njrat | 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

Analysis

max time kernel
91s
max time network
268s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pisun.exe
Size

54KB
MD5

45140e967970cd63521eaa76dc4db7d7
SHA1

aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256

3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512

d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP

768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg

Score

10^/10

njrat bootkit defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	67f704a732034a84961aff3c37da684a.exe

Disables Task Manager via registry modification
defense_evasion

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

Executes dropped EXE 3 IoCs

pid	Process
2168	607d50af925c4dc4b5423f530dd3c54f.exe
1504	67f704a732034a84961aff3c37da684a.exe
2444	e61431f0fb1e4d8eb359eb3b14941fab.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1444	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
8500	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	67f704a732034a84961aff3c37da684a.exe
File opened for modification	\??\PhysicalDrive0	e61431f0fb1e4d8eb359eb3b14941fab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1292	6028	WerFault.exe	168
3440	12064	WerFault.exe	476
4352	12072	WerFault.exe	477

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bthudtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67f704a732034a84961aff3c37da684a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e61431f0fb1e4d8eb359eb3b14941fab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auditpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BackgroundTransferHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertEnrollCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10668	PATHPING.EXE
11152	PING.EXE

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
8576	ipconfig.exe
9356	NETSTAT.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{5FADB249-CF02-4678-87C4-D44CEB212B52}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
11152	PING.EXE

Runs regedit.exe 2 IoCs

pid	Process
3508	regedit.exe
7400	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	67f704a732034a84961aff3c37da684a.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: 33	4728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4728	AUDIODG.EXE
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: 33	2740	pisun.exe
Token: SeIncBasePriorityPrivilege	2740	pisun.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: SeShutdownPrivilege	4612	svchost.exe
Token: SeShutdownPrivilege	4612	svchost.exe
Token: SeCreatePagefilePrivilege	4612	svchost.exe
Token: SeSecurityPrivilege	3016	auditpol.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe
Token: SeSystemtimePrivilege	1504	67f704a732034a84961aff3c37da684a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4228	certreq.exe
336	Calculator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2168	2740	pisun.exe	83
PID 2740 wrote to memory of 2168	2740	pisun.exe	83
PID 2740 wrote to memory of 1504	2740	pisun.exe	84
PID 2740 wrote to memory of 1504	2740	pisun.exe	84
PID 2740 wrote to memory of 1504	2740	pisun.exe	84
PID 2740 wrote to memory of 2444	2740	pisun.exe	87
PID 2740 wrote to memory of 2444	2740	pisun.exe	87
PID 2740 wrote to memory of 2444	2740	pisun.exe	87
PID 2444 wrote to memory of 3340	2444	e61431f0fb1e4d8eb359eb3b14941fab.exe	88
PID 2444 wrote to memory of 3340	2444	e61431f0fb1e4d8eb359eb3b14941fab.exe	88
PID 2444 wrote to memory of 3340	2444	e61431f0fb1e4d8eb359eb3b14941fab.exe	88
PID 1504 wrote to memory of 4956	1504	67f704a732034a84961aff3c37da684a.exe	90
PID 1504 wrote to memory of 4956	1504	67f704a732034a84961aff3c37da684a.exe	90
PID 1504 wrote to memory of 4956	1504	67f704a732034a84961aff3c37da684a.exe	90
PID 1504 wrote to memory of 3444	1504	67f704a732034a84961aff3c37da684a.exe	91
PID 1504 wrote to memory of 3444	1504	67f704a732034a84961aff3c37da684a.exe	91
PID 1504 wrote to memory of 3444	1504	67f704a732034a84961aff3c37da684a.exe	91
PID 1504 wrote to memory of 1432	1504	67f704a732034a84961aff3c37da684a.exe	94
PID 1504 wrote to memory of 1432	1504	67f704a732034a84961aff3c37da684a.exe	94
PID 1504 wrote to memory of 1432	1504	67f704a732034a84961aff3c37da684a.exe	94
PID 1504 wrote to memory of 3212	1504	67f704a732034a84961aff3c37da684a.exe	96
PID 1504 wrote to memory of 3212	1504	67f704a732034a84961aff3c37da684a.exe	96
PID 1504 wrote to memory of 3212	1504	67f704a732034a84961aff3c37da684a.exe	96
PID 1504 wrote to memory of 4144	1504	67f704a732034a84961aff3c37da684a.exe	98
PID 1504 wrote to memory of 4144	1504	67f704a732034a84961aff3c37da684a.exe	98
PID 1504 wrote to memory of 4144	1504	67f704a732034a84961aff3c37da684a.exe	98
PID 1504 wrote to memory of 3864	1504	67f704a732034a84961aff3c37da684a.exe	99
PID 1504 wrote to memory of 3864	1504	67f704a732034a84961aff3c37da684a.exe	99
PID 1504 wrote to memory of 3864	1504	67f704a732034a84961aff3c37da684a.exe	99
PID 1504 wrote to memory of 3016	1504	67f704a732034a84961aff3c37da684a.exe	101
PID 1504 wrote to memory of 3016	1504	67f704a732034a84961aff3c37da684a.exe	101
PID 1504 wrote to memory of 3016	1504	67f704a732034a84961aff3c37da684a.exe	101
PID 1504 wrote to memory of 2428	1504	67f704a732034a84961aff3c37da684a.exe	104
PID 1504 wrote to memory of 2428	1504	67f704a732034a84961aff3c37da684a.exe	104
PID 1504 wrote to memory of 2428	1504	67f704a732034a84961aff3c37da684a.exe	104
PID 1504 wrote to memory of 4224	1504	67f704a732034a84961aff3c37da684a.exe	105
PID 1504 wrote to memory of 4224	1504	67f704a732034a84961aff3c37da684a.exe	105
PID 1504 wrote to memory of 4224	1504	67f704a732034a84961aff3c37da684a.exe	105
PID 1504 wrote to memory of 988	1504	67f704a732034a84961aff3c37da684a.exe	106
PID 1504 wrote to memory of 988	1504	67f704a732034a84961aff3c37da684a.exe	106
PID 1504 wrote to memory of 988	1504	67f704a732034a84961aff3c37da684a.exe	106
PID 1504 wrote to memory of 1128	1504	67f704a732034a84961aff3c37da684a.exe	108
PID 1504 wrote to memory of 1128	1504	67f704a732034a84961aff3c37da684a.exe	108
PID 1504 wrote to memory of 1128	1504	67f704a732034a84961aff3c37da684a.exe	108
PID 1504 wrote to memory of 3352	1504	67f704a732034a84961aff3c37da684a.exe	110
PID 1504 wrote to memory of 3352	1504	67f704a732034a84961aff3c37da684a.exe	110
PID 1504 wrote to memory of 3352	1504	67f704a732034a84961aff3c37da684a.exe	110
PID 1504 wrote to memory of 1992	1504	67f704a732034a84961aff3c37da684a.exe	112
PID 1504 wrote to memory of 1992	1504	67f704a732034a84961aff3c37da684a.exe	112
PID 1504 wrote to memory of 1992	1504	67f704a732034a84961aff3c37da684a.exe	112
PID 1504 wrote to memory of 348	1504	67f704a732034a84961aff3c37da684a.exe	114
PID 1504 wrote to memory of 348	1504	67f704a732034a84961aff3c37da684a.exe	114
PID 1504 wrote to memory of 348	1504	67f704a732034a84961aff3c37da684a.exe	114
PID 1504 wrote to memory of 2384	1504	67f704a732034a84961aff3c37da684a.exe	117
PID 1504 wrote to memory of 2384	1504	67f704a732034a84961aff3c37da684a.exe	117
PID 1504 wrote to memory of 2384	1504	67f704a732034a84961aff3c37da684a.exe	117
PID 1504 wrote to memory of 3824	1504	67f704a732034a84961aff3c37da684a.exe	119
PID 1504 wrote to memory of 3824	1504	67f704a732034a84961aff3c37da684a.exe	119
PID 1504 wrote to memory of 3824	1504	67f704a732034a84961aff3c37da684a.exe	119
PID 1504 wrote to memory of 4228	1504	67f704a732034a84961aff3c37da684a.exe	120
PID 1504 wrote to memory of 4228	1504	67f704a732034a84961aff3c37da684a.exe	120
PID 1504 wrote to memory of 4228	1504	67f704a732034a84961aff3c37da684a.exe	120
PID 1504 wrote to memory of 2852	1504	67f704a732034a84961aff3c37da684a.exe	125
PID 1504 wrote to memory of 2852	1504	67f704a732034a84961aff3c37da684a.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3864	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pisun.exe
"C:\Users\Admin\AppData\Local\Temp\pisun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\607d50af925c4dc4b5423f530dd3c54f.exe
  "C:\Users\Admin\AppData\Local\Temp\607d50af925c4dc4b5423f530dd3c54f.exe"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\67f704a732034a84961aff3c37da684a.exe
  "C:\Users\Admin\AppData\Local\Temp\67f704a732034a84961aff3c37da684a.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\agentactivationruntimestarter.exe
    "C:\Windows\System32\agentactivationruntimestarter.exe"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\appidtel.exe
    "C:\Windows\System32\appidtel.exe"
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\ARP.EXE
    "C:\Windows\System32\ARP.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3212
- - C:\Windows\SysWOW64\AtBroker.exe
    "C:\Windows\System32\AtBroker.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4144
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3864
- - C:\Windows\SysWOW64\auditpol.exe
    "C:\Windows\System32\auditpol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\autochk.exe
    "C:\Windows\System32\autochk.exe"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\backgroundTaskHost.exe
    "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\BackgroundTransferHost.exe
    "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\bthudtask.exe
    "C:\Windows\System32\bthudtask.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
- - C:\Windows\SysWOW64\ByteCodeGenerator.exe
    "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
- - C:\Windows\SysWOW64\CameraSettingsUIHost.exe
    "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Windows\SysWOW64\CertEnrollCtrl.exe
    "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\certreq.exe
    "C:\Windows\System32\certreq.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4228
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe"
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\charmap.exe
    "C:\Windows\System32\charmap.exe"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\chkdsk.exe
    "C:\Windows\System32\chkdsk.exe"
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\chkntfs.exe
    "C:\Windows\System32\chkntfs.exe"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\choice.exe
    "C:\Windows\System32\choice.exe"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cipher.exe
    "C:\Windows\System32\cipher.exe"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\System32\cleanmgr.exe"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\cliconfg.exe
    "C:\Windows\System32\cliconfg.exe"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\System32\clip.exe"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\CloudNotifications.exe
    "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\cmdkey.exe
    "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\System32\cmdl32.exe"
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\System32\cmmon32.exe"
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\System32\cmstp.exe"
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\colorcpl.exe
    "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\comp.exe
    "C:\Windows\System32\comp.exe"
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\compact.exe
    "C:\Windows\System32\compact.exe"
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\convert.exe
    "C:\Windows\System32\convert.exe"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\CredentialUIBroker.exe
    "C:\Windows\System32\CredentialUIBroker.exe"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\credwiz.exe
    "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\System32\ctfmon.exe"
    3⤵
    PID:6028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 728
      4⤵
      Program crash
      PID:1292
- - C:\Windows\SysWOW64\cttune.exe
    "C:\Windows\System32\cttune.exe"
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\cttunesvr.exe
    "C:\Windows\System32\cttunesvr.exe"
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\curl.exe
    "C:\Windows\System32\curl.exe"
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\dccw.exe
    "C:\Windows\System32\dccw.exe"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\dcomcnfg.exe
    "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    PID:5224
  - - C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
      4⤵
      PID:5392
- - C:\Windows\SysWOW64\ddodiag.exe
    "C:\Windows\System32\ddodiag.exe"
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\DevicePairingWizard.exe
    "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\dfrgui.exe
    "C:\Windows\System32\dfrgui.exe"
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\System32\dialer.exe"
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\diskpart.exe
    "C:\Windows\System32\diskpart.exe"
    3⤵
    PID:6672
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\System32\diskperf.exe"
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\diskusage.exe
    "C:\Windows\System32\diskusage.exe"
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\Dism.exe
    "C:\Windows\System32\Dism.exe"
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\dllhost.exe
    "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\dllhst3g.exe
    "C:\Windows\System32\dllhst3g.exe"
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\doskey.exe
    "C:\Windows\System32\doskey.exe"
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\dpapimig.exe
    "C:\Windows\System32\dpapimig.exe"
    3⤵
    PID:6612
- - C:\Windows\SysWOW64\DpiScaling.exe
    "C:\Windows\System32\DpiScaling.exe"
    3⤵
    PID:5692
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" ms-settings:display
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\driverquery.exe
    "C:\Windows\System32\driverquery.exe"
    3⤵
    PID:7228
- - C:\Windows\SysWOW64\dtdump.exe
    "C:\Windows\System32\dtdump.exe"
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\dvdplay.exe
    "C:\Windows\System32\dvdplay.exe"
    3⤵
    PID:7424
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      /device:dvd
      4⤵
      PID:7440
    - - C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        5⤵
        
