605bd909a9ec1b72d29c76

SHA1
6c6872686da98776d4790ae1ec6cfaefb07cd5e7

SHA256
b08f69ff751d654d0654da75e1b8f2a3f0754cabe80232810518643e077402bc

SHA512
3e707817081826a303926e3c733e6430270a4f47c3b59f93f094eeea761d69c38363340123aafb78a6cddb8b6b92459a9c13404f90aab062b4bcc33ce906cd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
eedada54d139aecdcd8fbd126b625690

SHA1
bdce8db4f4748344d9a1b65ace8c0523d2eed4dd

SHA256
bfc4ac1e958a2588bb05784eab39d31458efe7f6fe4525cd6ee5ed722e5b9f9e

SHA512
36f0bffc49619ecd9ab0b81fe9728a028ba3b635b3d8ba63fd14149e2a8f13757eb71cba6385f292989c8317d3a8a05d403d71df550ed2ecfd95af05c391dcd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
e9e52e7fd6f81c620688a6956a38b48a

SHA1
a1c87d4d0cc3bf87463ca59b81f82d572932b368

SHA256
35a407741e1ade92d4abe5b12b0a9fa40e93356729a501f35fc790f2b1b2b57a

SHA512
8288cf651a6d89c85aa080dcd0fa885354b1c07e5c8d2cc7a20b837a4389d7420ef3c8660becd520c0a0282494777417672801a898c07df81c7becaadf5bed9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
2907b7f3ba040d7e733481697a7ab245

SHA1
9bc3cac49e6de20c18b9d58feb60d3d45e8c7b03

SHA256
20c88f1692af0fa11d84caefc0e4f8299d46c6ddb0d61d5c145f12ea9d69ffcb

SHA512
d2b8d8d386acc6c2c54a8f8aeb23f31cdb734577c3f6c404d6574dd1eec3d563dc52fdfedf8bfd97a5714ac5ef9c1af93aef499158480e968e965e02b9a4391b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
c0d81d5052fe2b85f1be65d4bfdc7e26

SHA1
7b8a691119864486472830cb5798f2977c852d09

SHA256
44628c1ae5c25708ac035b7faab956b975df945fd329ec80df2c583c37ded06f

SHA512
a1a42102a327ba7bb6fb887b6111812b38d565f63b212bbc4790b2de04c020860101cc8d93668c63cdd734623a736f7205096c907858ea3330a4e916458b117f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
8376449e9f3ab5e671d5913290253386

SHA1
345f471c5a2fcdded76c3c47cdcba483c541bce5

SHA256
9d0c30d0d6cc438d6cf3540863c0c4f43fb7d497b047ad238cc62ae1c5f509f9

SHA512
03bf304e6b4a3e3a93d0fa2f3a05985ba9ea920a92bfdfafd65e7b58ee77760bfe56c142b185db82dc9d5b363e315b93dd429ccd6b647017108e43aa59dea5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
07bb2495735bb80cf23dc380cd38ea94

SHA1
fb5fc0a0b78a2a08774eff78bc2403db019490c8

SHA256
194b55450b5355b55d7354565af97e50296cfe369542906c2b6c5a994c839c03

SHA512
d7ca319982c59c4059316e1994803505ee584c1cd8a11ba1e7fbb1a7190657a983ff60f801d5ae8cdc8c6a0039034a478127b2d1e1a3a48ca43177888ca09d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a8ccf8812a962c4f02cbd8950729dd20

SHA1
8f7945b1a7e8de87e833340a7fea8af2ae5985d7

SHA256
afadd3ad1fd3e1e7f08c908caa59bd83c750af21c5af982eb5861c7c7507b6e0

SHA512
e13813ed20977491e7641b823cff6ba49f11b90e9be2892056619e493bde3d669ca13cb572c036e6112049b86d90fa610ba2d17a5fa8ea1ee5f8defa4db10543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
259c2cc91474378096223f3c927391aa

SHA1
6389c176e4ea043578f011ae7bd2af8fee29d286

SHA256
8bb296fc23287381ca9515e50a1ccac03a754bcb4826b1d2a859942fbbd130b1

SHA512
958518e88901cace6e88aa9b9a653b7a1d0ef8d95a2820ad256cab295f658c8bb056225e47b98e9212f6704b95c953de6a693ba17b984396bd232e6353b19b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
4424a484a52842a88c44302304be47a5

SHA1
6a18960634c65082397ceea4bc405db64baf59ba

SHA256
24aabc750e4d9d3ffcd655e85d758c7bbff2852e6d94388c935b81aef66d3e4d

SHA512
395fa00e28addb5201da78cc17bc463a0a81167fea42698ac70aca84c06c4b465f93e2389b52abfe0379a143145d7d704f860286f265cc40d2f1c101b75b448e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9854f199588dcca0bb4d54191a8821f5

SHA1
ed614dbddfffb765689ac21a869a9485cc52fa81

SHA256
44405b81c079b2e6e54083e87a80d25d8c3c1e3db7759258dd84c9343769a279

SHA512
5353b5262d4b75540609676b1b775c5aaf0cb44725ca5b58a1e8cdbd36e9539eb82526cab882ecf84469b70e88927c4400a16919f9a5955d5f19a9ab188bdd33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
3f76abf8029863094c2e5e88a185a880

SHA1
3b1b10524a1dc00c0ae6307d0050b6999d79473d

SHA256
0631b1915283cbff24e0682f73aabb7a5d536479afec642f30649e29ba2ce55f

SHA512
2dc46f200e7b89c9ef6eaaa8c1bedc790ed1b0c8394015987137da55c0cd454e3fc6472cbdfea8a37f80a60feb503d9693a42982b25ff56ca77c572cf0d805e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
84045858a02bd49b4ac25922d5d4c860

SHA1
a69f0f842be5123d9371482ae37d046521858e2d

SHA256
4d0f596f8fbdc7b2b510a6b6cf0321dcfcb63f1d2e3db8a95e47503ff1583096

SHA512
4b0ee57227f262ae8126a767cfd0042f81547958bdecf5600980a0ecc06ec4a7eefec1457bfe07d663fbde2db2b0ee466d06547a2ad6509d117cbc733af265e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
06460bad5971b1fa82a317b5188ffb8c

SHA1
353985e0291b34a300ca47a84c33c18e67e34c3c

SHA256
f64a099fb37154e20f88d021a98f5a08c0c0f45343f234b6f05932c08810bb2e

SHA512
bbe382289e59dcff15ca427b9b3ccee0e27ea93ea80a693c9752fcd2c0c81725d0a4b97b9ba8f1a3926a199799aeb1ec4e95a4aafb83eff44ce3e5b4af6100aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
2d885cfc9cc71e1635bdf179ca314f28

