ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071

Analysis

max time kernel
240s
max time network
244s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mediacreationtool (2).exe
Size

10.5MB
MD5

b2ef653a8575cebf20a4aabe17b70b6b
SHA1

a686304500e45ebf945c85b9de9085e6b58604c0
SHA256

ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071
SHA512

dd293115d1f1b4474f5cdb03884529ea9e887f2420df8b4b050cb6f0e458cf8515c6dd33b977c20c680c088d6b4728f922df74f0f2475b2762f4f4377971f21b
SSDEEP

196608:A5bD7KOunIMtG90JfG9o1/9nxRnI2UHafMeF0pbhoFpS9oBDh:G7KOOtu04m9nxRI2U4cpbh00QN

Score

8^/10

microsoft defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
3364	SetupHost.Exe
4360	DiagTrackRunner.exe
1904	mediacreationtool.exe
1840	SetupHost.Exe
3840	DiagTrackRunner.exe
4780	mediacreationtool.exe
2428	mediacreationtool.exe

Loads dropped DLL 26 IoCs

pid	Process
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
4360	DiagTrackRunner.exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
3840	DiagTrackRunner.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\diagerr.xml	mediacreationtool.exe
File opened for modification	C:\Windows\Panther\NewOs\Panther\diagerr.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\diagwrn.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\windlp.state.xml	mediacreationtool.exe
File opened for modification	C:\Windows\Panther\NewOs\Panther\diagerr.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\Eula.rtf	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\setuperr.log	mediacreationtool.exe
File opened for modification	C:\Windows\Panther\DlTel.etl	SetupHost.Exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\setuperr.log	mediacreationtool.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	mediacreationtool (2).exe
File opened for modification	C:\Windows\Panther\DlTel.etl	SetupHost.Exe
File created	C:\Windows\Panther\NewOs\Panther\setupact.log	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\diagerr.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\diagwrn.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\Eula.rtf	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\setupact.log	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\windlp.state-old.xml	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\windlp.state.xml	mediacreationtool.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	mediacreationtool.exe
File created	C:\Windows\Panther\NewOs\Panther\windlp.state-old.xml	mediacreationtool.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	mediacreationtool.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\mediacreationtool.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mediacreationtool (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiagTrackRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mediacreationtool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiagTrackRunner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mediacreationtool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mediacreationtool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mediacreationtool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	SetupHost.Exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810732232724828"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{896EB706-C0B7-4822-AFF7-9EBC2E0647AA}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 601305.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\mediacreationtool.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
3364	SetupHost.Exe
932	msedge.exe
932	msedge.exe
4036	msedge.exe
4036	msedge.exe
2376	msedge.exe
2376	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
2904	msedge.exe
2904	msedge.exe
3408	msedge.exe
3408	msedge.exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1840	SetupHost.Exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4008	mediacreationtool (2).exe
Token: SeRestorePrivilege	4008	mediacreationtool (2).exe
Token: SeBackupPrivilege	4008	mediacreationtool (2).exe
Token: SeRestorePrivilege	4008	mediacreationtool (2).exe
Token: SeSecurityPrivilege	4008	mediacreationtool (2).exe
Token: SeBackupPrivilege	3364	SetupHost.Exe
Token: SeRestorePrivilege	3364	SetupHost.Exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeBackupPrivilege	3364	SetupHost.Exe
Token: SeRestorePrivilege	3364	SetupHost.Exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeDebugPrivilege	4360	DiagTrackRunner.exe
Token: SeDebugPrivilege	4360	DiagTrackRunner.exe
Token: SeDebugPrivilege	4360	DiagTrackRunner.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeBackupPrivilege	4008	mediacreationtool (2).exe
Token: SeRestorePrivilege	4008	mediacreationtool (2).exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeBackupPrivilege	1904	mediacreationtool.exe
Token: SeRestorePrivilege	1904	mediacreationtool.exe
Token: SeBackupPrivilege	1904	mediacreationtool.exe
Token: SeRestorePrivilege	1904	mediacreationtool.exe
Token: SeSecurityPrivilege	1904	mediacreationtool.exe
Token: SeBackupPrivilege	1840	SetupHost.Exe
Token: SeRestorePrivilege	1840	SetupHost.Exe
Token: SeBackupPrivilege	1840	SetupHost.Exe
Token: SeRestorePrivilege	1840	SetupHost.Exe
Token: SeDebugPrivilege	3840	DiagTrackRunner.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3364	SetupHost.Exe
1904	mediacreationtool.exe
1904	mediacreationtool.exe
1840	SetupHost.Exe
4780	mediacreationtool.exe
4196	mediacreationtool.exe
4196	mediacreationtool.exe
4456	MiniSearchHost.exe
2428	mediacreationtool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3364	4008	mediacreationtool (2).exe	77
PID 4008 wrote to memory of 3364	4008	mediacreationtool (2).exe	77
PID 4008 wrote to memory of 3364	4008	mediacreationtool (2).exe	77
PID 4120 wrote to memory of 4040	4120	chrome.exe	83
PID 4120 wrote to memory of 4040	4120	chrome.exe	83
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2896	4120	chrome.exe	84
PID 4120 wrote to memory of 2900	4120	chrome.exe	85
PID 4120 wrote to memory of 2900	4120	chrome.exe	85
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86
PID 4120 wrote to memory of 740	4120	chrome.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe

C:\Users\Admin\AppData\Local\Temp\mediacreationtool (2).exe
"C:\Users\Admin\AppData\Local\Temp\mediacreationtool (2).exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\$Windows.~WS\Sources\SetupHost.Exe
  "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3364
- - C:\$Windows.~WS\Sources\DiagTrackRunner.exe
    C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4360

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80155cc40,0x7ff80155cc4c,0x7ff80155cc58
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4460,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5340,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4880,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4884

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8013d3cb8,0x7ff8013d3cc8,0x7ff8013d3cd8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Users\Admin\Downloads\mediacreationtool.exe
  "C:\Users\Admin\Downloads\mediacreationtool.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1904
- - C:\$Windows.~WS\Sources\SetupHost.Exe
    "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1840
  - - C:\$Windows.~WS\Sources\DiagTrackRunner.exe
      C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.microsoft.com/windows
1⤵
PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8013d3cb8,0x7ff8013d3cc8,0x7ff8013d3cd8
  2⤵
  PID:4756

C:\Users\Admin\Downloads\mediacreationtool.exe
"C:\Users\Admin\Downloads\mediacreationtool.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Users\Admin\AppData\Local\Temp\Temp1_mediacreationtool.zip\mediacreationtool.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_mediacreationtool.zip\mediacreationtool.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Users\Admin\Downloads\mediacreationtool.exe
"C:\Users\Admin\Downloads\mediacreationtool.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\DU.dll

Filesize
137KB

MD5
acb297cc72322fb2b3d0f24b0c829b43

SHA1
a434036186dde1bb2c2a8864ee71a9b3b20bab22

SHA256
98c437d7f250778a7a5c38b885f7e1994f088ca210ec944e3300a2896488648e

SHA512
e09807beed476aa5f28ef94015eac5330f75fb4e15e09c49f690381d656a4acd5c12b3350f1b30ea5e7e19e7218b6dcb0e48c6a611568b8ff00f04fb598deba2

Download Submit
C:\$Windows.~WS\Sources\DiagTrack.dll

Filesize
901KB

MD5
6c3f6a6bc5ede978e9dfe1acce386339

SHA1
3b7b51d762c593e92123f9365a896ed64ee26a7a

SHA256
b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

SHA512
3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Download Submit
C:\$Windows.~WS\Sources\DiagTrackRunner.exe

Filesize
77KB

MD5
76f30a1e149792d2542a253b920cbef6

SHA1
9040e0873df5cc2a64b850d1b8159b77528ba62c

SHA256
488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

SHA512
ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Download Submit
C:\$Windows.~WS\Sources\Diager.dll

Filesize
57KB

MD5
ad667ce37e222222a71bf8da694bf012

SHA1
0d1fd0063a43f0c00126c626b9af25a6e66fb08b

SHA256
255a4157c25da2db8a5e5a1505e3b7630be496316066aeb6e82f1ef671a21460

SHA512
37807d8cdaafad7d7970d3b530784eda27573960446f32d25339d1a594390db291716d604c21cb4f26327ac94a9dc805d6c465d328a35bed4feb45caf50fea30

Download Submit
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
3.7MB

MD5
5ff880b8888b3b2041fdf0ea70b432b0

SHA1
5705fb3a154e89761809ca447e5fbfac77e389eb

SHA256
fd0000749c4f0bb62e7a1863a2c63d52a8e312722f4f534d48a75a4c6f799011

SHA512
21abff0b9cfa637861062b0683435cbc07a528ed5235ebbc51a9b5c30e0912c148e6e5a9960a27a2a3f95f4af303356b61f68510a37d9ee7d4530c54828354e1

Download Submit
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

Filesize
192KB

MD5
8e351c1269f6e16ba989e21094e1b1b5

SHA1
19f212c34d17d71eb4480a866114119076740b32

SHA256
8b8611fa7ccc94210aa37fbed8c4e3cbd57d0b41634ad52f7fc40076a2c7264d

SHA512
bfd0a2e265a2d88b7a8206a7fc576c5c719d61dbcdcfb0da4f7a1371ea552a71ac26ef078fdde231b70d13f739019623357f67411a6f508bd4d7fa77d4db821e