        PID:7472
      - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        6⤵
        
        PID:7524
- - C:\Windows\SysWOW64\DWWIN.EXE
    "C:\Windows\System32\DWWIN.EXE"
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\System32\dxdiag.exe"
    3⤵
    PID:7772
- - C:\Windows\SysWOW64\EaseOfAccessDialog.exe
    "C:\Windows\System32\EaseOfAccessDialog.exe"
    3⤵
    PID:7840
- - C:\Windows\SysWOW64\edpnotify.exe
    "C:\Windows\System32\edpnotify.exe"
    3⤵
    PID:7852
- - C:\Windows\SysWOW64\efsui.exe
    "C:\Windows\System32\efsui.exe"
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    PID:7896
- - C:\Windows\SysWOW64\esentutl.exe
    "C:\Windows\System32\esentutl.exe"
    3⤵
    PID:7912
- - C:\Windows\SysWOW64\eudcedit.exe
    "C:\Windows\System32\eudcedit.exe"
    3⤵
    PID:8028
- - C:\Windows\SysWOW64\eventcreate.exe
    "C:\Windows\System32\eventcreate.exe"
    3⤵
    PID:8056
- - C:\Windows\SysWOW64\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    PID:8096
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:8112
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
        5⤵
        
        PID:8144
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe"
    3⤵
    PID:8136
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:7400
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\System32\extrac32.exe"
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\fc.exe
    "C:\Windows\System32\fc.exe"
    3⤵
    PID:7472
- - C:\Windows\SysWOW64\find.exe
    "C:\Windows\System32\find.exe"
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\findstr.exe
    "C:\Windows\System32\findstr.exe"
    3⤵
    PID:7568
- - C:\Windows\SysWOW64\finger.exe
    "C:\Windows\System32\finger.exe"
    3⤵
    PID:7596
- - C:\Windows\SysWOW64\fixmapi.exe
    "C:\Windows\System32\fixmapi.exe"
    3⤵
    PID:7844
- - C:\Windows\SysWOW64\fltMC.exe
    "C:\Windows\System32\fltMC.exe"
    3⤵
    PID:7896
- - C:\Windows\SysWOW64\Fondue.exe
    "C:\Windows\System32\Fondue.exe"
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe"
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe"
    3⤵
    PID:7984
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "13630d1a-c150-482b-8d72-b1a5e267b916.tmp"
      4⤵
      PID:5272
- - C:\Windows\SysWOW64\fsquirt.exe
    "C:\Windows\System32\fsquirt.exe"
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\fsutil.exe
    "C:\Windows\System32\fsutil.exe"
    3⤵
    PID:8088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
    3⤵
    PID:8140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffd7b19f208,0x7ffd7b19f214,0x7ffd7b19f220
      4⤵
      PID:8152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:11
      4⤵
      PID:7880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2192,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:13
      4⤵
      PID:7280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2772,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=2768 /prefetch:2
      4⤵
      PID:7252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1
      4⤵
      PID:8096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:8064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2228,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:1
      4⤵
      PID:8284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4068,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:9
      4⤵
      PID:8292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4104,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:1
      4⤵
      PID:8300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4120,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:9
      4⤵
      PID:8308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4904,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:14
      4⤵
      PID:9016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3412,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:14
      4⤵
      PID:9076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4884,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:14
      4⤵
      PID:3820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3392,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:14
      4⤵
      PID:9056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:14
      4⤵
      PID:9480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1144
        5⤵
        