SHA1
d6e2e47e2444a4bbf3727bac0b32bae7bfee136c

SHA256
b71ac0014a86fe2ad8958e82a8c66081ad109fddc8877c98b36795a0836704e7

SHA512
3f6a6bbde6e9bb2db6c865a2a6c0ba7fe97445328d112030220c22d472d562890cd978fa38ebb611fa408a812407e62de5817787f523cde16e7ceadc690104f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
3402b7c8c97eb62a67fb7e39774ebd5a

SHA1
780e8e7ca9c39ec48a9e7df1f6aff843d66b3d39

SHA256
49d40e3b2882416db75e64c6fcf7ad0c883e4f8465c0706c2703b054721f99e9

SHA512
f6891e1b9a11099a478439b7fa06a084da9be09b9cd0346fe9d2e23fa360549ff3b020b943c9a3af2c33676239af5a620ec893f8a41ffa3b7a087335db48a424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
86422efb6736beaff815ec7c4b8c68a9

SHA1
867b6c6c501c5e5cc29b00a16c95c2c381e5d990

SHA256
9fc0a7d477bb64905614b26debb6f9073581569f6dd2ce5fea3c92fb80861737

SHA512
5d28ddb9f28b55529a6addae167e68c5493aac4a68c20ba72c6a8b7462648a801e52a7c64d0a81c4cf58f34f98f73e6bfd57cbbe7338f3ccad04647c7803f039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
befa29313dcee8c6f979b62d51ebd4f0

SHA1
3617f0068b33344277aedf7470da5511653754ed

SHA256
ec07f266cb50ee7455cdb9b8bdcafa7c20141f0938098d655d1a63206b1cc471

SHA512
0127b1e44d5a228a9c2ccfacbab9f74b4e2018035cfe24d46c78036571942dfb2bf6ac793ff0bec2d56533ccaef44e244a0cd6da4d7ea883e781518387a2b81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
20423d0180407e9928406f40186e6b2b

SHA1
b631b42d73172e8ade3cec7f4b383accfee6f232

SHA256
73339a70862078a67be5395bc38397043b26e9c6a85abff0b8460bb5af2d73ec

SHA512
9e4aa021503a504225642fae5eb0c58ae0c2f1c4483084bc9212ebd84d699a9a243baa6b3c90240456395f18be7ce3e1d1b46d999c2af3be8c1bf5fee9ba28fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
55bdc0e58b2f9d6bf33d9ac08b05d916

SHA1
802f6ca8527252f53d5e847cc1201a3bd466c512

SHA256
73f97b7ee881e4ef6a337f3003f2538a991eb6d2fe505d54704c5016e1ea90f5

SHA512
511d16b17e0b9735f0ff8ee018f003bd3d25db2bbc92394d1fc1367c283e1b991804d7f6fbeb588368e47bfe2ef5f469d91bc7e4286acc4e76fa794bd965fdb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
478d7c9a58e53f72dcf8c358e14bde11

SHA1
d7b4f2d930474e3b94f4feaf31f61f91166475b8

SHA256
da13c1c1964843c36d0244baa3899e8dcbda0a64995987f0341a6fa837227f52

SHA512
1be763725498351a578a6d9021f6cb0bb337e36278c51f0d2a655414a64173831feae1b29064209ca41e0fda696b09c747709e1eeb62af030221f0045a743ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
b1afe64230ad9126bd89db92d406d3fc

SHA1
d2ccd302e623711b87648368dc00e163402c8200

SHA256
72936a1d9461b73704aff147c0ef723b65d09a44b775dee858c60444bb3c783b

SHA512
694d276aaea6eca18f3462539b42c908bd8270fcc10c59e9d0babbd4240f6a727ac1dcccefdc4cc1276da8002387674b659fa990bf6f6d9f59b5723dadea5cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
57787a88f5bd8cdb6092f3b3fcf47710

SHA1
07293ee8e4468911c0fad80a4da21f654d3bb4d1

SHA256
291bfde6f32ef4de7bad1d001c6cdb2dcefd1ac0235bbf01981c9829598fc2b2

SHA512
a574a7cc955d02bdfac8723b0bf0d11178cf18898d657cb94b660768f6cd285eed2b4ee1f08a3e8029f25c2bb6b4234ef1bfa1a0f890d57adb4accdb4dacb18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
6fe32796ea023a240e5e6436c76a9304

SHA1
290ebac28c0b4a48bf1b5a4eb7bc8378d06d6151

SHA256
96733d3fe9060c98f377bdd7ba1f8ae6fde1ace053ee5cd2540693ff88cbc4b7

SHA512
c4758e181512127e48bcac7fd3f9cd07737185fd029898c9fdc0227a4aa15200f19eeb55a1e1f557aa43550c04ecee8d249f344956ad7db40a30642e758d2518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
a4644797380f36e99786b2c6ba1bb198

SHA1
ebd186b8ca7fd5c58ed86afabfdf5f5753947945

SHA256
94c801007db2a648b5f0e52ce7b2157d1bfc400f33da8fd135c55d9b9578f96c

SHA512
f7c12260b3cd03632de43f974ed8aa68b74c1a17fbbdf3fb2768ecaf0a5fe485331ffe1a2c8a68f2a507b95387d31c859d8dd86255dd45251dd57b85419cd5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
3f7b39a10dd6d4144d4ddc9a88e20cbf

SHA1
efabe598a70ab3b0e925e6f8718dee5112e543c8

SHA256
91a764dd1b5317887b348569a5d370e56fc2ba51a909cbfae6f6f2874c73c5b8

SHA512
699864f716979724a5156dd1a8c0731bb17fe11dbfb0899d96320cd05c5f4f2da5a738bbec4b7de49fe1a7df26b2db01c382412efc985ac4cdb508a13d57ad49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
25413759adfc343616a2d6d6f073e1ea

SHA1
8d31e58645d4e5e547ec5061d2c7ad6613c394ee

SHA256
0cc22992ccb7d3e1ab92f54e7e78aa8c71545b2b154913533be5adefdd81a62c

SHA512
d6f670e0e90f92814c2893737ae0a2902dae9d1685b51d9dde234d58d973fd214be158be8af5ca212ef785fda37a6c8e3d34e119e57541f8fdd02e5cef85137f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0b160a043afe6b5919ea1f7f607ca93a

SHA1
f838f75363407abcf7199846cd88d5cec8ccd58d

SHA256
fd78d86b8e4d22348c7d6e03b02915dd8a313cf00c25c24b216557739f16dd9e

SHA512
b1a531d40618f05399d06967fd1a9e9a3299642d3feeedbb083d830dfdb38ecb4243b44d108d38123b462a46fd43fdb2959217ac368285186b9d3f3ac823af9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
978a9d7aee0109992305bbb1591a73af

SHA1
e849c548b087488c146cc306943810ec703c3536

SHA256
88c579c897fe971af0a9aa0869174b4f910e3d7f3f9a30d2e4ff970aaff9d289

SHA512
62fbc228f716dc261b2c464cedc9a330ef46876da22a60d71ccbfb00d73b95d076d1ec01493c6dd7be898b5160f942c929b5ff031a006b2c0d48dc417482fc5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d875a16afb27a6459e7504ec43bb0683