Download Submit
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

Filesize
128KB

MD5
82084825c83720703d73ffdc24c4bf8d

SHA1
bef7f5b1f2585448a14f372e11220ecb9b05afb2

SHA256
145ff7e896c93914155e8cba8fe8212d5abe91d3ffe4478d102bbda10fc27bf3

SHA512
8b13de9569cf9468a9eab093b28ef76e151e472195af04449c12c68a4a222647af1849e7ae18e07f2c5a3046344632034bef1bbb0876f3c90ad15859e49655bb

Download Submit
C:\$Windows.~WS\Sources\Panther\Eula.rtf

Filesize
199KB

MD5
cd28b51516a9309b350607dc57faca76

SHA1
c9f8e72f1184dac6ad40a94295a594a94b1e48c4

SHA256
7fbf900fdd0eabe63def6c5b432b5d3ff51f8ec9af7d9e9ab3a9d7441d032c22

SHA512
7c7cb19b814debcdd5a1717f2039492ef9fd018ddf5ff0647cfb13fcff550eb20f44960ce239033e8bef4bffc0d2668e9574f2aff3b4385606ab1aecc1e1de12

Download Submit
C:\$Windows.~WS\Sources\Panther\windlp.state-old.xml

Filesize
460B

MD5
4f607776a1c8fd8d64bcd541502b36b4

SHA1
7a441983fc00acac6048e76a55110e1d32f3a750

SHA256
7008dce109754e1b6b3f0c9d43c37271d69ca67ab581d11fb26a9abb49107f69

SHA512
a07867b4c21649009779e6e4a94f6de5ab95c721ffef9d5dd44acf747012940325335ca24e91ae0e043eface05c7b551b43e20aae0ec46c2c709c47a88890516

Download Submit
C:\$Windows.~WS\Sources\ServicingCommon.dll

Filesize
807KB

MD5
7647226025e2f1696a167d2a635aeeb2

SHA1
410d51cc71fbb5c054fddc8a491938533917a656

SHA256
8dbc67ea0c162517b55499b986946c55856610562a54fa6cbe851fe0fd865535

SHA512
85a7bcaa201970cd6c3048838fa24b11903206d4205769a550857d9650bc84f512d89297ee58419db866ce69fe46ee4826ae72af1fa8ebacd1e63b9ff0e1392c

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.5MB

MD5
49f73880545587129d0e76ff958ff421

SHA1
758ee02c9a0b7e68a3fcb3ac2cd1a7b57c804b25

SHA256
eb9d28baaab8cd902177e1db5c41975ceb926f56baa42876cd7b15410b320f22

SHA512
13fbf6e2ed58772fbb34fbc823f9bf0c0175def1c925abb0db5e91003e186475b5970169dd050891909643537aa78df0ae18c997394b2be2826476f4ed29c35d

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
697KB

MD5
e4d5415ab31ed174ff7eaf707d006971

SHA1
15a624a55b71849f46ac1326fda1cbc3faca5ee8

SHA256
f967f52583c71d6b7444e4bf3de31287f03f164f84ed56e3416c8b81a9c699d3

SHA512
af8c31235955455ebc80e2a50e2bcad7589f9a075a08c0674b2f16f5e30cae3aee981ccfff50ab48b965cfb6c9ce4380402142d47b074b8dddb78f3dffa93e12

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
895KB

MD5
8841dd93dd8cbc0104a0fa0be3ab276f

SHA1
06e3e4f198526a1cf670f8dbf9a16b9d07fec5c2

SHA256
b25f86c8349de51bff360ce48a22b84056d4c35536037f443d304d2054ba8784

SHA512
29c80526ff01d3d60243bac49f07bdd80c2f63aed1b1d2ba04ec79ae7bfe3f871aa8e88caa5cdb58bd5f36395c22a26b91b4be0f4d26ba301cd3e3d85905e681

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.cfg

Filesize
22KB

MD5
cd678b1258ff4a0bc040084427934330

SHA1
62d06976e76081e76b6cbeb51d16b1416b7bbed6

SHA256
602752bb1e5b1b0be45a187cea81362eba1010bac00b631d67081cfb6516d500

SHA512
ca9c4be3e62fb92f4703b10f65e08b2045e52c781728b4757cd79e531edd5c3c468e1bc56edfd8f74bdf4b2d79d767c59dc18cc30c7e8515c89a1751c338b21d

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
7.0MB

MD5
199fc0a0977b155f6daf1fa88df565ae

SHA1
5b2c674b7213db1a66bd245c2fbf0827485af819

SHA256
05ada1ec86d60c0a6bad54741d758a98f8c0d362f54f521f212d9e1f5cf81bd0

SHA512
8dc11b297c224ce38d6cc350e18c5974a4d170e143ea2c1e1a7ab299dce440a78b449ab26626e2a2834c2cb5c1e2d2fe554ba76d7fecf2c21a9ac77bd1ab796d