        PID:9664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14
      4⤵
      PID:9488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14
      4⤵
      PID:9548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5732,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=2880 /prefetch:14
      4⤵
      PID:10916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4784,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:14
      4⤵
      PID:10924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4116,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:14
      4⤵
      PID:10932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:14
      4⤵
      PID:6320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5892,i,13214896544874215291,6516902434744922590,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:10
      4⤵
      PID:840
- - C:\Windows\SysWOW64\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe"
    3⤵
    PID:7672
- - C:\Windows\SysWOW64\GamePanel.exe
    "C:\Windows\System32\GamePanel.exe"
    3⤵
    PID:8240
- - C:\Windows\SysWOW64\getmac.exe
    "C:\Windows\System32\getmac.exe"
    3⤵
    PID:8408
- - C:\Windows\SysWOW64\gpresult.exe
    "C:\Windows\System32\gpresult.exe"
    3⤵
    PID:8552
- - C:\Windows\SysWOW64\gpscript.exe
    "C:\Windows\System32\gpscript.exe"
    3⤵
    PID:8624
- - C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\System32\gpupdate.exe"
    3⤵
    PID:8840
- - C:\Windows\SysWOW64\grpconv.exe
    "C:\Windows\System32\grpconv.exe"
    3⤵
    PID:9004
- - C:\Windows\SysWOW64\hdwwiz.exe
    "C:\Windows\System32\hdwwiz.exe"
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\help.exe
    "C:\Windows\System32\help.exe"
    3⤵
    PID:8380
- - C:\Windows\SysWOW64\hh.exe
    "C:\Windows\System32\hh.exe"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    "C:\Windows\System32\HOSTNAME.EXE"
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe"
    3⤵
    - Modifies file permissions
    PID:1444
- - C:\Windows\SysWOW64\icsunattend.exe
    "C:\Windows\System32\icsunattend.exe"
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\ieUnatt.exe
    "C:\Windows\System32\ieUnatt.exe"
    3⤵
    PID:8580
- - C:\Windows\SysWOW64\iexpress.exe
    "C:\Windows\System32\iexpress.exe"
    3⤵
    PID:8748
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    "C:\Windows\System32\InfDefaultInstall.exe"
    3⤵
    PID:9004
- - C:\Windows\SysWOW64\InputSwitchToastHandler.exe
    "C:\Windows\System32\InputSwitchToastHandler.exe"
    3⤵
    PID:8428
- - C:\Windows\SysWOW64\instnm.exe
    "C:\Windows\System32\instnm.exe"
    3⤵
    PID:8368
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe"
    3⤵
    - Gathers network information
    PID:8576
- - C:\Windows\SysWOW64\iscsicli.exe
    "C:\Windows\System32\iscsicli.exe"
    3⤵
    PID:8816
- - C:\Windows\SysWOW64\iscsicpl.exe
    "C:\Windows\System32\iscsicpl.exe"
    3⤵
    PID:7648
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
      4⤵
      PID:7764
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\System32\isoburn.exe"
    3⤵
    PID:9204
- - C:\Windows\SysWOW64\ktmutil.exe
    "C:\Windows\System32\ktmutil.exe"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\label.exe
    "C:\Windows\System32\label.exe"
    3⤵
    PID:8536
- - C:\Windows\SysWOW64\LaunchTM.exe
    "C:\Windows\System32\LaunchTM.exe"
    3⤵
    PID:8864
  - - C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      4⤵
      PID:8616
- - C:\Windows\SysWOW64\LaunchWinApp.exe
    "C:\Windows\System32\LaunchWinApp.exe"
    3⤵
    PID:8576
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\System32\lodctr.exe"
    3⤵
    PID:8700
- - C:\Windows\SysWOW64\logagent.exe
    "C:\Windows\System32\logagent.exe"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\logman.exe
    "C:\Windows\System32\logman.exe"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\makecab.exe
    "C:\Windows\System32\makecab.exe"
    3⤵
    PID:9048
- - C:\Windows\SysWOW64\mavinject.exe
    "C:\Windows\System32\mavinject.exe"
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\mcbuilder.exe
    "C:\Windows\System32\mcbuilder.exe"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\mfpmp.exe
    "C:\Windows\System32\mfpmp.exe"
    3⤵
    PID:8724
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:8900
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:6780
- - C:\Windows\SysWOW64\mmgaserver.exe
    "C:\Windows\System32\mmgaserver.exe"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\mobsync.exe
    "C:\Windows\System32\mobsync.exe"
    3⤵
    PID:8828
- - C:\Windows\SysWOW64\mountvol.exe
    "C:\Windows\System32\mountvol.exe"
    3⤵
    PID:8768
- - C:\Windows\SysWOW64\MRINFO.EXE
    "C:\Windows\System32\MRINFO.EXE"
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\msdt.exe
    "C:\Windows\System32\msdt.exe"
    3⤵
    PID:9020
- - C:\Windows\SysWOW64\msfeedssync.exe
    "C:\Windows\System32\msfeedssync.exe"
    3⤵
    PID:9372
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe"
    3⤵
    PID:9556
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe"
    3⤵
    PID:9696
- - C:\Windows\SysWOW64\msinfo32.exe
    "C:\Windows\System32\msinfo32.exe"
    3⤵
    PID:9784
- - C:\Windows\SysWOW64\msra.exe
    "C:\Windows\System32\msra.exe"
    3⤵
    PID:9896
  - - C:\Windows\system32\msra.exe
      "C:\Windows\system32\msra.exe"
      4⤵
      PID:10008
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:9972
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\System32\mstsc.exe"
      4⤵
      PID:9992
- - C:\Windows\SysWOW64\mtstocom.exe
    "C:\Windows\System32\mtstocom.exe"
    3⤵
    PID:10080
- - C:\Windows\SysWOW64\MuiUnattend.exe
    "C:\Windows\System32\MuiUnattend.exe"
    3⤵
    PID:9236
- - C:\Windows\SysWOW64\ndadmin.exe
    "C:\Windows\System32\ndadmin.exe"
    3⤵
    PID:9372
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe"
    3⤵
    PID:9468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1
      4⤵
      PID:8036
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe"
    3⤵
    PID:8868
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\System32\netbtugc.exe"
    3⤵
    PID:10064
- - C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
    "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:9352
- - C:\Windows\SysWOW64\netiougc.exe
    "C:\Windows\System32\netiougc.exe"
    3⤵
    PID:9364
- - C:\Windows\SysWOW64\Netplwiz.exe
    "C:\Windows\System32\Netplwiz.exe"
    3⤵
    PID:9484
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe"
    3⤵
    PID:7952
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\System32\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:9356
- - C:\Windows\SysWOW64\newdev.exe
    "C:\Windows\System32\newdev.exe"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:9988
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\System32\nslookup.exe"
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\ntprint.exe
    "C:\Windows\System32\ntprint.exe"
    3⤵
    PID:10268
- - C:\Windows\SysWOW64\odbcad32.exe
    "C:\Windows\System32\odbcad32.exe"
    3⤵
    PID:10288
- - C:\Windows\SysWOW64\odbcconf.exe
    "C:\Windows\System32\odbcconf.exe"
    3⤵
    PID:10340
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\System32\OneDriveSetup.exe"
    3⤵
    PID:10404
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-1136229799-3442283115-138161576-1000
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
      4⤵
      PID:11056
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe"
        5⤵
        
        PID:11684
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        
        /updateInstalled /background
        5⤵
        
        PID:12064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12064 -s 736
        6⤵
        Program crash
        