SHA1
1703a7700984a08513c85752e46f07c4ace734b2

SHA256
385c4bd801434cbb0f5c0d24a80dc0c09013be7e50505a9c76f4c31423aeda0a

SHA512
ed40a444e1e65de72ffcc21eb6c113a46886ef0ae18c28450ae5c4c9e7c33962aaf6dc49c90acd2b2f6e422cc8b3c3823ac54343d9579b0ca245d859ba32a29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
20c30774be424893a8cd129e197f9cb4

SHA1
3be2ded9b6d80d1ded248bf66f6f12ea10c49128

SHA256
0cd1bc180db8c370baa5e4e9d396ade6721afac583f4f7039c4a55a7bacaaa47

SHA512
de93e8c72700dc365d37c3ab1a5c6f9dd5803218e65b7867085636e20265923647c34b2e84d7dbc45e17e35a85a1130a9314be2f887ac558ac9fdc572b86e254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
047cbd7ea6db582c84d91b143496843b

SHA1
9c7e66465fcf4702ce606d80f8304cd42cb86d55

SHA256
3de602288adbee7b1d5af5b725f61970503811b096c4937028d9c00aefe67fdb

SHA512
721ad2abac93b86bde74799cef078d1573919b5cbfc04d7190fe57b3f2cb1c85511f80367de28d42b36e11003972dbdfaa870c46272cfc2309f14339944819d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8dfccc9b7a3a2210c39262e24d9b005c

SHA1
16c626ba64c3def70b4f6e1421254e7dffb7df88

SHA256
317fe9612fc4d48fcbc019f62001d8b1d264f5edd237d9950a618d856d031484

SHA512
aaa70e5a61e9f71247794355b59b3afff76b581da8dba19da19be79c1aa1034395005ea6a5d8ea6bda87c11a66c68b2e10655131bf739e86593b3d787c292aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
3abe71efc917c0a1decee7646ce55461

SHA1
dbf2d849917ac11e58640f4af99b11713f54d725

SHA256
5c7ef13572c9e8e72cdbca13b5f1b7c2576810ced3c7a168bb02e773f611354f

SHA512
cbedde14e305f257ccf0170b53aeea8f5df439cab047162b59b2ef49a3ce60806639b4a2931a1716d19f1880e47358b7a070963d30f5fd6ffa06f69d82d12ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2e79f7b0607439197157438b519f4ea4

SHA1
90fe79904cbabd7329b3eae7f6d306d8003e9621

SHA256
9072a0f474e3b8a2a094de55ae79acf26e55a1acc43fdb7c1547518539d71c30

SHA512
5c770d2f8433a3d2c6ef3717a01df24bb213d60c412222bb8433f884c1ca812d46313e057300f7059baf668be20ff385b046b48d36fc9063a42e3f597e4d9d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d805e.TMP

Filesize
538B

MD5
8635fc5cd8f459fdd5817eabcff3cfe8

SHA1
131cc916c6bb74f3e47b1a6b9c855881a8c62b2f

SHA256
95cd16c8dc792f15f3649322a4228681dff09e3bd269dfc18a452b7e90a342b1

SHA512
289a3b9a1634f9786f5635ac47d2113b7cfb19b77c83332a1acc536eee2c0596012386c6fe62a3d516c49f447cc1cc7bf3921a81a9e4370097096c02cb2842f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f3b63cbc945b9f3f5e4ad3fb63a8a54

SHA1
2dba7ff80c59bdde86ed5d7c57f2424a776d12c0

SHA256
ce850504d3a4321e030b149fcf898a72fb5435664991ef651e1f3810af42ef27

SHA512
9f20d10c9d958ea2c1e0ed14fcfbb287f496452dd1ab50bbdf3943ce2772848a8cbc1158f125ba7c67cce576b9dc1d26a47cc099b9dc94b300f49f6a205038ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28e5405bd2cfef65e081f30975b8e2de

SHA1
cd68319f55ac107a8ad80cb72be5d28e373b7366

SHA256
cd76059552bc020e67a567e208e9002565cd3b34652eb1e38bf4e14345fb530f

SHA512
db43c063e36e22347476c7bccb592da1c522ab46bf97e21fcb97a542adeb662834f6c9104e9d0040fa2dc408f9284b5b5fb7094cdf1771d9875690848eba28e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cddd20e035d70e2577002dc73bd35e3e

SHA1
eeb7b0ee2d3522e4a502b7e6f4ba2a6e81bc4ddd

SHA256
ad76f6205ec7aafd2186998c5b99c738112c6b4e6562aef80784c63e65b2b5fc

SHA512
f6648faf4354701afde1570ff49ef5aa0b22e5274ecc32fb15168f43777b6cc2a0749512433a33a74e037a9ac70dd6a910a1daa8ff85a40b3037a65d719badc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
35ab6e1c6ded5e50b6998adfeab6e8c8

SHA1
5c9485fd7d11e6694676b4644a9b660ee6ec1af1

SHA256
73b75dc45cd2edc19c39036b10d6f6b7e143a84846a8807f07ac1f2c2bb1450a

SHA512
73a6ea406451ff6754915f2a5866e4961f1eda63f25d46e71c024f9e5a222b5a7c305543a84d512314cdc8c856da3670f72c351ecc520222d16615214e711e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f160155b2a01885bfb8f939b4fe5ff3

SHA1
e7e702a72bf131e06e40cda574b31fb63c4225d5

SHA256
fedb87de63f622ed26bcaef6c64a9c83b2a36cf6d8ad2fc90f4dfdc2ae84707a

SHA512
a0b4b5a6e83e0cc9f99e7b4b4a81d31e664e06c9c7bbe4880ce41e48c2bee61d6eeb2fa1dce9edaee6cf59a65edb693426b06f68e3fe30c93549bad464bad44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7bcbe44ce8a8aa9085838f7052681f0

SHA1
6cbf703845512e980f5debf7cb241048700ba3fc

SHA256
d74ec8010e50b9edea612d98a6720c5d1f8c8b2ca2286c61086bc29f453337c0

SHA512
0e974f311d70b56a1a9856643ee0ddb4f197563a2bc535867a877d5da2349064bb9a27eb2f74212c80f1077b82f72c2cc201dee053199bdf1676c0dc370fcca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2989bfc87d582c205c4d452c90283baa

SHA1
365d75464d34cbf1d3286326782d9609d690df18

SHA256
5050d8c974a0fd95c536a8a9eea58ae20b3c2d4422876b9e791144969032f24b

SHA512
417cbf04f18b79f52590ca268f47f73d55bb3f38c8253cf527e8ed17ab624369f4a30878d5bd2b0ffadc08648c4ec0df0f2a1b70d6eb1f6d59b464fc45965c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
389a6e6e6f892c62cd92b2362925e84e