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.ini

Filesize
95B

MD5
372c99091db217e258dd1fdb1aa6378a

SHA1
e8fb4c1a7427359f939daf30619c53af6b3529ba

SHA256
a53644e2cbd10e39afe1d14f7d9e0bb9a46052060210ada2bc34d522a7d4f3c0

SHA512
eaff061b70106ef63647bd81ab780e16ec96c400264b98507af5f80d6d685eb05f078764a374d57b7e38bb2e84e08d8e7be0304666c72751d647b28732518b0b

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.ini

Filesize
95B

MD5
e13a79c22c8a2252e5c126ecce7eeebe

SHA1
9b3c35a11e7e9dfa18a59e7856f0261d20e438b6

SHA256
a7a26b96076d2aab3297bd161522fe8cc250e35b902e4de1d24c1472229b9def

SHA512
5dc489d36390d7331c351c93ac65dece4893e66cfb6699198291e87e33aaafb38e6bb00c33cab1ed3a35db57b94c86b0db9761feed8805e7323cbdce2f704486

Download Submit
C:\$Windows.~WS\Sources\UpdateCompression.dll

Filesize
348KB

MD5
01419fed1286b656a8f7b4a17e751ad4

SHA1
93610a57188be9061fa24a57b7e2c7c7f8d2eacd

SHA256
b729c87bd59af4d631538f080be29cb005fac00301212fd1719a33dd44632aae

SHA512
fbd5dfdc6176a712ae4c1b908b573c1a544ee198420ff1a0fdac116c15c709004cba908d2d0746d77879fe803428b7307bbc6cc27431eb94d78341e46baa0ebe

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
201KB

MD5
c8e56f10d4fe40caa360d8ac5eb1e3d1

SHA1
2915ee618c77a2bce62f7dc2579fb8d792db1ff1

SHA256
e83436e219af407cb1d725ca1bb5f3b390f42cc88ad7c2320e7fac1932ed9188

SHA512
de023e42f067d29c28a554c18478bb2d3736d9380fcd2795890771f4060055de6d5b10dbe6da1ebdeaa49bfdf9c5226f57abf2070dfa36921dfddd36a9f92dde

Download Submit
C:\$Windows.~WS\Sources\WINDLP.DLL

Filesize
1.2MB

MD5
2b642417613dc061ca3003c831de3790

SHA1
af556f999d146787e5cdf3bea98e419bfe778b56

SHA256
e77f50022caa3c9805774fb078454b68b0692f1bbf96216d3af93e3501c688bd

SHA512
6738612ab25c3e69b9c825fc299d36098aec4a9725b85c9dd5dee6dcad5b09328e3aee115d2b693492d2f1a65fd3758e913d684ef1a4f1775869bbbfc66ce90e

Download Submit
C:\$Windows.~WS\Sources\bcd.dll

Filesize
112KB

MD5
983de88fca9e5ffe647cb60e7aead3f8

SHA1
46b7f455d8641b0c9d90ce7ce41dba9b944f8ca2

SHA256
bdbc66e911bb95b9ccc8c7d4ad74a5c5a050cce6d26f278a9e758768b2ad5f7e

SHA512
1cd15970f33c6d5af0b6860cac82bc11991cecd28eba1712d4ba2a9b445099a378ea5e4429d4702c013e747c678df0970df02ffac900e9781dda3dc989e775f8

Download Submit
C:\$Windows.~WS\Sources\bootsvc.dll

Filesize
226KB

MD5
5a71c3e7ac88b90aa793fe0556bbe59b

SHA1
24a345576d252184d831ff463facadfb6abf1692

SHA256
c90e2e02256f59ad4cec7e16d0c519005a4fcdd6a78470a96bd9205f69d4dae3

SHA512
f42b7220e347124e3e4c6f08ca0c30c97859ce0057227b1f12be055baace1d152e14793f814dccdf178a063658a23f1be030771bcf973c5580521fb98b91d635

Download Submit
C:\$Windows.~WS\Sources\hwreqchk.dll

Filesize
294KB

MD5
8bdcd3a20ae0f8d18f5ef55dc8658dc3

SHA1
9460f616a186ca91dd877dcf0dfffa2038f5b41a

SHA256
2282903acd07406e998343cabba123b58822d86c3ad53edb6caed3b4d155a793

SHA512
a3ed7f723206d6809958248064dadc657408a7d57e0cd2f06000559b96c0e252b3a11684aba4d4d9a762372652caef6dd17055b59d1d7aa407c3d4dda2926a8c

Download Submit
C:\$Windows.~WS\Sources\pidgenx.dll

Filesize
859KB

MD5
76c5abfe6d7ad6f85c6c2c08f3f6d487

SHA1
701df3c07adffd62d35aa6668d46fb50ab37f617

SHA256
9c5b71b3e4d82d301ba36b6f3d94ffce6fbce393dbf1636bd07bb2a06a090783

SHA512
0bf29c30af247fccfedfe00a0c2c494fce16023e92d707a238daceedbc9c06e2e911a2168cf5fa656acfd9b01dff3abec4f330e23056a5fc105798da6e221522

Download Submit
C:\$Windows.~WS\Sources\pkeyconfig.xrm-ms

Filesize
637KB

MD5
890f414006b7b1027275fd72acf29d11

SHA1
f1436472ab575cdd393429349da95e7e4cfba53e

SHA256
a8e446dce8ab21c8efb42c9c98c1d695d82e1800486e7eb63996d0085fc7b681

SHA512
dda752eb2a947c779bb682e7adb26c09c54664afd216fd2b5650ea4a8d8493fde5b34b69ab54335ca9b40f30ede66a89ace008aa65d6c411e7e95dee791b9e03

Download Submit
C:\$Windows.~WS\Sources\products.cab

Filesize
28KB

MD5
9c068bc050d124d83e41f0a2d1289a5f

SHA1
7a7631f5494a1551cf21692532b6f23e9ea8271e

SHA256
2201bccdfb68908ea5e9d543d32e1bac1bf2ee9ed7cdd05c1b50478a7d2db36c

SHA512
75c9e31f392a901f2feb56d22ef40ff9b0b140cd643e76397685198731635ff3f0afb933926700237c364e924a979c39cc62cae69fc842f3ed733541def6bf0d

Download Submit
C:\$Windows.~WS\Sources\products.xml

Filesize
1.7MB

MD5
422836153cffe91fbe766a551b5c144c

SHA1
274507329a6714ae93e673a9e4be6295588cd069

SHA256
2145715a5e7b2698b84e72b0a9f7b847803977d76e4d1bf13528e1bf0c271653

SHA512
b9d3463bdf2d92adb0333bec7a4bf02bbf315881430e007cb2463030776db3b9525b7bcc42da7d50604484206f1b06e5024d9a50e7f93ab3f754ccccce191a18

Download Submit
C:\$Windows.~WS\Sources\unattend.dll

Filesize
165KB

MD5
fec4e0ade7809898c1e5e47dfd4e272c

SHA1
687560baed6ad7a45f47f78cea3a3e203e5f4854

SHA256
c1bd94487e3d4f331ebc6614ab04409639aeb223939224dbd3f8bcd1337c955b

SHA512
c1d57084be78ed00bcf21a0ee673b060897ebeb4be9c3a71bbb7545e35e304850a3c882aa021c10e2ac8d902037ec1c486437a5e98b5ae91cd58674252076b60

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
808KB

MD5
598878bda0cd9cd4c9e45813ee15a660

SHA1
5c92b6675ef1a3fe6c0a154d5d97b36e03719392

SHA256
9e8e14aafecd40f1ec955be958a39906dd508f9678bf15a73c8478967c209dd8

SHA512
a0ccf747591c3ecb4e49e3300fa0c5d31a1220d4a7e19a7b4886431d1f59fa18b9b279fde6021692c246fb654448ffe6ca1603f536a09582ac857cc5b9b72949

Download Submit
C:\$Windows.~WS\Sources\utcapi.dll

Filesize
30KB

MD5
4de8526a7473c40fd5d09f8f3e9acbc0

SHA1
c9bc9d2bfae9f8bd134bf1d016165fb8682fa214

SHA256
ba7d7bc704fd3250ed35e449eae366c168e76b7636dbd1889b958aa123642074

SHA512
b8b2df94c015aa8b6f35713ae5666479f050090668f69958256e01bdd1b908582d83b7c646eefa0702b152c4364becc0296a1498e4e2283950cfe6289550a1a0

Download Submit
C:\$Windows.~WS\Sources\wdsutil.dll

Filesize
238KB

MD5
f8eb9622154b98ad11416bbfe7ca2542

SHA1
5e7f8b6657c071b35b3b3daa29d7f0f0c621edcd

SHA256
0f86bec1966f94e261bf0232b6c2499b1fd546d90c0c80c3be075b5df8ba566b

SHA512
2a671b85a3ed219d4fd1e017fb268a52eae5f9905d82ecf22e91efc7876f75cc574c9b2340cfb758df552ab3d2d78f1e00a2bcc56c644468603646562d2fcc27

Download Submit
C:\$Windows.~WS\Sources\wimgapi.dll

Filesize
676KB

MD5
27bd588cd3b091344e024fb6872fe6c8

SHA1
14ab86dffa0db393b76f7f17ab7e6f7e091cd9b5

SHA256
da779496765d62bea7957de515f425c0f83cac12a5fd8b1272b2e18296cbe119

SHA512
840bb79349de33afbf8b20caaa2fbd7908e4f632bf6cfad3fd5e5baa79c18c863b7398e698374480b6b93fa126fd0fc9d0f86b9b93d7a12bd7b28f64b6905695

Download Submit
C:\$Windows.~WS\Sources\wpx.dll

Filesize
1.1MB

MD5
8a9fae3d0884aba527273a5074077fad

SHA1
3958652c95e6bdcfec47ddffdbc8d5a5c796a380

SHA256
358027eabf6e5d58a78efb96753a9aa1e758d996ee56b4ae5a832974801755ae

SHA512
34be7636bd9fb035d84a614a1b05dee236bbb5ae0556c6a16589f04550d69a89435fcaf1be21d61b5f408d5c692473793bfe3f7ba6380849f9fb838e3c1136fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
db881a63036e1e766d79ddd2461dae42

SHA1
63d943a4971bcad6e3ba47b43988ec4eb7d4339d

SHA256
5448197d87905c4317b60ca9dcd23c1464cd4723a72414837f43ab884f507a77

SHA512
64c9c870991e6c46a54328b2784aee889fc0df661407eea0dfda6b8474319ded12e1602e8dd349d900052ecbe1958f0475c81f7f0dad9b555babd662f10f4fe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1f865578293a4404452ee5b1fc68a96c

SHA1
9559a47a85d33fc8e0f87b9deb5c3e2a9469852f

SHA256
4d6bdb6fdd473902f2c9d9a436bf44e186dedfc39d3bd5291e810c839a8dc440

SHA512
430921ba23be56c29364447b7ae52ba9d7eee706da94b5a27f1ebc608de11bc79aa486d68a5db5ca66149efff09acf8f1b4a80f95510b270921ff519e5619ed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b71b874ca2110ae4108a0d568dc4ae7a

SHA1
e247e645a779899d1c82ae632e8c9baffa28ce1f

SHA256
ae876dfc3f17a1c1f96813159cc98380a304e9749462f541cc9aba5e2fdd1fd2

SHA512
f87162f748a4a585fe625980b031c5936e725bff804f665b7660d01dbb4f2fff9c9f495054cbfb5639d36f02d68afc16196605a0793a983446c706026fb6c6a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dfdb03681684449cc067bed9c6c397a6

SHA1
bb98ef87841830240d8c9b0e18ab0ec008fe3303

SHA256
a8f361a0c6ec3b7a72193070dc6bb5b0914ee9a8a29c83f4ee9cdac22f4d5123

SHA512
58c672a11c2ae035927eafa07c96d3a314dc9e7f751207b86bcc5d949e6df269a33342508e73daa72187b180e992658ea65ff478ea65acf20526c262f5ef8006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fc483a198012e435da577464739120a8

SHA1
24235baa93951b94c9eb13224704d7eabee55d03

SHA256
77123c57064f2a87fcc2c04cbe1b5dc83802681e6e5d9bb64e7ab1e7507c1858

SHA512
0646975be38fef4d866ee93ee873ca27d0d02e4947301c3e1bee835e5d0fc95dbf220087d3fd74a4797ab469ce58e50107735eb71e5b731c8e8151b57e8d6bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cdc09f09e2d774d8176754a0122185db

SHA1
36ea5e8e103797c3b972a4e97c2356d04dc8bc10

SHA256
8a1b30965b72d86ad7efec812a760f9820ab0cc5ec05573d096de14d7f7f4978

SHA512
a560d1437d563fd35cc7603b1b6ffd00fe8b63ddd76743d3fa7753027e25cdc954102aa013d1d19bda50b6d46c0535ffea3b159ccf228f6130c68748f9056a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98c2a7de17fa3a0c1bedc0b0e87645d7

SHA1
0948b3ff8cfde1590b2eaf63f4d9732b30056611

SHA256
a17e69d4ff668d0d9b712297b608dcf340787c42df7d443eb6719bc407cbda97

SHA512
1227caef89447b7e20d2ea4d445c8a84465412149c3057b18898ee96acb2d30b88ac35114e311978e65368acd7cd34712bbedcc4dae7a636bc0aab5fb4a565e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00dc315af28ec8dd66c6544ee15564e5

SHA1
5be7dd8dd916cf59cf3e9e0ceb0f06603a7fbd08

SHA256
8d57bfad8d777513f107d8b612d806e0a3961a9eed630ae76c17e795b1a93713

SHA512
a0f0e227c505f38dd3437acadad955b01cbee3b0631e120fc20237ff391ed62740d4cc5f8fb2abb25527b9351c0f79df066caca17ce1a3e7aae9e6ffc5fc9552

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
72699efac6bf4749415a71ce45395bbe

SHA1
d6963db87ea7209ef36c8fc539ce359a802b2b7e

SHA256
fa7571cf3fd74318fd2390bc409d1923507200d28546e37789f08c3ada419b6b

SHA512
945c6ecaa69553059c8e82bf061698362b9f039d828bafeba19dabedb9518073111be72ca8cae4fe5da0b40a9128a678fdd56cf3b797ab6b12dd86d0f4c708fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f5104140dc7d60f576f27264953cb943