        PID:3440
- - C:\Windows\SysWOW64\openfiles.exe
    "C:\Windows\System32\openfiles.exe"
    3⤵
    PID:10540
- - C:\Windows\SysWOW64\OpenWith.exe
    "C:\Windows\System32\OpenWith.exe"
    3⤵
    PID:10604
- - C:\Windows\SysWOW64\OposHost.exe
    "C:\Windows\System32\OposHost.exe"
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\PackagedCWALauncher.exe
    "C:\Windows\System32\PackagedCWALauncher.exe"
    3⤵
    PID:10632
- - C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
    "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
    3⤵
    PID:10652
- - C:\Windows\SysWOW64\PATHPING.EXE
    "C:\Windows\System32\PATHPING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:10668
- - C:\Windows\SysWOW64\pcaui.exe
    "C:\Windows\System32\pcaui.exe"
    3⤵
    PID:10728
- - C:\Windows\SysWOW64\perfhost.exe
    "C:\Windows\System32\perfhost.exe"
    3⤵
    PID:10844
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe"
    3⤵
    PID:10940
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
      4⤵
      PID:10988
- - C:\Windows\SysWOW64\PickerHost.exe
    "C:\Windows\System32\PickerHost.exe"
    3⤵
    PID:11096
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:11152
- - C:\Windows\SysWOW64\PkgMgr.exe
    "C:\Windows\System32\PkgMgr.exe"
    3⤵
    PID:11244
- - C:\Windows\SysWOW64\poqexec.exe
    "C:\Windows\System32\poqexec.exe"
    3⤵
    PID:10300
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\System32\powercfg.exe"
    3⤵
    - Power Settings
    PID:8500
- - C:\Windows\SysWOW64\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\prevhost.exe
    "C:\Windows\System32\prevhost.exe"
    3⤵
    PID:10436
- - C:\Windows\SysWOW64\print.exe
    "C:\Windows\System32\print.exe"
    3⤵
    PID:10564
- - C:\Windows\SysWOW64\printui.exe
    "C:\Windows\System32\printui.exe"
    3⤵
    PID:8700
- - C:\Windows\SysWOW64\proquota.exe
    "C:\Windows\System32\proquota.exe"
    3⤵
    PID:9208
- - C:\Windows\SysWOW64\provlaunch.exe
    "C:\Windows\System32\provlaunch.exe"
    3⤵
    PID:10828
- - C:\Windows\SysWOW64\psr.exe
    "C:\Windows\System32\psr.exe"
    3⤵
    PID:10876
  - - C:\Windows\system32\psr.exe
      "C:\Windows\system32\psr.exe"
      4⤵
      PID:10720
- - C:\Windows\SysWOW64\quickassist.exe
    "C:\Windows\System32\quickassist.exe"
    3⤵
    PID:10984
- - C:\Windows\SysWOW64\rasautou.exe
    "C:\Windows\System32\rasautou.exe"
    3⤵
    PID:10688
- - C:\Windows\SysWOW64\rasdial.exe
    "C:\Windows\System32\rasdial.exe"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\raserver.exe
    "C:\Windows\System32\raserver.exe"
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\rasphone.exe
    "C:\Windows\System32\rasphone.exe"
    3⤵
    PID:10664
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\System32\RdpSa.exe"
    3⤵
    PID:8552
- - C:\Windows\SysWOW64\RdpSaProxy.exe
    "C:\Windows\System32\RdpSaProxy.exe"
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\RdpSa.exe
      "C:\Windows\system32\RdpSa.exe"
      4⤵
      PID:6580
- - C:\Windows\SysWOW64\RdpSaUacHelper.exe
    "C:\Windows\System32\RdpSaUacHelper.exe"
    3⤵
    PID:10300
- - C:\Windows\SysWOW64\rdrleakdiag.exe
    "C:\Windows\System32\rdrleakdiag.exe"
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\ReAgentc.exe
    "C:\Windows\System32\ReAgentc.exe"
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\recover.exe
    "C:\Windows\System32\recover.exe"
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe"
    3⤵
    PID:9960
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:3508
- - C:\Windows\SysWOW64\regedt32.exe
    "C:\Windows\System32\regedt32.exe"
    3⤵
    PID:10564
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:7400
- - C:\Windows\SysWOW64\regini.exe
    "C:\Windows\System32\regini.exe"
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\Register-CimProvider.exe
    "C:\Windows\System32\Register-CimProvider.exe"
    3⤵
    PID:12232
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe"
    3⤵
    PID:11512
- - C:\Windows\SysWOW64\rekeywiz.exe
    "C:\Windows\System32\rekeywiz.exe"
    3⤵
    PID:11624
- - C:\Windows\SysWOW64\relog.exe
    "C:\Windows\System32\relog.exe"
    3⤵
    PID:11696
- - C:\Windows\SysWOW64\replace.exe
    "C:\Windows\System32\replace.exe"
    3⤵
    PID:11788
- - C:\Windows\SysWOW64\resmon.exe
    "C:\Windows\System32\resmon.exe"
    3⤵
    PID:12024
  - - C:\Windows\SysWOW64\perfmon.exe
      "C:\Windows\System32\perfmon.exe" /res
      4⤵
      PID:4644
    - - C:\Windows\system32\perfmon.exe
        
        "C:\Windows\Sysnative\perfmon.exe" /res
        5⤵
        
        PID:11776
- - C:\Windows\SysWOW64\RMActivate.exe
    "C:\Windows\System32\RMActivate.exe"
    3⤵
    PID:12176
- - C:\Windows\SysWOW64\RMActivate_isv.exe
    "C:\Windows\System32\RMActivate_isv.exe"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\RMActivate_ssp.exe
    "C:\Windows\System32\RMActivate_ssp.exe"
    3⤵
    PID:10000
- - C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
    "C:\Windows\System32\RMActivate_ssp_isv.exe"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\RmClient.exe
    "C:\Windows\System32\RmClient.exe"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\Robocopy.exe
    "C:\Windows\System32\Robocopy.exe"
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\ROUTE.EXE
    "C:\Windows\System32\ROUTE.EXE"
    3⤵
    PID:11752
- C:\Users\Admin\AppData\Local\Temp\e61431f0fb1e4d8eb359eb3b14941fab.exe
  "C:\Users\Admin\AppData\Local\Temp\e61431f0fb1e4d8eb359eb3b14941fab.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340
- C:\Users\Admin\AppData\Local\Temp\9b26b5617fdc47ffb97b791f2b7eca13.exe
  "C:\Users\Admin\AppData\Local\Temp\9b26b5617fdc47ffb97b791f2b7eca13.exe"
  2⤵
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\bd25332a0a4d4ce08cd88f92db082c23.exe
  "C:\Users\Admin\AppData\Local\Temp\bd25332a0a4d4ce08cd88f92db082c23.exe"
  2⤵
  PID:10812
- C:\Users\Admin\AppData\Local\Temp\2b1db6b769b4453abfda514d01f89664.exe
  "C:\Users\Admin\AppData\Local\Temp\2b1db6b769b4453abfda514d01f89664.exe"
  2⤵
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\2d0afb9f1ba44ca8be06889a4d3ea172.exe
  "C:\Users\Admin\AppData\Local\Temp\2d0afb9f1ba44ca8be06889a4d3ea172.exe"
  2⤵
  PID:10312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9DF7.tmp\9DF8.bat C:\Users\Admin\AppData\Local\Temp\2d0afb9f1ba44ca8be06889a4d3ea172.exe"
    3⤵
    PID:8964
- C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
  "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
  2⤵
  PID:11840
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:12116
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        6⤵
        
        PID:11872
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:10148
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:6604
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:196
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:11824
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:8948
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:7312
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:11568
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:6368
    - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
        5⤵
        
        PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:7300
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:7596
  - - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
      "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
      4⤵
      PID:11948
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe
    "C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe"
    3⤵
    PID:7304
- C:\Users\Admin\AppData\Local\Temp\f08682deadb14e7c8598d0162cc62261.exe
  "C:\Users\Admin\AppData\Local\Temp\f08682deadb14e7c8598d0162cc62261.exe"
  2⤵
  PID:12072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 12072 -s 516
    3⤵
    - Program crash
    PID:4352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:5664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6028 -ip 6028
1⤵
PID:5196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6352
- C:\Windows\system32\dashost.exe
  dashost.exe {bc5deaed-f29f-4514-bdf38622f5b693a8}
  2⤵
  PID:6428
- C:\Windows\system32\dashost.exe
  dashost.exe {0b9f7bd9-8ffc-47ef-89e6cc5582b77299}
  2⤵
  PID:6588
- C:\Windows\system32\dashost.exe
  dashost.exe {0d37fe9d-ee70-4df0-92cd76cf06a670dc}
  2⤵
  PID:7148