SHA1
153927b2c300f4f4978d62bdf4b28c0afca8146a

SHA256
bfba998150e917ab148056d3a00d18e1fd43cd20b6514cda8075ff4f83efbf22

SHA512
ec59ebc72aa0d299bcd70242d02dda428427343ea79f3910af9535ac32d7544addf80dec0a3644a46c95f09178a1132f4abeda0c467192926dd509c0f2a0d848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
de01c25f4d588ce902202bb540887424

SHA1
e17cd82abe5f3272e726ad40e140c58b6b66ec0f

SHA256
067ddb278e97c324b1b9f24327b8f958ba293c74cf31beb294efac54352954a5

SHA512
7e69680f4e17edf40fdd249076e56c828b4b584fdeb14bb63466bf6d851b6fc9c7887b3288c349183c1ce7f33be687e186437158edc55f2ea131446765685b49

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9f7e2e7b-612a-4d2e-8eb2-80e92d15a027.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI834.tmp

Filesize
330KB

MD5
170b0049505e4312e410dcf1e683f0a7

SHA1
be2c41ff3c49a2ad7027df74d1107327b145e8d4

SHA256
67a1517109bbbdd924511a7896bdc1c245a939ec6fbe926e9077837b93848450

SHA512
dc5493b399e6781dd7bb28981e8835c4c004be9479b47b92cdc7300c1228bde4ee172f14be40155d5da7b71782b5f1a940a80d7aced8b610571c062873da3994

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2678.tmp\appraiserxp.dll

Filesize
363KB

MD5
cbb270591c9a1bfb1b10559ab672f705

SHA1
fed0d59d60709b5b05b9d31030ea7a5422767a7e

SHA256
770a9a15e1eb8e2729f23a3d262b55bef16e4bb7822a2d16eeac3db35a116d7f

SHA512
67c4154d47981f22965966aa823dc0e05872b2f6d8fc7d80b4130f1cdb8bf9f326a20980e29c085e2940fc1f7b033b85d2eb192f5bda2da136364a842ea20f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2678.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\ESDHelper.dll

Filesize
59KB

MD5
c61dcf4db82482a4498fcca646a6c640

SHA1
981bf318813c54e94efe04cc20dc6ac070adcfe9

SHA256
c98289454cdcb2266e82204af73a799b09458a899cdd8366e24fbb613273c0ff

SHA512
6b26c8e4c1c15f224a5d196524f35583f1e2f878fa2532a199be068d89c06bdbafd2ca3e740b1ed104844d760e62b25d8a6d589c511ed6fe2713b925949ab2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\GetCurrentDeploy.dll

Filesize
404KB

MD5
410fac98056ab0be74e4539a4c0eaaff

SHA1
10a66618bd67f26b3b6e418df4aeb93f0e599c2b

SHA256
09ec6dc5cb94160b2c4d9f1f4224a7dc1951f227dd311acb1bc4335f23db9b24

SHA512
84999daecb8fce1c4c76ac2527278ca7896c5e90ec37754bb0f10f3cb391adc338cde923c51a3ffa90d49ebbf0516f7632889970efb20ee6ea797185edf74222

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\GetCurrentOOBE.dll

Filesize
126KB

MD5
c062b03a177cf1d25b91d0a911784533

SHA1
dd96534252e07bb6db047bf990a3caed70e05cc3

SHA256
396df40adac039f8a6847b7c8efff7dfead7a77b93e12b0b141a4cfa808c0035

SHA512
27850b93c3f33e1c6672cea4e0a1d572375f0dd8c9f2d3521f1060123eacdc9da456447afcc23ca751222941e09d611fdd80d236b7620b15b12c16f133d6e41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\GetCurrentRollback.EXE

Filesize
64KB

MD5
d705a34a869ac46e3f07c9be3ea1693a

SHA1
b21847a23ed6d0b7c04c0519ef0e11b5e422c3b1

SHA256
0436deda2dbbd46d74e4a83b5897ba26a3ec35a9ab77d4b46e7477d9cdd213b8

SHA512
cfe243ab1385ee1086c50f434a934654b5bbc6fb4e9b562bf1738c2f7b50a49f22e748d2b71d9f69bad505272de70e4be09d8cf13475121defec1e6aeb923479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\WinDlp.dll

Filesize
1.0MB

MD5
87bc3d50a51cae672f2e3ed50691e5b5

SHA1
8da385a349012cb8e2e56b320d04fe4a1e56e14d

SHA256
896994df8e63229dc8c860f40cfd92c6fcea6e684ec0d51f111c812eee7349ba

SHA512
504d89b40935dc266af46438fb391f9e3d9a925fdce6c5daebc34e5c7fc33ced01ebd32f8da083c41f01a2766dafb9102b02b2800b1cb1ab3057413a6d9ca8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\downloader.dll

Filesize
197KB

MD5
5b62ad6ae42f32806062ad1bcb3e2de5

SHA1
8d4a543eac9643931fcb620cd588e2cc1067920a

SHA256
96f7b268820511abeeb6bbfad0918cf9161366bc2f558ef7f011331e7de1d6f3

SHA512
af5bdbc5019b56eb9a32b6d264388e309e36013d43dbe09c61224ba6fabf1ff905371bc5b6ddaa0d5bfedae99cc5a7051f13fbf26cc756793799e568094eabcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\Microsoft.WinJS\css\ui-dark.css

Filesize
262KB

MD5
c9674190d140117be506a070c4ef5be2

SHA1
51db8cf46f6ecac6cab85a52402fd66c035e837f

SHA256
1e8e74e5a29f269157c043718b43c10c6f8beb806a6d2b3f3f2dd542731fd196

SHA512
9d41b784a377dc9a1bb61e337ade6acf7f841a672609626697925ace30f8fc574e58ee54388a76b446a84d4ba6de46d72e0b7cad64ada5bf5664c28df09ca585

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\Microsoft.WinJS\js\base.js

Filesize
1.2MB

MD5
221c534deb612992681b0a2fb55bc5ed

SHA1
1ac3eb5a4ea6a0d876f8077e87357fccba472323

SHA256
7b67ab12bd5dcc229ea7f197fcb7723b1c41a517e198fad31020d8fea42e9715

SHA512
c9bd493fad305eb4c881eb6c9aa1daf672ec3531ca4871c44f3383b48389db24232b6dfe35ab6e82a5c8bc1a38f68b57fd30e2fab35bd6237d751285fd74444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\Microsoft.WinJS\js\ui.js

Filesize
2.9MB

MD5
b02d15ec9159d708837121c9685fa551

SHA1
577edd3d56f6a92d5248b35cd76a442b2c1caf37

SHA256
d23519634fa23488b7151ff1c31cc81e9531033f669d10c119f375198d02e22b

SHA512
60305cd9baa19a7e526f4ee9eac425f17563ab4dda0c861cc163b64495e72b547258ff7e804dd7c9820bd3543b2158109b1f72775096a2ba36ce02ad908f8a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\block.png