SHA1
eed2ff59a4ecb5880beae3b4698623dab14eb1c7

SHA256
2648bc496a50926e2fdfa3dcc9001d8f61b0b8e02ddb8749bacc9bc7c8f5371e

SHA512
4aee622906d6241313743e3a26b1cd7232099c93ec11826d88f1fec48a62d831e9917ff328232ff49830f82e2e04d706b49cdba752b173be04bc4192deb17069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
8eea20a25c6f482842ba3793bd750d9d

SHA1
7082282e5b68138c6c62ff250787de38426d8e5d

SHA256
835ddb02cbc7e423ee8b25507637efac4051ac560a22e1fd7d24e0ec59d4e5c7

SHA512
75095354be19c40103ed8c31296eb820de83bf5aafc8d582149777c740b27293175121ae23322ae1bbaa6395bad139a825f459d430dd637f80d4b9b8c8e42037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f7549a824e1fefe42d63a9dd4984ab6c

SHA1
5d9a265c97623a8d6c83b806555972d0bcb50f4a

SHA256
29ef8fe3a4e0136c4ef0a0eb1581a288cefcac5cd299f574a99799485f059d86

SHA512
4173f61543a6f892294082e78a56b3cb420961fa85cd1ef38f87876979783e0bb5ac1fda176779b25fab5e505001c6f5255c87aec412eee464bf49bf12268a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\64c683bc-9793-4b19-94c5-5a24410a636f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
14d4c8bfeaa350855f36b6120eb47861

SHA1
0e95c581987bfc65e4f2b0a896121f49bc5b8b2d

SHA256
0fbecb749911819cb011d3e84920eeb0a0b5ed15ecc55765a92dc1db47c74ea2

SHA512
8a1c134eef9962c035b1ed83d168c2c7aa496243ac8886a9ac50a8102a08db4a0c7ec7e000551518b9150617840805160992c323a2f2bf91f704430c890a9405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dbfe9ebcf4d36d43d183f75b80f00f38

SHA1
bff526b716eb7fa735347e34d33f5c258a71094d

SHA256
0bbe7e12533091755a2ba99f2fa7992f6e6cdcefa0674fb58967d58a6afe280b

SHA512
6c7b3105472dcf1c61fcefcd34eb270cc10006cbade0abf2a7affc24da94821f1d7b8c26c76e1ccf058a98d47a5791a3b96a8f13803d8fb898f051ed3b0c4689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6eef78f553be85ccb4b08fc46e3ea3ac

SHA1
87d45d845440a25af340f8455dcbfbf30f6fb8c9

SHA256
40e8695722f12c4258137dbc110ea44ee70f1f6754d58c7275e582134fe4b89f

SHA512
1a9d73ef702dbea62321025aa2247ec47e131c1d461a0f0ce2a872a92bfbcbdc5412edc437f5c058a7f25b2fd023dcff4a3fd3872f06ab4ad87e1335328ddfb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
84c467f6547e171aa70fd5c6e3fc77d9

SHA1
5a37a436fb238efdbfd2a88fbf8282a84e3b3ff7

SHA256
bd94c657224fb9cef85c3ac66ebae6c7d7c0c14dc6bc68709f8474ad8f230eae

SHA512
92031bd15eee5be00195dea02889ab28c84092aacd07a09bd377bf643656c460c9f725d0f1bfa9803540deac8f8f07da65abccaafc7c58d1ab3334b027e8bb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e0c4d4a647d417a0986b33331a93361

SHA1
49a858a5ca7a7ab4e9691b9d251581b1af66b64e

SHA256
26582a34e91f561d50b72ba9e37b552639a4f6e689f078f1f23a4cc0015d0ed9

SHA512
4f959c81203e2fc5c41f8aeeacfda5e18efc96dd3d3a8689f5040819dc197e8ee7830966588f0235fa2cd8e1a5f7be70784b1fff910752de1e962dd81b246e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bf4151f5c83444c142da5575a0ab3d86

SHA1
bba50ec733fc3b7037172ca23119edf8f9b031f9

SHA256
32e2479e7dad2d538d33326855695d9a731942e0a4e6a2d6d7611ea8284e885c

SHA512
064a0d21ed6eb0dc3ea67c636e7a83748aeaad841e793dcf7288688b398f50f81e2a97b7051e71da628295879c9621ef5381b9bfdd009b205231ce63c18c776e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8e51593bd76f4cee7dd62c96a71b85f

SHA1
dfd1734dfa3224f20ed952d889ff1f3d3728fd7c

SHA256
cdec7e8ee82af311d3f9ea3311e9258a8b371eaad2ae71e8094f8cc78d744c9e

SHA512
1f8506ee666c31d286ad9e41d0502ea1d80d488ab5c3e116df4ef49c7175b7d18275b8cce8e12b0bcf64f3aaf8f84170b69f1af67bce5bd85ea3323d674e3727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d0ca2fe734ebd6806acfd33138d2d0f

SHA1
4ef8c1fd4aa78218ff6d3f35a43a71aa0098579b

SHA256
391b2ba14d217f48b141c1f393a1e72cc3ab994f80f5ed509ccb6a9b1d8f3e7c

SHA512
011d3bd10b3c7d84883baa2dbe182b296d0b60f771537815b1d2bf2317b39be6852225094830388b865470c3135c23c42e1587fb92feed885369bb7254c7e330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cd360aacb0df05cfaad43c45fb1339ed

SHA1
38cfc68fafd79bd928e80ef3a120dc782f948591

SHA256
223146d5152c17106e6ce07eec298a1eb7bc14baea15f4694a6235217da0391d

SHA512
1237fda449b82025c1a9e0df29851cbb04ac8a57c575cd2982c6332a50e4811a7062b049fb433c2cd9cb6b703911146b28ab4bf260643bd249dc85b0a6447b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
debbe5b1ac7603719ce253ab9bcb7f2b

SHA1
9b65afd300804f03570837474e849f8678477f84

SHA256
ec892ea9c8f253ba93c16660b923f2941e08fd35b923653ad550f5ea39270001

SHA512
21939d2bdddaca709addf94f4dbb2ac6dad2a2fbb79d6215ae97a1ea3f804843aeca0d41b67d1e81df487deb37dd42cc045c2ffbbe29b7f2cad147334dbb7dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1364904569bb3bbaea2f410a6cdf61fa

SHA1
adeec7eb14af0881be3fc25abd2a674caf3ed0b0

SHA256
8f75e50e2045196670a02e5caf57bd7daa73af769a6fbcd919f99ecd4691a684

SHA512
128c194fe05950ca2f41e73e08b42207249f11d497c50dcec72e6b37c2179e3b402558bafd2676bd40bac157b5957a9dc3445d26561f1a26b5b0a5afe4554dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58751b.TMP

Filesize
2KB

MD5
b3a04f7d675622103303dc39190740d7

SHA1
c1d7a553fbad0ebc2a47cf1b586df062167809fc

SHA256
b53ab385b8444d221ab9afd3a9942538880e102e1a7d86bc4d4a56d7c67c0b88

SHA512
06d53b41a99d3d3bb83b057b69c46d19b1018c7d2432c5572ab13db4858d3359680fdcaff9a8816fee492748c38c6c9e5b509f89ff9b7e27ca7fee72b3402924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c36c508db3b36f1b2124a663c3d33fc

SHA1
89106c697d43725859ce922ab16b50061d169334

SHA256
02dc0c5a0959764a76156f68e3f66686db042a9886424883caced265233469cd

SHA512
c10325a445d82e65c9fd365436d897437d72b7e5cd9795064f3866d657beb5434f676c77a0d87dda176696c8fe0ac5dd4bd254eb20eb057dbbfdd40ad577190f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
352d0c5d75360bf327dd03d60722db21

SHA1
5fd9f16a09fd306c07e509bd6f9e5e58ad84c5f6

SHA256
e6449d72b80cd18ee31a38adaaee9b0f8e4ef5a331cb1c8e74de02a12aa31371

SHA512
1e9378a2c50aeeaaf4b10d4c255201f7b554c05ceee0d3c3946fd322571ea96572c682ccd82b40583711325e5aa7463dadff6cd16966754f9865466fea7661ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6261f695c397b2217284726ce4d780d6

SHA1
cf01081ee27226804b3937f96cc3090a5105ba01

SHA256
c4399c39b55ad48f0d5b67cc4f82bfd9cca3826547208ccf3983243c66e85d20

SHA512
17a2c1b086715e5f69bb2461883203be07084820430517ce4b20b964ba3d25c9f118b12b3d96b8c54c055f6326c7b697ab0b072a55edb52ac29d8168e2975ee8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18ebbe9c5b9d1f57828cb23f70ee4358

SHA1
3bffe5a39ea4b5dff89e2e051911dc366d6d517f

SHA256
32feacc1e37265de0ea41d7113a91ec4ea7a697d92941d747adf814039111df7

SHA512
99ea34ce3b016720a2c5d651e68eb4bca122f8cd05d9b18e4e0225b836a576517a691914c00472977570a24a9360a2049d7150d8392abbab76cd5a3d6e3fa01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4120_707162146\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4120_707162146\cbeafa20-a154-484f-990c-225504eab5e7.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 601305.crdownload

Filesize
10.5MB

MD5
b2ef653a8575cebf20a4aabe17b70b6b

SHA1
a686304500e45ebf945c85b9de9085e6b58604c0

SHA256
ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071

SHA512
dd293115d1f1b4474f5cdb03884529ea9e887f2420df8b4b050cb6f0e458cf8515c6dd33b977c20c680c088d6b4728f922df74f0f2475b2762f4f4377971f21b

Download Submit