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:6536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6568

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:7040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7256

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 12064 -ip 12064
1⤵
PID:12128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 12072 -ip 12072
1⤵
PID:12148

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A7891822FCFF127E4EADADE9757112B

Filesize
1KB

MD5
7bf36e11c3ec7e89e5a4e661569dcbc4

SHA1
d976935bef7de93954eb0514693b76acf9334571

SHA256
a9f611535840197a4bc874ef45cba73fe9e45843559959cfc82d775c07f07666

SHA512
f9c29a4e8065d4d86cfc43b00a1057ffe526a88241cecc7e04f56d64acdb488d6b2b17a3e52ec4170564bf430c8eda3b1861ce237676daf9bc61d82a62ba8c07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
d50237ea4e39f2a378261390cdb37a49

SHA1
dbef59c875396261dbb21a52db70de233a7bd12d

SHA256
77a10e827a44c0ed0454ef098294d73fb2656fd3b139a0e3a85eb28952f8e408

SHA512
63a157478c1ab50f3aae00d0025b213f083efa447a6f5e51a8042acd3eebbd3d1d4e77a06fa343dd9d5a4ab0fe43dccb71174cf550147dfa59ddff370abc4a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B

Filesize
246B

MD5
cc0caff2ff4ce15ad513b28f2062d1fd

SHA1
7fdc8881e253d7965e93ba1d8fecd6924efec948

SHA256
22d3c6d9b472c7c7c008accfcf2b290d541a50641efd08fd4371019615304585

SHA512
c482276bdd07057a8f6c384224be5c80ed5d27002e11908d658127477a92e03eb33d283e2f7409267f17e6ec7d2c6b5676552d455578df252abd25451d5ef2a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
7188a96eab3c4efe2525f39b5bdb376f

SHA1
5f795c0aeffb13e7bedcb38511c9d4b7d54b9f73

SHA256
1ad15a1c2d95b2e4e9e6141b46b0892585c106ac2ae05b14cb51047f7c917a92

SHA512
38f4fdaa504e6643d291c3e32ec0eccfa0ddee43e774b990809f11d231dd756f4d148658361d263e3cc113ed476e742b7b7f4ecf44626eb67b9aca0c8405e40a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
01de0a41be3cdf722c88dd38a6472000

SHA1
0a7da6d11056a2a2434156a425188eb87e3c4021

SHA256
9db7c16ff945e60028098ad29c76640a2609f61401188e4a7c87a340b73d58f5

SHA512
49c388ddaec69c42efcb38c0a37adc12707b1e4f991ef6d61f5aa7385eb46e318b7c653c6ad58629b5a63921fb7e12862d7f66423653dd872d0526296470c7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a14e1.TMP

Filesize
4KB

MD5
6af9fbd51144d27a89f143924e455780

SHA1
a371bdc12c7eea53760feabd0bd35df987ac7b4f

SHA256
9fb19b8f4a6dfcd07e8700409563f22cc360a18f7e0f173a8f6bc7db40af22a7

SHA512
44befdc8752776804b93b36a7d8bd7b84e78a444b3284d5c86b23e0c2847d9824dbcbb96f57944625c761179c742c84cc045d7edd3e63c00bc79361af23226da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
525a7a4929dec50af49c6a0103dc7ff1

SHA1
188318aa830097ab1372b76f08b58919be0b245e

SHA256
fd2cd7f9a1345e277bfce3f69faa471d7e5d9a9139797bafe8fe07a1ee518054

SHA512
02e407f7e9ba0b2081a4fe8847c1a7a34d3fa58e7005dd52c4e121287841efda6fc20f7985be06a59bf425587131141660333c5f2d4c3fc5c0ed2abe242e6159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
3d62261aba8eecf94f6219b623b04be8

SHA1
9dc0588f02c47d4fd961f7009b53cbf512dacc61

SHA256
8306298a55c934e2a936b939cc37d451965ea421f81f2db7f2feeef2e80ae2fe

SHA512
7cbd98b8b9e0910ba91489b74908d54481e1986b0b063c85ecbdff8e6c1129379aaed631c1088a1ea292fff7fe653650cf829a9f5539a8d2c3085726afd97953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
bba2a89ba3a851aaf2e935857136843b

SHA1
0f8a7ef0107d8f853741efd5ccc1c9808a7ec858

SHA256
085f84808fc19ed55487da5f1bfdb0457e2c6746c8ce1eb5c6a767a42d4e2b4f

SHA512
63d1b2180f5354dacc31e7cd75d0c98f4c38edbb7cf20747795b0d3b5ec11da63003dcf7c8f276ff9fa1e2ee3d5f101891528b0135b497c3780a8af851505a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
0ffa41017cf08b0c8357b24c15c3ff66

SHA1
c97e80bf262f5b1feaa8786f684c527ab5ee99fb

SHA256
c3fec891a4c1d9b1f1919c288b01b7d7b893fccd766c248c842b0be479000415

SHA512
faa3a8a9fcc2e3d6214b211398743137457fdb2d66e94088d3d867819ac3aa2cbc0ef93cd135453df04674b8cfe2de2fb848dd51154bd0ad40f4595f916b3664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
6a0a7191586885a901d61c87b7e800ed

SHA1
adf6fa2e80159d5d73feaf86090852e56f113cb4

SHA256
59ceadac38ab975ffce36ddca62b822ebcc7803a10cd022a54c6d37993d9c781

SHA512
a2202ebe8b2feaf67714bec7c09ff4e0f406d1d9aaa7ca7011091d69533e3464b6d9afb5c4733682894068bd8632a997edb47a822d19f57db463fdd3f408b610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
456B

MD5
ce3a2c55a2751cee33b4c740c495ee23

SHA1
2614316ca11eb6d6131d9a565696188c846a5458

SHA256
ce38006246adf34204e20a3e2ae22561e4e6cd5e3334d41601fa4dc973526e8e

SHA512
ec0b7ea5aadc450cb21b69f714307c1a03cfcae8fddcbbccb0964470ae7a4b14b3a5b926d93b21469659f64c1c0efb1bb7a0905db8e877a86c02e4474c959b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe59937c.TMP

Filesize
456B

MD5
451ab0772ed3a366d13227b79b939a62

SHA1
9949daa4e96df830d05800907515d1139f8f9558

SHA256
8bab8842730981ae2fee309247ad50e81de8ec0f37528e2a516c3260474f02c6

SHA512
4a491294b029c0f11d8f0ce56eb502a92364ab1478f0b0cf46976d807128ff31acb432ec41c6ca51c19b68b02245b880356ab20c06d1d47a17ee99ec2eef26c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9dfd6465-7c0f-4139-9ac0-1c7dcd3710fc\index-dir\the-real-index

Filesize
72B

MD5
b9cd09d8362ccaf9bc854dc61d1c5054

SHA1
e38581a70998ff8daf4af0d8aefd5366f0cee525

SHA256
a3b3bb1b1ec7135b1db81cb25bd2f421b7a2e3a7d93dadaee996fa53575df3db

SHA512
83cfc08eb1ea93440602b3f8989a3773326dd3450ec343a439f8760683fbc1c50d8b9798a2c08695c30bc5064adc448f9589d2629de9a45000d2f0e34fcfeadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9dfd6465-7c0f-4139-9ac0-1c7dcd3710fc\index-dir\the-real-index

Filesize
72B

MD5
008c2f3ccb40cc1488afad98a78e1607

SHA1
7be1531783e270b6a9cb3275f4da7421f09a4625

SHA256
e37d2d70e6460faee98205649a8bc7c18f682cba142a82ff1c7e3b66b610d059

SHA512
d4188ff75917b1c727fdb023678820f170e05440346bb9a9d10421135e3e1dbe92845fb11f0254965ac9af68bedc89fbb689d8fee6460685ab7b42c28b72082c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
f4f20e897476d6ea52db09a53b67202d