Filesize
919B

MD5
a132f4d4f23f1bc40cfdb88223b1c74a

SHA1
11fc3eea08765c7dfa697cd9cacd18f7a9900181

SHA256
35825ad138cec97d3cff27cd8d139377e6ba4d0a55b473b59fb4f5f4b9508be6

SHA512
c5284f403c6617947545b0282d935d7e3b2ccb30c67d85920907b7cbd00c01e4c560824c3e7d77a51e97a646aff806879f76e418973a66e2fe1086b8288326b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\bullet.png

Filesize
174B

MD5
062f3f1fff1deb4e8abe7a16c8aa6398

SHA1
c943234ce3e553a05be711da23cbafbe459c5988

SHA256
f67ac334038896e37ca126ac4dbd1fff51cd0ffe8c99ed1cb709d64864b72392

SHA512
c6bf7e63476f4ba36aa09a133bff02c6d68503361d9487d598b28a0bda631a496810bb9b0ba8c89efbfe16bb53693a6a81c93da1d00fc923b655a070d5dbdd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\default.htm

Filesize
60KB

MD5
b2a06af2867a2bb3d4b198a22f7936b3

SHA1
98a28e15abdd2d6989d667cc578bf6ab954c29f5

SHA256
40f468006ab37ef4fcc54c5ff25005644f15d696f1269f67b450c9e3ce5e8d23

SHA512
eefc295a7cd517c93bbeadee51ab778f371be8b21a92b0c06339da2e624abd19c34907e0a8965e6bfe81863752c56cc509fcf015a3ee986d208a5fc7cac8bfc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\eula.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\marketing.png

Filesize
420B

MD5
0968430a52f9f877d83ef2b46b107631

SHA1
c1436477b4ee1ee0b0c81c9036eb228e4038b376

SHA256
b210f3b072c60c2feb959e56c529e24cec77c1fcf933dcadad1f491f974f5e96

SHA512
7a8a15524aecdb48753cc201c215df19bc79950373adc6dd4a8f641e3add53eba31d1309bf671e3b9e696616a3badce65839b211591a2eeebb9306390d81cfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU7776.tmp\resources\ux\pass.png

Filesize
1KB

MD5
5a7499645619886bfe949250e1807415

SHA1
152295cf08fcf1e21e26f05969cbb02bd22a8af6

SHA256
db27bad6e59128d58031706c83210ae780a9261e01af6fde6323bd30f7a97b12

SHA512
201fc4fa1aa035cf09872d6f335d94c97433b79af343d532d0dd5c6ab6ba60b5a3a3b60f466e2c7107c19e04ffcdfa8a016842b4f29ea3ee6dd3d60304d8d8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CA65~1\AnyDeskPrintDriver-manifest.ini

Filesize
252B

MD5
5cda10b02df931ebbad3d0fc9d9509b7

SHA1
f04b7885bfac4bee938d047f6703c58d4087facd

SHA256
ca33091bbdfd87bb3acca1a3eec96d3948a0830d9bc7bef3c40e15055e4c9a03

SHA512
99cfc18278eb4726b44caac07f1cec7f877791290cecd003417f1ab06716c5d4c004f2dea767676895db0e96dfa2023661d44684bfe990d5a97fc03e60dfc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CA65~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
299KB

MD5
a4e4b05588899d7dc1d70c651cfce2d2

SHA1
c280c7f97e02eb582f09805451e5b17c34d0e119

SHA256
76a784f5561994bf302f0d65576efc676866429497a16a611ea38f8fc8939396

SHA512
428bd7da6d77af8413227ae3382f707436dbd494e9ead7a3d002a175ba64ceab71f76fcd94581c3f2532809fa69af1eb29a56e48a61d37fe42dfddbe4fef0278

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2ca65e72-52b2-ea45-a257-54ff4c73f416}\SETFC17.tmp

Filesize
11KB

MD5
ddf4ac6ecd52467516b31e0939b8a030

SHA1
bd452adc22223981b67dc4d665e3a0e8cf470c09

SHA256
019677297ae01db991a5c122ae582424e51d41ef7bb81fdf26269afaaaf5ae22

SHA512
a63b7dc23f8a8ae697aadc564e947fa5a8d3429f319ea72f5b0cbb77c51bd4f7d15450218360d6a742e2f2e3187745eff71f237079bc01fa1fa5cb6fb3c7402b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
971351ead5606c803e955cbc00b613d1

SHA1
3f4308ae175b6dd81c2c787b55d052777ca1f7a7

SHA256
3a3fd0d11a40426002540663f88d7f56d54cbb719cc87c7825d88c97946d3c69

SHA512
ae60ceca22a5d8b1353a21189c0285cd6aa5479dc539d542a123ed7a73c1ad035c6bdeed64ac296f8cc29f1a049897fe13e814669d0f81eb652d0ebfdd08cc26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
30KB

MD5
c49ec046162009d86c32318166c8f9d2

SHA1
957b4e4b146ac6319a4b2ff4adfb06560b3eee11

SHA256
e1925df73b0ddfd7bac3e3082eacb0fd101a774dece44a0adda860f8324c0867

SHA512
bdd2fea3d8f571046824680e3cc3f70e432883fdbcee421b6445ef9f6e0a607ce81358e48fb240d724aa1456ab7957daad4cf7f2fbcbca278c7a2a25e20b8069

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
39KB

MD5
a0d8b8826e0c8ef04fbd96eebc50de76

SHA1
0cb0f8d27be47c44e836541637018ea4e7c28d03

SHA256
777f060d1b437b4721a619d940cbe905cc8952c05a436cc07aad60b75ad465bb

SHA512
471679fb3327c88e019c022bc5cb5697bca41f1c49ca510c4e88d49b6ddc1c19adac26b2bb630183d856baccab5470d8422490fd11fdab78c72b490e8d8ddea5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
ea3ccd467cb4a1be939ab58dade65042

SHA1
00f7ef94848c034a60ff4c3ee0c4c459f5718823

SHA256
4fb9ccd70f0b5dff785c1bcf5b997d70e7a2ba664fc5a8560a7db3cebef9865e

SHA512
044a3c770a50fcaf16083764241c7dc8034a4f878cda27541409ddcbbfc36fc37c5a6fd17c8d6c5a758ffde290e839dc37f5caecb2f0b4c6f63bbf955e22730c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
46KB

MD5
766be383db0f74500602cfc989370e19

SHA1
d188810cc8976a0d446acc9e74133e0258d31b4f

SHA256
42de92251322c4180ad221e2f326e07b61bc5bfbf4bcc99e591acdb06aeca2f5

SHA512
8d0c5742545a97b4789fee19e0ef02473d051952b0646a383ec209fa850fac9fbc256755d51f3648aa3ca5b9288573e5a655667ed9daf3c8e6bf238130015523

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fe62433a4b24d57b96fa13488a2c3f78

SHA1
23d5c0a2d19a8b9a08b3af4ae21a63842e00cd6e

SHA256
34a689a75b50f07018a1fbd6eb57179822ad9d8509e803013f498a1c39c74f70

SHA512
08c4bc95cb903b331ceadc34e793d342a515d1ec26d1e6f425dfd9c760024b0e4c3b19a8ff95ba49ebce9a5859e236413aadec3ece58605168c8ad9e66d9ae43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
064cfc41a9d86ec803cdea4731c63560

SHA1
4b905d7ab9ef31e145c1a4c2de6d740f649152ec

SHA256
e1b64c5564e463146d6e8fc20ae1bc44de6f272735f2a54aa839774055870704

SHA512
019b7598651156a0563dd468d338146086bc3e576ccfe141cb1463b352e379dbce62d265b58e13b5b47f54adac9464f76cf89c2d0c85df32c1a3daea362d1d98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
1eea585cb991c10271a76e19ee81110b

SHA1
9aadcfe121857e8bd9b7d1a2c9136091ffb1aef1

SHA256
44744ea3fa3cded35ff9aaeb5f24d43b0d3cab6dce023302a5ec5f95febfcf48

SHA512
25960b21a328b2840bf6821e849b7f2c18610a3bdbe3841de3d105d17cfcfbf0a3031fb3e14e0dad4a5c80bdf1212659a11c358e2bc2b269a823709aa4b013a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
9eca52fc1e7523b705e6f82afecb7128

SHA1
3bae356a3bae8349cbf2a003de5a1700a937696b

SHA256
2ba3b8c1ba95bf88fa6f07772da582b17a9b59dcee7dd1e613f9f2581e2c80b2

SHA512
945201666a61efe95a9f91dcabc2f09286140edac9ea8cbe276a85928ee77fc3d2b8ff1be43f9d7b52edbe6a71453224561adbf4019d91615ccf531bd62a04d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
02bc3194c98e842c4b34e06dbf4396c2

SHA1
2324f568d279e9c43ba7b8220f81d527f22ddeab

SHA256
ed72f2b2b0148dcfbc01b4fa0ab4b3a3fbac979c812be48dc59a0673e5ad8003

SHA512
0dc0b2a40538841a4a4a01e45ff1cca1a57adb4996ebb8c2a8cec3aef6f99b344cba921c1242df51b50cc21e4ce2fead84e39d7ba8293aa017d114aa496f7640

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
49b0e16439664cdf3da8360633f79a34

SHA1
32707ab7e6e5ef2ae734b70b7b2c50f18dc03a39

SHA256
c0d6543a878f3cc4c1e8d883918270c676ad56471203cb8e0b569682cd8222d3

SHA512
5269efc961e6da50089b85f67f247eae712439c671d50a4661edf801613424183bd4b363c084bb50c7a7732f86b614c84049d94cd9ae5a7c89b01fee2ad87a40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d8e0eaf8418e0bf0c53d91063b9458f5

SHA1
c167b04ce9d9ef36a6f544792beb2e0ea059a5de

SHA256
243a5016786491ce37d4cf84de59bd2ac6f7b10f16a2c41b15c674c223745171

SHA512
02f717ff6319ae297a14c755ac9b1d7559054daca25688440019f4702a4f62b36b125b362e9f683c5681a95192cd03544b0a35d902c8de87dd8a579b11805a88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
317b73f9724bdb2c92afb076725a9c0a

SHA1
1ee82eaa257c6e9b768bb608652d9a1a69d6724a

SHA256
fbcba5aa5ec0224ca7dcbba86aef5906cc575e595eae72647e3d9186d8f71711

SHA512
b474947445a94f4d18c5722050580d6650edf261a7a5d10d02ef12142099a18ec871db122526ea01344418e28d9aecca87057167b00ea411871bde92c3196a6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
33d2197a39121630eb367775df50c3f5

SHA1
8ce3259a8a0e44107bc72bfe5bf039135c2d5132

SHA256
18578a434a434229c68a2f12d6bbeef3524a6d3fc3f5f6147c04a9f8db030bea

SHA512
23b0800af35dfaffa835c3cce163bf7a19082631f1dccc6f2ba8abf6b6959e6a2eec741823b0da4fbcb690170e5ec96399114a51bdf6e54ba424a49f1e04416d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
428c805fa82d154a91bc8ee4750f8a0c

SHA1
76868446d30e0ec3dc3f4a2d68ee2b64d5306172

SHA256
0d49928272214e186c6bd7f25e8471f83fa19708343c91a68ccedcc70108153e

SHA512
14874459f0037c0bda743dff805742c6465ee81250a56ce9506f500ad718ab83f0d6b367af9f389fe90f480229399b07b6f9dd63b123bb2166784e9a370bfd57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
293ecfdf4fb846aa25041c8270013a8b

SHA1
1dca51b7f6f453052f4e5d097a28ec100fb9dc5e

SHA256
884af6151e3eb3551668b18f092fee18935a24f93e4a457fcae60b92590bba14

SHA512
967e98afaf0525c7f09825b15b5030e244967380a0d2e29a2003cbbfdbeba6e5abd2ce5a87688972cd1e3393752d73f7fc6d43acd4b884670397979e32567ecd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
558ca8ddd36f1470b1f5a8d327a3f98a

SHA1
464b4724529c518e17eb5031dedebfd65aa3a22f

SHA256
322988862e93951ca94b8b7954353882b8be3dc1fa2461348657d7dc3fc0a52f

SHA512
c6a851c8652b4922a308db86fb6e748c9401f7b64c056ca8cb5c5e8a09543f572f3d634b17868e5a7ac358a2b649e1ec8a427f7fd4ac55f4d6ffd85df6cda055

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2d03b701197c8d7127d8ff619fcb515f

SHA1
22aa3d2471f76afbc31d381fbd53ec7a9d4bb5e8

SHA256
25d20fceab5fe0273dcfa71d891d4886576b43db098e245cbbe5cb59fbad02d2

SHA512
01dfcbcc394059a3730f233a94f54ae9747df641218f2764c5f3e6d2d7890b19bf4921db28511c26131d9cc149661ac10122a7704edc14a0ac22900d8518c920

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a354d66ed5fee397dcb645e0c4943710

SHA1
ab06ed247af5537d6d0bf93763b7123fff9d5db6

SHA256
0758b3e29b64f86136dccbed94485ff91da3af26806e640885b8904524c0ee33

SHA512
cb8de079cd8c46f2659b32fe610bb5a27c671df82c8f7e138e418a5e6df9d16d09868885d63b25867ef1f0c306e0536f9658ec6766f6f7034f073e16adb7ed93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
234751350ecea62e46e7a8de41d7923a