SHA1
3ce60767447b10702ca0b966dd0c7b39a5e93f5e

SHA256
70db3c33442935931d1526b1147976da2d7a5abc9785dbfc4fa2f9c199f820fb

SHA512
3bb188a6e98986cf0e821828f9ea0d1df93b6fced82ec10f8e9358f68a08bfc449a1088d53d346dd7f5c3a296f435b444487bed50387245ddaa3423d8fef5a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
3KB

MD5
bbf4d7a75b3672fb7a3b9491b6e073f3

SHA1
9c54d1c47ffb45971e40dd500bd1364a1ff050e5

SHA256
1e9848be76eb75236261234cef5f94a5cc5e791943d1ef9a8a9f10b4216c309a

SHA512
943293fcbe7683924d77a6f4b62559309ffdac70404bb4aed99be38c1658bfb2f2c52133d16e8e5b178b0ce5ccad708b30a2a18d886f60dd72e368118ad68e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
0fe322796257ba8a77d3c4979dfd7163

SHA1
19b4ac55f43391f8afa884500ab194c73590ccb3

SHA256
dc547eecb5948d6f2aa3875812a338acc875e9a323e79a83802824624a398a41

SHA512
b33fdfc91a3b46d52c8a9f108d262ef4e95aa32030d0336230abc62524ec3e9567de2501ade91fbadb669f771c972fa8b40e084656da9140ca3e626757948403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f939530ca70ba4d2105942ab64449eba

SHA1
b81138953db16c14252cb83c1754f478e835082f

SHA256
44b5df4f4944508fc735b2f414e87eeaa745d0c7576fa9efcd3a33a2f7b12df0

SHA512
1a370fd899b777f3de1c62b4774c25527849cca2d2391086e45f7d542e3a114ce446656d9773c9cddec1ab7f0952bbddee6c273d9393d6620eaf513dae2ef199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
22KB

MD5
bb4cb5ed5a0e0a7761795baee3ce08ee

SHA1
1ceabefec3f61f64087cffa893de79b42af8e981

SHA256
7392b4a553171497591e408191f9fa91a16bd5a13ea8496c264f91005af35a1c

SHA512
4e7190fbca23096ba234826840772f0d5aee604dda4231fcfbea580684d0c3567a72d719d2c35a80c8b82090ab624a47c3f46a6c55acdea55f1944565308ba78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
22KB

MD5
e4e4ef7422335c669ce7c8aaa7efdd7f

SHA1
6edef70c56fbe80f9228067ff43fc6f88f22ff55

SHA256
e04846fd304cca32313ae6104b1bc635382a740071815a140ff1e3f08d823eff

SHA512
77f84890150bd8fd24ee4fa2de073d2a398192f8ea49cbd9b278019dc0792cedf1c0a87692fd4bcd94d9b918269e506fc2a0df2b41f419418daa367b81cc04c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
1e787fdbc52178a680295c5fd8445831

SHA1
dcfbe97a014d362872ddf821c2b80336d51a1aa5

SHA256
ec0e09ca1bd8e9922c5f9f57b403dead34a855236ade8933d31e2670c63c3bfb

SHA512
37d8cd1a2dacd1f8cba9386ba8447c92173ca87662c41e3a84cebefd8ec472f4364baafda5a57fde65c447e25d7ed2b8d34b3de909552f2750050e6ce4eb510f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
647e92514524fd413be343081bd0f76b

SHA1
ea41641e361309163d59aaa94b142610b4e71c19

SHA256
4bbaa6deb2552b997fbebf9b97171b3409f22c2132b0eca09acad36f1389c5d2

SHA512
070e84def3b17c6d7f857fa48333ff6190995576e319063537429bda5a41c8b17f27ad84ecefc00e4c8789f9d023c47820959fb87057d78cbed95105a11ce003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
22KB

MD5
0d8e63b62cd8828b44d51efb618b04c7

SHA1
1fd4cc58b1dfc529a48f59f9283522802506c9a4

SHA256
7ce428d1496f813df639280af21ea36e94906e055f92d60a033f27feac6469fe

SHA512
dc464a7b2ee2f27d206fe603c96b626ce6a59c2046c0da0d7b81283b5c776c9728d9f90c8f42f80ec88e4184ed32553491eb20a1482a160600d69667d199201a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c82aa0ca9b3fac6c5d6427f6f4076c4c

SHA1
cf69cc522e1ae8921caa1e08854e82079b9151ee

SHA256
a15801c5f3f443bf669817b1b601e79873ed9ba758ab2ebc0542b78cfd4f624f

SHA512
9b77c1a758e2e412eeaa9ee004a30495d65688e73190abad0be4022d18f0951203c236f21f56a0db181d4aac0b4c1f5cb2d29a59c5cc42eb5cfa5c1a48b4bb92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
8cc6fd1c5ed41061cb0337cef95430d1

SHA1
1c3b81e0efa58883468e0bf7b5e11b47d6057d50

SHA256
701054d7f9da93334795d548e54587f87e432d56ef7b3babcb39763e99ff51d9

SHA512
eb19947f87d66e6e977de3351ffe25d6486990572fd0484fea1b6e19c0c5fcd35b7568bfa786b1e7204be59b05ecd9b5291a26b490182e3865a35d045d86d759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
f5aa04c23074270c0f9e53a8db0cceaf

SHA1
195d1417a0a26f6af5eda17d3def4e829bdc96d8

SHA256
06d3574b17dc0db44f56695f108195e09f3bc990d34080f71ae343c621f1d7b5

SHA512
daf787dc380a29ca6298f19e299eed467aa3b8100b1705a16f831ef66b44efae50d969b3e4f11ecfc6e3f3231d2dbd7e12fe6499078a9a1f9f42dcb896194355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\FileSyncConfig.exe

Filesize
433KB

MD5
744825e09c334ade152ce758b899f0ef

SHA1
880304dc61f1bb323c1db6ea46b804bd868fbbe9

SHA256
d6ef50b5d22c3bd1c9624f975b2a39bd3180e89a59f094becc7590efa2a6c79e

SHA512
95e64bbb4f58e0572abb76bb31e0205bdc98dca829bfb69028d9cff72052ffd317191baa28a7b52a6baec99ff17512f85cfe1cfae73aee2c84a2e1221802b37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LoggingPlatform.dll

Filesize
310KB

MD5
55f9372e3c6951b5ee3a4e6cd248a35a

SHA1
d663527b11349e4ac6e78bf350af0032db6cb03c

SHA256
3c8f09d36d11aa745392e1d5f42afd9672b502869ab3d518ea715e1d31255d32

SHA512
018b1bc0270d02ab762a5c1ae24ff042959a59fc84032684eb819080c446214ad600fbbf9b2d60027920df88e04c65f7002823ae1b11c3dd92a427d6ad4dc5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDrive.exe

Filesize
1.9MB

MD5
4592abdea88598149b6edf0acdf725b5

SHA1
0429e6697b13435dfc8c2c631d17d3140493d1f3

SHA256
28611d106d449e08374d674a3876cfac799f3b57e19e2dc283612e03623aaf67

SHA512
f3acb79214f9113b6d137c819e3180d79c54fea2f64b698d4cdd5c7101b1e5102a116f8b5b13d94d3d05d1b39ba203240ef7b59143a47fce1396b65d664087c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\OneDriveStandaloneUpdater.exe

Filesize
2.8MB

MD5
0e5fd9e26ed643ca4bd7f16f725f9449

SHA1
baf005f55fa4f455b2dfee0901e14dac9bbbe4f4

SHA256
243b6499571730a5af85d90df9ebd089a1f82c7ff97a0cb19325d213b51b7c31

SHA512
3e4ccff546fd0afc7aeffa1a520d31b22a757cbb84bc1eace529d58b765f3de03b84d5ce659527bfee0ef94579eaf2fd96058128291eb56d4915a8d8f7a631f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\Telemetry.dll

Filesize
229KB

MD5
d8483a39b24a75f34212c7ae71cec197

SHA1
cbe708750a41d91d08e764a0ec524bd74e463e7a

SHA256
dd0f93390a524918ef4717278c8fd77f9793505a314675f74da54baf98bdb8b9

SHA512
d8ecfa2891a1cc4dd927854c0fc3f49ad7fe3402047d5db46379f4923e7aefb89fc63d52e88ebc74842cf9ec096dda9d07c9d65f9350421332dcded3df717aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\UpdateRingSettings.dll

Filesize
257KB

MD5
a87c3012257c1be3a0ce588dbd57ebcb

SHA1
1c9000b3870d0164118b416ca46f0f6db1c0c6d2

SHA256
2e778b9665472b80295361e649df2b10c3b08065bc013f954d9a8753f27c9b24

SHA512
e650a89c17d3a6c301dcbbf373ae2e34ed2cbcb45b78b30ac16426e76914ebf8f500b6880e4c291b56e3d52687ee4113f3002e78b08d14dedfbb3a36bb42e3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\VCRUNTIME140.dll

Filesize
73KB

MD5
f135dfc5ac026c9b6a29854774d71d71

SHA1
65dd44ad62f23474d664567234abb619f19f2d39

SHA256
c9ccfacf80630f47611d65e370bf3148caf3d3b5d6604bc5d277220f56d78ab8

SHA512
19f0b4cfa76f13a91c4f6ccd8317b3b3c71e06cf8ffd1d3c2054ef7b8159f8ae65443de4a7d85efbb626e7db58de1d983054ad4cde56df4691a15361f08dc2f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.050.0310.0001\msvcp140.dll

Filesize
431KB

MD5
bd329995813712d94d83f8d61228cd3c

SHA1
a4b4346a1cd6fec54fe41d6aaabcc9dd120d29a5

SHA256
a33550c04e81f849fed5077e8a02e72277974d41644480e0e2f6d17aad19beca

SHA512
6b1878263895064eb3c11c50fee754552f67cb6cee6fb6fb2c9dc96e96afacd2c3db53f8f0115447e0d3b87b7e7cda6ca79328889010c9fdcb8daaad8e2c0e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
69B

MD5
52c9473193b9bddc1572ae9277c16a01

SHA1
a8a83b1fc37e4cbe1f68b104fb1c1b0f00f8927e

SHA256
3bc4df39d8cd1ae6d79bfcc522bc8cab561908cc8bb107bfed35e1128e0329e0

SHA512
b2e5361592912f9f223000c9846c59ebc25cee95449ecf776dc89d52dc06d03a130665ac622f779ae617fc2963158dbc97ec0843b73e477e94bfe03d705bff1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc.session

Filesize
20KB

MD5
70d9750986dc4a5be11ec3ddb0f1a215

SHA1
575016ff414977387e575b568d5113ebe83442f9

SHA256
6ef2d0bfdb0a19f7a92173571133ef76798c28cb7d92f0ec240a380b9599a3fe

SHA512
99aa8a26e9f52f7ae929fcad537a308650b2be5d12806b2f3b82be43f82958583f849e141f0b15da24130253a14183708cd905a63dfa5a97ddc993493eaf8099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b1db6b769b4453abfda514d01f89664.exe

Filesize
2.3MB

MD5
782f6274654b584ff6d51ca55032f818

SHA1
d6d8d66c9d204ea5455e366b4047e713e471dceb

SHA256
7b44b3e5c2decf0b20a4dcc3b1437bff44c0d0fb78224dc690c190f844927664

SHA512
ed47e666a42b28250061f4d63d90fb03705f09889539fbaf936ca35afa7d0b35bad3c7edc2091d74ca1d99ef380dc478e352e0ad4e2aa81ae0552a6b85f9b2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d0afb9f1ba44ca8be06889a4d3ea172.exe

Filesize
69KB

MD5
57aefeb4dc6a62340c9cd1ee49d043d1

SHA1
e769b03d88cc128982f5394c28f6ba31cac957b7

SHA256
6f396703789bb1d26f98023d79f1a634dadc1cd5c2f3c096a42119e022381edd

SHA512
db2a5c757f9d90da18a48cd6fdec120439b1e3ae9552c76d433da890c68cb9ff65f9c35da5f97a4e9bfbda1feb214895e7121fe63dd4318149a6aedf348c2e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\35552382bd384c91b568efeca5886d87.exe

Filesize
10KB

MD5
76386705862925ccbf1e3f711a6e6b56

SHA1
2335fae9eb828b09930a2b01910b1b594395004e

SHA256
a62e7ad75ab140bf45272989ac9b9f5937298c8c5ffdccd19323452c0e793b90

SHA512
893000f32223c67dce85c7a9f0edd315743ce56372557d432a1c6fcb19b728e7110adee7e23f7de7b6ad59f48fe632d27ebafcb0fab00a3ecad01a23c7e6000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\607d50af925c4dc4b5423f530dd3c54f.exe

Filesize
10KB

MD5
424755b9f13cdb742d503836bf09e63e

SHA1
b4cdc234fdca58519edf14fa3b0bb3a522249440

SHA256
e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56

SHA512
29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\67f704a732034a84961aff3c37da684a.exe

Filesize
135KB

MD5
c971c68b4e58ccc82802b21ae8488bc7

SHA1
7305f3a0a0a0d489e0bcf664353289f61556de77

SHA256
cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

SHA512
ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b26b5617fdc47ffb97b791f2b7eca13.exe

Filesize
27KB

MD5
a01537295836a4e387cc80ff394fe53c

SHA1
c5775d713df0ab96e55fd2a1c841a9c8edb6b666

SHA256
df56d29d9124be1a3df66bffab2fa3382c2b083cc2a6deb956b757cd9a935f20

SHA512
598b6963e9ed59c48c3b47fc59b0864eaaa566da304f222a09a7539954b6a8a02735644ff1235a9eb98ae0451086a531de62528aabbf7cc9879e6d48003c38bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd25332a0a4d4ce08cd88f92db082c23.exe

Filesize
245KB

MD5
601283c004aa6e4bcebfb6e844eb653c

SHA1
9c3dde5abd1056497f03f5ae5a3dc6ffed1028cf

SHA256
279a19315055e93a80c558bf9d9a7c8b4aba8fc8f8f3e812df8619e959abbcae

SHA512
feeaebc7c097c724f0cea539729729a7512eb0c75c45b7395cd1d7b3ab643f11fb8b941373b30b12d14b837ff53793fdf49fd70f524c9f6391285d62cf4a7c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\e61431f0fb1e4d8eb359eb3b14941fab.exe

Filesize
63KB

MD5
2cf51977ed60a9a59d29a72075ce52ad

SHA1
960e40eaa8445c0049d11f97abba7f4b465ad4d5

SHA256
64735679e70b0d6e67198c28df11cf449dc114df01f6c336d61a9da39448f853

SHA512
bfcad9e99ff0dfd2cd917b8160cccab3710ed9974a6c15ea7dd1b0db965a51eec5ac588a87c4bab37af60504a3deb4f11de0a4d93a0c3648673b0dc0824646ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\f08682deadb14e7c8598d0162cc62261.exe

Filesize
47KB

MD5
c61693e8d501dcdbcd2346853a80417a

SHA1
edf5803d2c9cc7807b571d9d081ca06387ee7cd9

SHA256
f0d5399c42971102e56abbcc9efd1d0b104ddb36da5bccd67e18850a1a21fad4

SHA512
8cc0fe94e144e754cf0fd0d4de2f4361adaf7fc83116fc3009272efa6df2eb0c60b04dc037ffde1581906471196ffae0cb51262a7ac731b515ff091a64da41d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB893.tmp

Filesize
33.1MB

MD5
162e0458395e973b8ec1894a050bc4a0

SHA1
28ad9acf285eeb849542baa6b7407e4a243bb33d

SHA256
3a6924971813e9cc3e1da01e150add8532de225ee25d618a080df847b64142b0

SHA512
4ae46bf949c4c40ddaa339ec7cd4b14d5a9479ffd4bbd6fe0edf013861dbf3b96d5a44e6b47aa2d95c6bd87c62932c62c3cee9009d7dee5b4c09ebbcfbb06957

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
15a633a3f9df30255e7cfa91850a4697