SHA1
45572f7871eed04efd23eccb2d8e2040c54ea48b

SHA256
3520f05fff53c3aca20681f95d0c46c2acb0405abef6d0430109fe838f92a493

SHA512
12becc39a0224944f7477a2aaa4a1d6240b5c09c605298f042f9ea07b87d31a6e52763d6d452c0beb7ae42cb7eb7dacfa435ca7f5f6642316390166afe55d584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
22fd79556dcffe53e009a71007038865

SHA1
9da9cbb314419174a9725c7ef3ec4c9ba4d98a00

SHA256
0b00446358d92504fb26c4b8c72e4f8ab44bace0f3639ca4920ee343c365656b

SHA512
e3301857a82d6795ff32b719d84583decefc79ea3d41d5f16c95ea0df3fd3471d1b8648c7f1ef030e2d381a89a8a2255921b07da7ad0813fbcf8959970bc6039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
10ff6b0b7597ed6c2c1be497ab4b4c2e

SHA1
a8f315be69237fc9eadd3af021ccef1439e9bb42

SHA256
079b6487b29abe698d24a2cc604aba24a1098170ea91829a8be2807a18131ce9

SHA512
ca0f23810752184e2dc82c72603436f89238e2532450ceb0277c7246f9a101adf17fb5826e735b5898d053a4aaf054239926b1c95a4107f473cce9b305f73bc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
965e61dcdc3d96d55928d0971d5d8336

SHA1
101d9d6ef471ba1b2fe335e79790b4fbfdd214b3

SHA256
94e0b55bbd40c1794dceb026d8abf05da466ba57adefb1190b812d4137b92a78

SHA512
7b65ac59c8d222277d4f238bcd6c7203e1d5dbff2fa21b3c776f83f6ebde32691e67ca533868b2df465d25b20d4ae124479a906ee83387db76d59b6cf1b2fc17

Download Submit
C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe

Filesize
18.6MB

MD5
aa2ad37bb74c05a49417e3d2f1bd89ce

SHA1
1bf5f814ffe801b4e6f118e829c0d2821d78a60a

SHA256
690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

SHA512
fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 152498.crdownload

Filesize
3.2MB

MD5
c0b25def4312fbddbcc4f01c6c0f5ba6

SHA1
8d16a183d61233e7d6b6af7b3cafc6645ac2acb1

SHA256
c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79

SHA512
8c67619747bb108dae5661688ec8fa4c62bc6ac38ee6ff14a4691aab04d7ddd870fee4262cb30624a6bd85ac1f7595af05311496b0336f979e7e5f797791bc0e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 833291.crdownload

Filesize
10.0MB

MD5
d634fcd62241a93efd88315091cced44

SHA1
f1baad89da31bf3f63d07e9cb1517e371101dde1

SHA256
e60928dee71b11866a826bc474a72b928327d1378ea80319819217cebcd53b2a

SHA512
93d37c89215f5123168d2d16dc74da5a36375d914201562b2701783f82bb50c4488f2a1330d7567fdc734db1089f87369b61e86188401c55e8c4fbc4bdaaff70

Download Submit
C:\Windows\Installer\MSI8C43.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.sys

Filesize
1.0MB

MD5
0809df0b4b50b73e67b73ce9754fb482

SHA1
5bbf156438c6f53b426d451800ad31c18113d30e

SHA256
70c9a26893e09801ef872a8d93555454b520f60867a99df501607346a60f1352

SHA512
da9dec78d03ba2db5db957dd45e926e17fd4656c3e9823f1e0582968a2f9f4d97d4cc9d9e3587056c74e6384260476617310ce13259b72b1cc5c0a6c175501c1

Download Submit
C:\Windows\System32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.sys

Filesize
190KB

MD5
bd852ea819ac44f17b4beebbd568f212

SHA1
e2f549d235e5d2c6824c7dc50bb09c6c083dd304

SHA256
1c317b5c535efe02446d8793c6a473e3ed51f06881b310906344e9e3bc5792b9

SHA512
e162dacdba163feebf91acd43792aa2669cd4e7f13f0fdaedc1554492e8135ae104aad06c651959f20581d9bb2b49f3d6a559bbabc43ea8ab6ed06d850931f01

Download Submit
C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\VBoxNetLwf.cat

Filesize
11KB

MD5
c0261377e9c8115d9e67db2dcfe1143c

SHA1
115916d3fd1ca02bd1fbb5db9c846f0a9ac9f3d5

SHA256
c47acf6981dfc65fb25166e3df07fdcfc55c4eeddb79e3b8d1a066ed2596334a

SHA512
348d638710b14fdf509009d6e8bd7e0576bf3ce9144dbfd07b95c773653860284a0c2e1b8d5ffdacf097bf4328082a79fa457e1eeb65c4752b840ab17346236f

Download Submit
C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\VBoxNetLwf.inf

Filesize
4KB

MD5
351856254220eb250d62f4547e9aeb96

SHA1
c7a72d9f7b783ba54b5d8839279dfcba689a7c11

SHA256
c62c8264b3add792c706a4e76b643fe969b69ec902651b5d31974c42a026e619

SHA512
4e6bc35063cb16c602dc4c6080c8ca8b48dedce63d01db7efe7576e24a82127ddfd4ae00f052a81e4779d517045e8477ec61a7cf71c378fbe491aec54504c2e6

Download Submit
C:\Windows\System32\DriverStore\Temp\{116556cc-1c1b-824e-8de9-355a784f0f78}\VBoxNetLwf.sys

Filesize
250KB

MD5
68c5f8884313e9c5ad1d54fd7181f140

SHA1
40e747ce98f899fb8beb31dacc2cb261092ad6cc

SHA256
de4a67670417fe97e0207d40f38317104548d4ee77bbbf50f269dfc8ef655a9c

SHA512
6433586185dd5d07ab9cf7141d64a55a33fea3872e6b2616ae0dd8e75820fd0eac7593cff39fd6262dc0b1c779c8c3a8a7bdbdde2b95e9e1aa74d3613419ee7b

Download Submit
C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\VBoxUSB.cat

Filesize
11KB

MD5
ef3a8a5be39b7310aa1cae4f4e589208

SHA1
bce823d3ff3b7a4a5a7cc8efd693d3b36ace3e78

SHA256
b7a5d4285826327851a864698a938478bfc3a983a4386f7f70cabad9f7e7c6c9

SHA512
751c7cb03bcd6ce52d6171552ae3678a99076f0d5d216d3a95374b97b4cabcc338d155be9b8f84459ad755de875cfa0badd5018a85837e73e9a6815ac031f944

Download Submit
C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\VBoxUSB.inf

Filesize
2KB

MD5
81785d890d8115416554e545e3963651

SHA1
470cea23f5c8a0c64c84aceb35a0b8288d70400c

SHA256
c88c2da48932b247196ec915eb7e72403063376b4d8d35b582c236fdfd912bcb

SHA512
3a39f0d368eb15e73c69008b19f0b9561a56cc4ebdebe7d8cd2a57fa975d954a7660d2de2b74fe769dd0d78dd836d3033624109483f2e7784dbb470d38418ee1

Download Submit
C:\Windows\System32\DriverStore\Temp\{16177172-1954-074d-b2d0-e0bc543430e4}\VBoxUSB.sys

Filesize
176KB

MD5
696b58e28b09b0ebaf4f27901a52e0e1

SHA1
eb1b5166c42bb96983889c873f45a1ef7ee62295

SHA256
1ff96c3462cf14e27da3c82b3c890972d48b2b9ecc168608ef631b2ade2bb95d

SHA512
f57171a2b8236daca57d152d8c6b5cfd3e45f2037465c14410c44b510f07ae18bf777b7599c9f63293f9ac1e7322fd473db0f2a69172860d44046d43fb5bc39c

Download Submit
C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\VBoxNetAdp6.cat

Filesize
11KB

MD5
5d3b6f1bf4205e0f41aa7ab4f0d1e954

SHA1
c5343a49ba2c8496de6a10c1ef13c4f45bc5aa7f

SHA256
6573b7f11080594cee694c545edbecaf2f577ddd996c3d1d6f5304847bd45a6d

SHA512
47190629218759c840e37f6b283bba8154c8fab6e8bee16b1f088848038cbe42dcb23fde6615d5e2d8b5e27a0c1f75377e76fd1b8147624f6293c8cb7a5f9acf

Download Submit
C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\VBoxNetAdp6.inf

Filesize
3KB

MD5
39d54baf75931606454607628b8cfd56

SHA1
0c0af5bcb13fa4f9303adcaa5e1bd863850d696b

SHA256
c96d4504e9fa5a7cbafbe01b3a436848b7ea8c95690a533ac7d4453b5ebd17db

SHA512
3dac9f6f911e2a1daf1b04ff6ea2f1e23cc78fa53e67d4fdd26e641e290921f5da9bf9c4f6442eaf418bdcd4d3a9f1dc5fe558c4b3d34db7773ae451ece3b66b

Download Submit
C:\Windows\System32\DriverStore\Temp\{9497d979-e038-9a49-9992-1dd356a9572b}\VBoxNetAdp6.sys

Filesize
240KB

MD5
83e6380b648c6fa9659094bce716d9ba

SHA1
a8a97d3dcba0792644c29f04b832ddd4ffb0e35a

SHA256
7786fa5fde0234b77fd4fbc131857fac471b1dafd42ccf6f38b3012da3b8098d

SHA512
251613f93fb624da3c6daa30ca3b1ff80351c421639b3ee034898bcfa8dfc32c04af1370d0e470aa11c20dc64eaa8ea142bc31e544fbb358272efd2316ff73f6

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
107KB

MD5
3e4faea0b25e83b1ae76db64c1e09dac

SHA1
eb29788edf345fe973206c3c5530fce91bfe5676

SHA256
17448db48f04666356daae824f880314498ca7c85bb0e27eac15c1e4eef6f97a

SHA512
599f5105656d5e77293a4ae850bff20ae5cb7cf56bed01c3c16a55a803ded98ee005d01c6271ca583a4fbe2d5eec6263199471718b3c034f2c30d39f99387723

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
567B

MD5
8accaa9aa32148aa2bcd72ff14880618

SHA1
a1226a1c5c92e41ba22b382debc0f9a754b92c05

SHA256
aa0b5f757b3d83d19c973fddc4e82722b530d9aedec51f6a540a91126e4cc0dd

SHA512
026e07faf75a5be8c96ae59a93302a487a18b193b5d915aba5822cc27d2fd1f70fafb9239b34df8280b060f85bcf3316d1d4d5f1b21c8557b187affaf490a3bd

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
22KB

MD5
24479253cf8300bc751fcf1b599b11ff

SHA1
070e03f6a607c07468332189a2af82b1258f611f

SHA256
b7ed09e5141965dd3f058e87513a778d6b76905a98299a44a96303f89f76f877

SHA512
7eab3f61b4dcfcc4e80efb90078b5c306eb5240711ee07379626e77e50009a77aab79feff43a2b85e7bf7f2fc2f62205fc2ce095e99582170aa89134efd7b92c

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
1KB

MD5
4fd72ea7caab0a5701ae754ff971977c

SHA1
6a432aa100f0214cfb0578140882e0a8a6ca473f

SHA256
9ebbdb3a72bc8f74f71559ce9b069f46e362ffb506cef791f1e40bf624856cfd

SHA512
7003d768d51b46c979924e02ebfabdc56b465865751914ae42fa1fcc5e3f25560fc2ed851c5c19a8768f64b9df5949b8c45cde65bee4321227eac1307467a4b7

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
140KB

MD5
493064af94247b271eecca1b9ae654dd

SHA1
95f32d864f6f6913aa435cb53f88016093c53648

SHA256
510b7fb3af6c02f71a20c10fe8be8c2d42054f93cd1bd01a58aee31760655a1a

SHA512
5b3f0643426ef4544e35315affacc1af4da45d9c9d99b61b6ce0a387ecaf6a752f0e7e145698f3f2320fd9a1b53bf99b0661f2d3d852d858d3481cbd790cf496

Download Submit
memory/488-189-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/488-305-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/756-503-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/756-387-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/756-450-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-448-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-507-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-516-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-234-0x0000000004A40000-0x0000000004A5B000-memory.dmp

Filesize
108KB

Download
memory/1312-231-0x0000000004A40000-0x0000000004A5B000-memory.dmp

Filesize
108KB

Download
memory/1312-217-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-501-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1312-235-0x0000000004A40000-0x0000000004A5B000-memory.dmp

Filesize
108KB

Download
memory/1312-520-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1712-458-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1712-504-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1712-510-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/1828-38-0x0000000005B50000-0x0000000005B6B000-memory.dmp

Filesize
108KB

Download
memory/1828-11-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/1828-181-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/1828-194-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/1828-41-0x0000000005B50000-0x0000000005B6B000-memory.dmp

Filesize
108KB

Download
memory/1828-42-0x0000000005B50000-0x0000000005B6B000-memory.dmp

Filesize
108KB

Download
memory/2084-183-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/2084-10-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/3968-508-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/3968-330-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/3968-449-0x00000000004C0000-0x0000000001B02000-memory.dmp

Filesize
22.3MB

Download
memory/4284-193-0x00000000009D4000-0x0000000001AD6000-memory.dmp

Filesize
17.0MB

Download
memory/4284-184-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/4284-192-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/4284-179-0x00000000009D4000-0x0000000001AD6000-memory.dmp

Filesize
17.0MB

Download
memory/4284-180-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/4284-0-0x00000000009D4000-0x0000000001AD6000-memory.dmp

Filesize
17.0MB

Download
memory/4284-7-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download
memory/4284-1-0x00000000009D0000-0x0000000002012000-memory.dmp

Filesize
22.3MB

Download