SHA1
5e06552c99eb486ac8b5cb9210d0a311d57c01e7

SHA256
ea55bf44a6cfb3a16306c88dde1f6f48c4db8eab2c9abd702ed26b16bdffa6ac

SHA512
0f827e7feb59660152c2ee05031063a5ea0b79c6fba3bb74b292445de87e3038c8cd68596a7a8506713439e508cf1dd78e30b554f12f6654efc89bc5b32d207a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
280KB

MD5
6ac4fd81fc73389695a6ea86f6df775d

SHA1
d17bb07c5c1b60cbc6ffd6d2b4856d3f71450641

SHA256
76a408eab042b102e213c489f567eae3cc2a86e2e856ca4c3917cd6d756c792b

SHA512
7df1e1ed602e179a257233509671ce303618cf4a784142bd6e5b2d0ecdac8e13020e115357821d4299535e554bffe0302092c384a450ddf4fb78d9e27ac76145

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
59eea41a0be1a73baf287f3187dc8369

SHA1
7ed2313a23c1cc92beeb55f0f659356d8077975f

SHA256
7e80c5309bfe60230fac570e5f1283e69de2c38adf4616b1792289f36b90bb4d

SHA512
106ddedb339ca79673171c4180601de4fe59762ce0c12c239ff7a54144dfc1dbce8509dfeca7b4effd0f4f37dc171a47040a05ee11d5dc223cadbd1a96e96bfb

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
14KB

MD5
bbc8955bd9f73377f843e0a7642e1b6c

SHA1
202a0aaad52d2267b14cf5042b20f766cc7d388e

SHA256
407d8bff51130fdb5acffe010dde68d78f649ed6c30b73a3301ecb5c0c772683

SHA512
ba60473fe9136340e4c5c075cf041ba69140dd6a55cf89d62943edb8459b51af66e77ec25997245612b961d6b1c97a3d9ddf0bc66bb4221166676490b606d3b6

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
16KB

MD5
50f0590fc0aae3f3c50709f066be25cd

SHA1
9abe2a9275e34874a01d454ba81e3437bf7f0656

SHA256
8eccfded3dd4b5759cdefa4336e5cf381197ee2870667238308a7869cdb2b5b9

SHA512
e656df5e13e8fc35614f97a92bf5c3fd81118c3057e8a8a0bb53bde8e8926ee65967774a099f1ee6a413c00e7a7af1372f5149df7f7184980bae12abb866cce2

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
99bcdd23610358ae164ed6cf4cdd32fa

SHA1
814a8c4268a5b4474ddfd50c461e27c7f6118225

SHA256
5a7b1f24312bb707592f19d8fded811dc05208e251088b25a0f50582ecd7426d

SHA512
b558dc617049b0e8d0cc477c252118f1e43a0845bd54832335af4a36a84a33eb95e4b0a976559fef5b105a11048387f78b8dd879011a2b2f8ccc08b37d15a016

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
5c239d84e41e1df1ac18ec54c2f51a04

SHA1
60ee3155cb04b0da42f1127a3bb364a5e788d89e

SHA256
d250dda884cbbea6cc07a0f5ecabfe8ef0bc41cae1a4aaf6ffe6857aff08070c

SHA512
f66b4c55f51b63b3b45ab2cddb94c729bc28e02b269bc0a5d40df73769752f28063c020df1c3c084a8cc68d9227e15cf3db821e23761b6d732a691ba176e61ef

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
16KB

MD5
a3226739c300f71b75d69e5258776f98

SHA1
de81f2ab95fda2d03a95b29bc878cab847cb9485

SHA256
7d81cd6c52718ee1eb1fe4594819ab819088a5fa3241a5342d77e9b673d2a100

SHA512
609417706fb8a43c72e898659e1f65f14568081e50e910c83e61797c00e0392a53c6bdd4f03da62be1eac826004e8c43d620aa8f9eea2712726b6aad416f34ef

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
6c1659062765941d8eddf6883ad78e9a

SHA1
8d337ea9cbd035a0589b43a5f95e2c21b8b54bdf

SHA256
306456bda5677c03c7f102954dc5f72fe4e142dfbe7568d2f1ba0466a8c7e344

SHA512
61a2c7eb5403c5a57ed2fd26cb68a60967dbb25f771650b97b673167db792663cfe3679475c424d5e583d3f3abff8c2e1ee2e5413b372af2db7d15455f2246a4

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
c6016d276c070d35c8d2c0c5a157c4d8

SHA1
ebda2a07925ad66be4b5a169955b19d4dfd8d38d

SHA256
965d3ddcf971eee766956840b237300e0da62d080a36724123a94401f7d98a47

SHA512
a6a7f03d9c7ef5a349c9203045d5c69be7b098737f7c7bf81c192006b45815e0b94b6b42a3e446944a57a2315ef4182998d63bf12cc442b6ff65c7318b631240

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
5048c1a9ab295d6aadb0d2ceb32cf4c4

SHA1
9e933e15d7d760228f169fc6c41f886cbb1cb03b

SHA256
8017a4c7901ac536c6c9f025da8e745c5ea9d3b769d0d8bac6d9b81e43d0d69d

SHA512
a2ecdcab5564404806fb0784cda5523141b312387670fe7ae32fc062e120117fce4cf512cd61a74ce7cfbd2b5c7f26436d39a2f89171acccec0e6b3eca0de936

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
319B

MD5
62441591c3066e78ecac9438a5127fa1

SHA1
a9e2e5c111a73213073dc7093899a90d761883bd

SHA256
10c2da962c5dfc51ffabcd3823c75a2334c4b117fc2752eb725447f90ff730bb

SHA512
3a87be33f0902b7e71eadc481d9ccf75735bd7da438b16e604c0dc72fb15ffa18b641724b48a5187e4affe2b4f1d52f7d104f31a8853fd855fabb20ca71a9a26

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
599B

MD5
7d9c859620bad97e0946f8d0ff33aa3b

SHA1
bb83558aa29fff315c3b42774d8ae3eb44273029

SHA256
b96db13b65fd3c9e2385d04e0a8262ec62e0148cbc859b96979bb15e7fca919e

SHA512
04663dcee3be34ca31a3277e8f0d6e7a8cb17dae8ac2183e4d5bbfc2f617eaa5cb63bda917877a8d92a8f43867dd9819d1226ecde65d84061b1819d2f7ce34cb

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
825B

MD5
ae420462a792657366aed019e9ac2e6e

SHA1
4acddd28819687c56533acc61bd7441e6478e3eb

SHA256
2c94d4830c2867c4b55b4422319533fbb1525d52ba294e212625f8999cd03a3f

SHA512
3091bd30c3ad5935aadf1a88238053aebb24f34ada8b56c34cc917e6cf9f93d653f14fe3aae0c08bae2610d8c5edb741cd88d18bba3ad4cabb1e1bd2463c2582

Download Submit
memory/2168-21-0x00007FFD89813000-0x00007FFD89815000-memory.dmp

Filesize
8KB

Download
memory/2168-19-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2168-22-0x00007FFD89810000-0x00007FFD8A2D2000-memory.dmp

Filesize
10.8MB

Download
memory/2168-20-0x00007FFD89810000-0x00007FFD8A2D2000-memory.dmp

Filesize
10.8MB

Download
memory/2168-18-0x00007FFD89813000-0x00007FFD89815000-memory.dmp

Filesize
8KB

Download
memory/2444-42-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2672-1739-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2672-1740-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2672-1741-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2672-1803-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2672-1806-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2672-1807-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2740-1-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2740-0-0x0000000074941000-0x0000000074942000-memory.dmp

Filesize
4KB

Download
memory/2740-4-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2740-2-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2740-3-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2740-5-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2740-6-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/2820-1779-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2820-1760-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2820-1776-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2820-1758-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2820-1759-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/3508-732-0x00000000367A0000-0x00000000367B0000-memory.dmp

Filesize
64KB

Download
memory/5284-1754-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/7912-89-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/10000-1749-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/10000-1750-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/10000-1766-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/10000-1770-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/10000-1752-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/11840-1714-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/12116-1728-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/12176-1780-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/12176-1732-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/12176-1731-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/12176-1801-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/12176-1802-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/12176-1730-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads