59c7db4342856a8b2a9e89bef68be3d0b89e263f1002dbaeaba9f7d6619e2245

Analysis

max time kernel
153s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SlackSetup.exe
Size

112.6MB
MD5

cd7971f914ab92638694150f4b0e445a
SHA1

c20c1d562044db829d4d2999fc4403c760583332
SHA256

59c7db4342856a8b2a9e89bef68be3d0b89e263f1002dbaeaba9f7d6619e2245
SHA512

3d1e1681b63f4d1fdfde9583b88f3fcb79fe6bd6e163611f42a3270ad4e04ec119ec7bacf120c3623b0556bb41689fab90fca02dfe44c58f9221ae2a793718ce
SSDEEP

3145728:MzVwsehQ5oHOfgWBKkt0ba0+ti1OmHF1QTNKAw8inSMPw8Y6FxfE:sGmt10+wOGFCpzopTM

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack = "\"C:\\Users\\Admin\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup"	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack = "\"C:\\Users\\Admin\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup"	slack.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	slack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	slack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	slack.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 12 IoCs

pid	Process
4164	Update.exe
4632	Squirrel.exe
1820	slack.exe
2700	update.exe
3688	slack.exe
3472	slack.exe
2880	slack.exe
4348	slack.exe
2656	slack.exe
4532	RuntimeBroker.exe
4380	slack.exe
4104	slack.exe

Loads dropped DLL 26 IoCs

pid	Process
1820	slack.exe
1820	slack.exe
1820	slack.exe
1820	slack.exe
3688	slack.exe
3472	slack.exe
3688	slack.exe
3688	slack.exe
3688	slack.exe
3688	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
4348	slack.exe
2656	slack.exe
4532	RuntimeBroker.exe
2656	slack.exe
2656	slack.exe
2656	slack.exe
2656	slack.exe
2880	slack.exe
2880	slack.exe
4380	slack.exe
4104	slack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	slack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	slack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	slack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	slack.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\slack\shell\open\command	slack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\slack\URL Protocol	slack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\slack\shell	slack.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\slack\shell\open	slack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1820	slack.exe
Token: SeCreatePagefilePrivilege	1820	slack.exe
Token: SeShutdownPrivilege	1820	slack.exe
Token: SeCreatePagefilePrivilege	1820	slack.exe
Token: SeShutdownPrivilege	1820	slack.exe
Token: SeCreatePagefilePrivilege	1820	slack.exe
Token: SeDebugPrivilege	4164	Update.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe
Token: SeCreatePagefilePrivilege	2880	slack.exe
Token: SeShutdownPrivilege	2880	slack.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4164	Update.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe
2880	slack.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3316	SearchApp.exe
4792	SearchApp.exe
4020	SearchApp.exe
4292	SearchApp.exe
3464	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 4164	3900	SlackSetup.exe	88
PID 3900 wrote to memory of 4164	3900	SlackSetup.exe	88
PID 3900 wrote to memory of 4164	3900	SlackSetup.exe	88
PID 4164 wrote to memory of 4632	4164	Update.exe	90
PID 4164 wrote to memory of 4632	4164	Update.exe	90
PID 4164 wrote to memory of 4632	4164	Update.exe	90
PID 4164 wrote to memory of 1820	4164	Update.exe	91
PID 4164 wrote to memory of 1820	4164	Update.exe	91
PID 1820 wrote to memory of 2700	1820	slack.exe	93
PID 1820 wrote to memory of 2700	1820	slack.exe	93
PID 1820 wrote to memory of 2700	1820	slack.exe	93
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3688	1820	slack.exe	96
PID 1820 wrote to memory of 3472	1820	slack.exe	97
PID 1820 wrote to memory of 3472	1820	slack.exe	97
PID 4164 wrote to memory of 2880	4164	Update.exe	100
PID 4164 wrote to memory of 2880	4164	Update.exe	100
PID 2880 wrote to memory of 4348	2880	slack.exe	102
PID 2880 wrote to memory of 4348	2880	slack.exe	102
PID 2880 wrote to memory of 2656	2880	slack.exe	103
PID 2880 wrote to memory of 2656	2880	slack.exe	103
PID 2880 wrote to memory of 2656	2880	slack.exe	103
PID 2880 wrote to memory of 2656	2880	slack.exe	103
PID 2880 wrote to memory of 2656	2880	slack.exe	103
PID 2880 wrote to memory of 2656	2880	slack.exe	103

C:\Users\Admin\AppData\Local\Temp\SlackSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SlackSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\slack\app-4.34.119\Squirrel.exe
    "C:\Users\Admin\AppData\Local\slack\app-4.34.119\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:4632
- - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
    "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --squirrel-install 4.34.119
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Local\slack\update.exe
      C:\Users\Admin\AppData\Local\slack\update.exe --createShortcut slack.exe -l Desktop,StartMenu
      4⤵
      Executes dropped EXE
      PID:2700
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1804 --field-trial-handle=1808,i,5294783839772782554,3463403302760696255,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3688
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=2248 --field-trial-handle=1808,i,5294783839772782554,3463403302760696255,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3472
- - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
    "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --squirrel-firstrun
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Slack /prefetch:7 --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Slack\Crashpad --url=https://slack.com/apps/sentryproxy/api/5277886/minidump/?sentry_key=fd30fe469dbf4aec9db40548e5acf91e --annotation=_productName=Slack --annotation=_version=4.34.119 --annotation=plat=Win64 --annotation=prod=Electron "--annotation=sentry___initialScope={\"release\":\"[email protected]\",\"environment\":\"production\",\"user\":{\"id\":\"69940f77-523e-4eae-8aed-793bb597d883\"},\"tags\":{\"uuid\":\"69940f77-523e-4eae-8aed-793bb597d883\"}}" --annotation=ver=26.2.1 --initial-client-data=0x460,0x464,0x468,0x45c,0x440,0x7ff75f2a1ef8,0x7ff75f2a1f08,0x7ff75f2a1f18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4348
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=gpu-process --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,15295063275967851743,15579050229847298702,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2656
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --standard-schemes=app,slack-webapp-dev --enable-sandbox --secure-schemes=app,slack-webapp-dev --bypasscsp-schemes=slack-webapp-dev --cors-schemes=slack-webapp-dev --fetch-schemes=slack-webapp-dev --service-worker-schemes=slack-webapp-dev --streaming-schemes --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=1980 --field-trial-handle=1848,i,15295063275967851743,15579050229847298702,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:4532
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --standard-schemes=app,slack-webapp-dev --enable-sandbox --secure-schemes=app,slack-webapp-dev --bypasscsp-schemes=slack-webapp-dev --cors-schemes=slack-webapp-dev --fetch-schemes=slack-webapp-dev --service-worker-schemes=slack-webapp-dev --streaming-schemes --app-user-model-id=com.squirrel.slack.slack --app-path="C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar" --enable-sandbox --enable-blink-features=ExperimentalJSProfiler --disable-blink-features --first-renderer-process --autoplay-policy=no-user-gesture-required --enable-logging --force-color-profile=srgb --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3044 --field-trial-handle=1848,i,15295063275967851743,15579050229847298702,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --window-type=main /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4104
  - - C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe
      "C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --user-data-dir="C:\Users\Admin\AppData\Roaming\Slack" --standard-schemes=app,slack-webapp-dev --enable-sandbox --secure-schemes=app,slack-webapp-dev --bypasscsp-schemes=slack-webapp-dev --cors-schemes=slack-webapp-dev --fetch-schemes=slack-webapp-dev --service-worker-schemes=slack-webapp-dev --streaming-schemes --enable-logging --log-file="C:\Users\Admin\AppData\Roaming\Slack\logs\default\electron_debug.log" --mojo-platform-channel-handle=3224 --field-trial-handle=1848,i,15295063275967851743,15579050229847298702,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,CalculateNativeWinOcclusion,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,LogJsConsoleMessages,RequestInitiatorSiteLockEnfocement,SpareRendererForSitePerProcess,WebRtcHideLocalIpsWithMdns,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4380

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\7f0573c4856443db941f8dbf33870bc0 /t 3844 /p 3800
1⤵
PID:1788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
1KB

MD5
6eb96c16eb677b6a8c1df381a0497a1a

SHA1
d4596baadc2d4bee89d57e1718ab30c0b7d563ec

SHA256
e96331392d474ca0fbc51036c7d55aa3a37aae6b074d50ebd106a277b0cb4097

SHA512
3d472d56ceb73a3df3f65eff6af088b3a81ab553153cbda925091500a6543cf83e84872f2bc81f218deddecd8f3c9868d784c2fe08ece95f915138becaecfb0b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QVHQQQV3\microsoft.windows[1].xml

Filesize
97B

MD5
e403893cb1eff096a3a681a4e18bfc57

SHA1
2b77a9b05a98def1630f2d224077297c5aa719bc

SHA256
5a67e1471e50d3e01653afe33268399829528a3d7c0e41dcd2d1e0c66670d066

SHA512
c8da1987035c0ee26cf94ecac9436d2e4abe7a512471231666e7e1e25b48b9aa033ad4a68075e7f4a83c9a5229718906a15dec6a15c57d39a7e6d3bd99ecd564

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133396118633113712.txt

Filesize
76KB

MD5
1461e49d90bb60546adfb2f39177495d

SHA1
a0e4cc9de3e07bf1cf120004b98594cc00a16f00

SHA256
b670688ee42cf9ad0785819f1c2d22b05e4dc8a83dc4db911cf935d47eb04d8d

SHA512
c1e35bc7f05632198cc2484ed9008696f4a7e78072ad56affcd5b8fa2bb656eb8ac65b8991ba3f2b406f22ee0d7f0857ab20fe543bd71fec174d9f598a28ebfb

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
79B

MD5
6062f2f5a88e3bbca71a44a53b1ea94f

SHA1
f41314745ec4307e3549ae5f73c170ab9c7e45b1

SHA256
df5beefdf35853697fc563c862563e29b0d8ad5ac3b3fd9e7795d88c7b878c8c

SHA512
fdfd11716f1e26a5e49ec23b195f661eb4aae98b32c71aab3c0577b509ba00ded1eb51000be4bc17bf6ea443bb32bdddde976d572dc0abd41af71584d527dbb1

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
b5bb52087330de17cc2ef4996adaa813

SHA1
91444500058b636edc23ce2edcebae697372d70a

SHA256
4c89d344f42e188b27e1950057a31dbba9d56254441dd61dbdca50363c1bf327

SHA512
eb7473c544018c11b885cfcbaa9d1bfdbe4a40e74b6ef7142eb05220bb37dfe83c63f5b2b613b568a1cf593e12388d2f15481433259e9695d3b2f41dbfd4eaf7

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
b5bb52087330de17cc2ef4996adaa813

SHA1
91444500058b636edc23ce2edcebae697372d70a

SHA256
4c89d344f42e188b27e1950057a31dbba9d56254441dd61dbdca50363c1bf327

SHA512
eb7473c544018c11b885cfcbaa9d1bfdbe4a40e74b6ef7142eb05220bb37dfe83c63f5b2b613b568a1cf593e12388d2f15481433259e9695d3b2f41dbfd4eaf7

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
191KB

MD5
0b6b63cdaeae40f461aadfdef1d526bc

SHA1
b7cccd3328769552e9e8e0860ba933e9f6eb562f

SHA256
a23577728f09e8f4b24d7b03d2cb3611428d6acd2efb72db28289c7901e42fd8

SHA512
a07b77ad039762f5235348189767955a1ae5c37ba6a9697161855afab966d3e75e73337ae0853499a09b2bef74a5d8cfc00cf2525e165cc77ee82497bc6bb223

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\slack-4.34.119-full.nupkg

Filesize
111.8MB

MD5
313d61bb91b55eee15017309c4772f0b

SHA1
10084278169228311377216f75f09f0fe04bb750

SHA256
7cd848224e496ad2a21069ed17520eeca8752f9c45eb917ff66417d737ee1b2c

SHA512
9cd8409a174d11573d517b87b09495d606e656e7c267b6ae709dcda4dcab08c0305aa185754e61a09e950c37638b4b54fdd682a91bef9ff91f278ac142ea1761

Download Submit
C:\Users\Admin\AppData\Local\slack\Update.exe

Filesize
1.5MB

MD5
b5bb52087330de17cc2ef4996adaa813

SHA1
91444500058b636edc23ce2edcebae697372d70a

SHA256
4c89d344f42e188b27e1950057a31dbba9d56254441dd61dbdca50363c1bf327

SHA512
eb7473c544018c11b885cfcbaa9d1bfdbe4a40e74b6ef7142eb05220bb37dfe83c63f5b2b613b568a1cf593e12388d2f15481433259e9695d3b2f41dbfd4eaf7

Download Submit
C:\Users\Admin\AppData\Local\slack\Update.exe

Filesize
1.5MB

MD5
746e090dcdf5601d7a511d69b89cce07

SHA1
e264c49fa76e402ac9b2da469f69dc734612168d

SHA256
c0e5751fd2d019384be092f76754d8c18ab448af88baff6a8a8df01f98f27e44

SHA512
aa8cf18c125d9035394303302ea15694abaab86d192a741c09c3d3c55b30d814d96c84f1b38654b3a706e14c169b73fad2913fb504f6ed4c9cc91e714630f096

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\Squirrel.exe

Filesize
1.5MB

MD5
746e090dcdf5601d7a511d69b89cce07

SHA1
e264c49fa76e402ac9b2da469f69dc734612168d

SHA256
c0e5751fd2d019384be092f76754d8c18ab448af88baff6a8a8df01f98f27e44

SHA512
aa8cf18c125d9035394303302ea15694abaab86d192a741c09c3d3c55b30d814d96c84f1b38654b3a706e14c169b73fad2913fb504f6ed4c9cc91e714630f096

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\chrome_100_percent.pak

Filesize
132KB

MD5
e4cbb48c438622a4298c7bdd75cc04f6

SHA1
6f756d31ef95fd745ba0e9c22aadb506f3a78471

SHA256
24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40

SHA512
8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\chrome_200_percent.pak

Filesize
191KB

MD5
99b95d59d6817b46e9572e3354c97317

SHA1
6809db4ca8e10edd316261a3490d5fc657372c12

SHA256
55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7

SHA512
3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\ffmpeg.dll

Filesize
2.8MB

MD5
e81341126c914b9ae7149e7f95c6052f

SHA1
3eac9c43dec01e998eedd6969e6c344a44496ad3

SHA256
967196066e1994cc213fe4407f00bf6b39a3df3635b9dff7bff470271664a7a0

SHA512
ffb2b101f32cd62cbcc449b88f882b1e2a39ebe69256633b60e0cb28d9ef69311289ad5fc3e77180d5050cde9bfbc850e7a31cbcdfa8639e7d72e10e0ca0085c

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\libEGL.dll

Filesize
479KB

MD5
2965128f667127bd87133cf3370c4885

SHA1
e435cd1184d57e8b44334995e2880d926fff31ec

SHA256
decd682561f311ab73fff231cf5978eea9dc15a1164eb2f0b482d8a65426e15e

SHA512
470e7ba168b2f1e5a58810102e27a122a9ba77612028dfda7a2f5687aa176d91292347db07149bf6d488ae91d78b789f0d414686aab2f61b0a9d6a0bab2a7261

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\libGLESv2.dll

Filesize
7.2MB

MD5
d2274f0143f42ab1e775cb239c687eca

SHA1
4f85b769eef656bffc9f83edbb6063910cce687b

SHA256
ba125c5a2f82d2ba0d71765bbdb2aafabeb14d22d7596f4ea680e345f148760f

SHA512
98be5c65d9ccfdb6cfba0ab9ffaca04d98431769483a0e26c197486876b426e215c2e8c4232e54344764ccc699787f82180e690a71a1399d5b4bf8cb93b6e9c9

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\libegl.dll

Filesize
479KB

MD5
2965128f667127bd87133cf3370c4885

SHA1
e435cd1184d57e8b44334995e2880d926fff31ec

SHA256
decd682561f311ab73fff231cf5978eea9dc15a1164eb2f0b482d8a65426e15e

SHA512
470e7ba168b2f1e5a58810102e27a122a9ba77612028dfda7a2f5687aa176d91292347db07149bf6d488ae91d78b789f0d414686aab2f61b0a9d6a0bab2a7261

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\libglesv2.dll

Filesize
7.2MB

MD5
d2274f0143f42ab1e775cb239c687eca

SHA1
4f85b769eef656bffc9f83edbb6063910cce687b

SHA256
ba125c5a2f82d2ba0d71765bbdb2aafabeb14d22d7596f4ea680e345f148760f

SHA512
98be5c65d9ccfdb6cfba0ab9ffaca04d98431769483a0e26c197486876b426e215c2e8c4232e54344764ccc699787f82180e690a71a1399d5b4bf8cb93b6e9c9

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\locales\en-US.pak

Filesize
391KB

MD5
c9c2abcb04e1ad5f1a20244da8d595a8

SHA1
89ca81da21900074a5ccdcdc852768277b2b620b

SHA256
0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762

SHA512
96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources.pak

Filesize
5.2MB

MD5
e037bde583680b45e721ef781286f218

SHA1
4b4b59bd9a3d66e0f20cfab14aa8b991a65954c2

SHA256
28c786c6f6a15cb0016aed34a783c6eb1ff947169d3d15fa3c05b2d55b7004ea

SHA512
9adefff5e7e7a08ce3005843aa44f148cb11aa0654d2db55387a0a2c109ab20ded343cfc20ff84cfcecd42571cb6966d57c77a1f7ca10afdf80f7c305dae9c67

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\VisualElementsManifest.xml

Filesize
314B

MD5
ed88a7d0341f744783742c50f767401c

SHA1
2979ad3394b19381d266b268ac159e109e9e9e86

SHA256
c3859fa55f560e5fc1fde20eea83948ba4048aaa735d3f1ac692abf3ac603835

SHA512
81b7c3f35db0d3193deba3048481fc22ba7fc2215494ecfde30dd73ae26a62a90577c366a6f0cb2c2fe25b58576e5e23156c6a2f0cc5f84be9d88ba773fefcc6

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar

Filesize
19.6MB

MD5
ed2c4e5a83657e52cf1886123b3155dc

SHA1
71067a9c21f72b56d4428b5d733f22b17b61273d

SHA256
8370a2eb51004313e5469062a9d75434a53a064441a2e28177a9b00968e7a3d5

SHA512
c26a696784f3f37d5f3d34b28d348137239ba0cf4c9d9ba48784212748e3943c506a68f186f0e8953b074834ebaf36893496561edbc7b0f34761049ebbca90f1

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\dist\resources\slack-taskbar-rest.ico

Filesize
11KB

MD5
ffbe7e3f32354e068f94b863820c35de

SHA1
f5acb7376feb2421b7faffd2b23f3c091345664f

SHA256
6678f55e545c2181ba1cfb5427eab880662d028d1614e2de263cb9e8dd3b7ab5

SHA512
cfa640cb259ce5f4a7ecc4695b8fe6cc2d8282b46533ac8be9a0d40f35b927a59315b8fd1c1473b7c04339a6380557975f2ec3ce840c9cfa705d4528078b1d2d

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\@tinyspeck\slack-desktop-utils\lib\binding\napi-v8\slackdesktoputils.node

Filesize
142KB

MD5
4afb770ecbd1313b9a48df232532284c

SHA1
50d75cb10bf9960b23cc498f8e5dc2d5fab8e259

SHA256
d13020bc83763db037087820beed305c4d62957bbc32269d32c3967c34aecafc

SHA512
ff6ec4138c28efd5d274b5aae6c95d6733090d8ffa6068a64f51dfd07beb1f47d8795f5f271b39705186933022e6d107d2abb380427d5f7b7156fcdf2f484082

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\@tinyspeck\slack-desktop-utils\lib\binding\napi-v8\slackdesktoputils.node

Filesize
142KB

MD5
4afb770ecbd1313b9a48df232532284c

SHA1
50d75cb10bf9960b23cc498f8e5dc2d5fab8e259

SHA256
d13020bc83763db037087820beed305c4d62957bbc32269d32c3967c34aecafc

SHA512
ff6ec4138c28efd5d274b5aae6c95d6733090d8ffa6068a64f51dfd07beb1f47d8795f5f271b39705186933022e6d107d2abb380427d5f7b7156fcdf2f484082

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\@tinyspeck\slack-desktop-utils\lib\binding\napi-v8\slackdesktoputils.node

Filesize
142KB

MD5
4afb770ecbd1313b9a48df232532284c

SHA1
50d75cb10bf9960b23cc498f8e5dc2d5fab8e259

SHA256
d13020bc83763db037087820beed305c4d62957bbc32269d32c3967c34aecafc

SHA512
ff6ec4138c28efd5d274b5aae6c95d6733090d8ffa6068a64f51dfd07beb1f47d8795f5f271b39705186933022e6d107d2abb380427d5f7b7156fcdf2f484082

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
6559d496900b9de3c5ec90081a727df2

SHA1
5881f3a70e0e1de294d5f8efc34f8f6425c87fcc

SHA256
4652ad363e657d05f85a2dd4498ed156c7bdcdc76665dc8031887ede78164bbf

SHA512
3908a38548f9921535a09ee3cf05e84b63ca51b1981672850e4186e4454f08b4276cb57be73f6e75ea8a972fe365e7b75fd7c02dfbb8eddc15d235783511c59d

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
6559d496900b9de3c5ec90081a727df2

SHA1
5881f3a70e0e1de294d5f8efc34f8f6425c87fcc

SHA256
4652ad363e657d05f85a2dd4498ed156c7bdcdc76665dc8031887ede78164bbf

SHA512
3908a38548f9921535a09ee3cf05e84b63ca51b1981672850e4186e4454f08b4276cb57be73f6e75ea8a972fe365e7b75fd7c02dfbb8eddc15d235783511c59d

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\electron-native-auth\build\Release\electron_native_auth.node

Filesize
122KB

MD5
6559d496900b9de3c5ec90081a727df2

SHA1
5881f3a70e0e1de294d5f8efc34f8f6425c87fcc

SHA256
4652ad363e657d05f85a2dd4498ed156c7bdcdc76665dc8031887ede78164bbf

SHA512
3908a38548f9921535a09ee3cf05e84b63ca51b1981672850e4186e4454f08b4276cb57be73f6e75ea8a972fe365e7b75fd7c02dfbb8eddc15d235783511c59d

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\file-handler-info\build\Release\file_handler_info.node

Filesize
118KB

MD5
79074b9ac6e59e9c7049579d76ba64eb

SHA1
e74194adb0d5682c658cc5d4a93dd496418d6a35

SHA256
b5aedd374ad54f322cc172b87a243365ca4a645255a23fea32cbe83b2c3c578d

SHA512
2bbfac140dc389a3bf6f210149f5d8e351e3b68a68726bb159592d531a3d098396fe61a2a4fcf1ed1bd0dc03026d8a231ae95a24e0247d72ec117175b5b2a6dc

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\file-handler-info\build\Release\file_handler_info.node

Filesize
118KB

MD5
79074b9ac6e59e9c7049579d76ba64eb

SHA1
e74194adb0d5682c658cc5d4a93dd496418d6a35

SHA256
b5aedd374ad54f322cc172b87a243365ca4a645255a23fea32cbe83b2c3c578d

SHA512
2bbfac140dc389a3bf6f210149f5d8e351e3b68a68726bb159592d531a3d098396fe61a2a4fcf1ed1bd0dc03026d8a231ae95a24e0247d72ec117175b5b2a6dc

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
e713a864ce7069564b1edee358f97ef9

SHA1
2217323b63175e468b6019ccc3bf5f2fc6b112ad

SHA256
a433947796bb5b6ac8dad4ef7fe8819177879d3445f45d1dcdba3ae0eb2ecce5

SHA512
c8c43bb31cc09a8bc5715e57761d154809d5311d9a24ab6792477a55f36d7b4d9c9ac9cfff8425e009c8f7893edf8325f72828fdaadbafc0ed441899bd06c494

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
e713a864ce7069564b1edee358f97ef9

SHA1
2217323b63175e468b6019ccc3bf5f2fc6b112ad

SHA256
a433947796bb5b6ac8dad4ef7fe8819177879d3445f45d1dcdba3ae0eb2ecce5

SHA512
c8c43bb31cc09a8bc5715e57761d154809d5311d9a24ab6792477a55f36d7b4d9c9ac9cfff8425e009c8f7893edf8325f72828fdaadbafc0ed441899bd06c494

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\app.asar.unpacked\node_modules\registry-js\build\Release\registry.node

Filesize
623KB

MD5
e713a864ce7069564b1edee358f97ef9

SHA1
2217323b63175e468b6019ccc3bf5f2fc6b112ad

SHA256
a433947796bb5b6ac8dad4ef7fe8819177879d3445f45d1dcdba3ae0eb2ecce5

SHA512
c8c43bb31cc09a8bc5715e57761d154809d5311d9a24ab6792477a55f36d7b4d9c9ac9cfff8425e009c8f7893edf8325f72828fdaadbafc0ed441899bd06c494

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\resources\slack.VisualElementsManifest.xml

Filesize
407B

MD5
65c570af6152c9a67fefb5e6f58ee91f

SHA1
3f36053c57c8ff634fbbc4c38912c75af041d7fe

SHA256
30f0bebabce27efef16580fbd9300eab27fd1ea7ab8123eb314fe9a83887637d

SHA512
106fa7daab27977f9efe7136579202679252e4e3bcfd373c2bec59c2462ec9ac76e90b54cd1fa89b1f7a72b411f5337a8854f193a332471fe3e5bd2a61f77346

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\slack.exe

Filesize
158.2MB

MD5
648b30bfaa6904c84f972284e7fbd849

SHA1
adf1158c793e1d64fac8056941940db561d8495a

SHA256
98c5b2b3ef9699dcb4e6e01d30ea164d9724ed807e76a0a37651e843b5edb2dc

SHA512
75f02ea1d294dbcee0d85e49afa8578e7f4e549b3c2fab8710fedbae74e18d8251a09740dc78f787277d9e64d0dc52f1f825cd40dbc92bce6a1a91306cc96867

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\squirrel.exe

Filesize
1.5MB

MD5
746e090dcdf5601d7a511d69b89cce07

SHA1
e264c49fa76e402ac9b2da469f69dc734612168d

SHA256
c0e5751fd2d019384be092f76754d8c18ab448af88baff6a8a8df01f98f27e44

SHA512
aa8cf18c125d9035394303302ea15694abaab86d192a741c09c3d3c55b30d814d96c84f1b38654b3a706e14c169b73fad2913fb504f6ed4c9cc91e714630f096

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\squirrel.exe

Filesize
1.5MB

MD5
746e090dcdf5601d7a511d69b89cce07

SHA1
e264c49fa76e402ac9b2da469f69dc734612168d

SHA256
c0e5751fd2d019384be092f76754d8c18ab448af88baff6a8a8df01f98f27e44

SHA512
aa8cf18c125d9035394303302ea15694abaab86d192a741c09c3d3c55b30d814d96c84f1b38654b3a706e14c169b73fad2913fb504f6ed4c9cc91e714630f096

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\v8_context_snapshot.bin

Filesize
581KB

MD5
b291a4e181d0fa1f65010e13b91c5187

SHA1
aa9b5f3665c02d4d3d77b1fc5cb5f052d1802db0

SHA256
535fe8389ba233e57182fac05f96f612d04187d3cf7ea8a2702e4e28878e97bb

SHA512
730269dd2a1a2fe889d470c2a71af03fa529b5346b2b24aea953843db9d080c541bfc548bc12dedbac052d62bf262b10ce88e75bf8815a7424262ca0d58f5afc

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\vk_swiftshader.dll

Filesize
4.9MB

MD5
ef63007b2cf1a2003cf0052551183023

SHA1
b93946dd445c24b028f7e7d9a5bcaedd481d751b

SHA256
7daa6d81d24816bf9141a5379afa8b663ec897e014384fd4feb2ac3743620363

SHA512
d6a41a57e7eb840487cb3bb801245b989a248afd2b26e0e6497a3c1a618274d676f1c559ba572e7f66d672413670572aa8c256f6ea519736b5a6028be09dd8d2

Download Submit
C:\Users\Admin\AppData\Local\slack\app-4.34.119\vk_swiftshader.dll

Filesize
4.9MB

MD5
ef63007b2cf1a2003cf0052551183023

SHA1
b93946dd445c24b028f7e7d9a5bcaedd481d751b

SHA256
7daa6d81d24816bf9141a5379afa8b663ec897e014384fd4feb2ac3743620363

SHA512
d6a41a57e7eb840487cb3bb801245b989a248afd2b26e0e6497a3c1a618274d676f1c559ba572e7f66d672413670572aa8c256f6ea519736b5a6028be09dd8d2

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\RELEASES

Filesize
79B

MD5
6062f2f5a88e3bbca71a44a53b1ea94f

SHA1
f41314745ec4307e3549ae5f73c170ab9c7e45b1

SHA256
df5beefdf35853697fc563c862563e29b0d8ad5ac3b3fd9e7795d88c7b878c8c

SHA512
fdfd11716f1e26a5e49ec23b195f661eb4aae98b32c71aab3c0577b509ba00ded1eb51000be4bc17bf6ea443bb32bdddde976d572dc0abd41af71584d527dbb1

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\RELEASES

Filesize
79B

MD5
6062f2f5a88e3bbca71a44a53b1ea94f

SHA1
f41314745ec4307e3549ae5f73c170ab9c7e45b1

SHA256
df5beefdf35853697fc563c862563e29b0d8ad5ac3b3fd9e7795d88c7b878c8c

SHA512
fdfd11716f1e26a5e49ec23b195f661eb4aae98b32c71aab3c0577b509ba00ded1eb51000be4bc17bf6ea443bb32bdddde976d572dc0abd41af71584d527dbb1

Download Submit
C:\Users\Admin\AppData\Local\slack\packages\slack-4.34.119-full.nupkg

Filesize
111.8MB

MD5
313d61bb91b55eee15017309c4772f0b

SHA1
10084278169228311377216f75f09f0fe04bb750

SHA256
7cd848224e496ad2a21069ed17520eeca8752f9c45eb917ff66417d737ee1b2c

SHA512
9cd8409a174d11573d517b87b09495d606e656e7c267b6ae709dcda4dcab08c0305aa185754e61a09e950c37638b4b54fdd682a91bef9ff91f278ac142ea1761

Download Submit
C:\Users\Admin\AppData\Local\slack\slack.exe

Filesize
303KB

MD5
d5c932142cd9f4c181e78b74cb9ea7b7

SHA1
6ea6e7506129ab49c4abb6929b47265b731a0041

SHA256
0edbee9a6bfe0cec949bdf182c8c137777fa1a5d21160768bfa75258ca36d79f

SHA512
0c87818179342fe2f6ae3dcd05f8a36de1b218d8e1064f65dc85d5fcdafc52cd50f0d90b22f7877778b1f17bde8ead5b89a04d5f848c84eb8ee0127a6594ad4a

Download Submit
C:\Users\Admin\AppData\Local\slack\update.exe

Filesize
1.5MB

MD5
b5bb52087330de17cc2ef4996adaa813

SHA1
91444500058b636edc23ce2edcebae697372d70a

SHA256
4c89d344f42e188b27e1950057a31dbba9d56254441dd61dbdca50363c1bf327

SHA512
eb7473c544018c11b885cfcbaa9d1bfdbe4a40e74b6ef7142eb05220bb37dfe83c63f5b2b613b568a1cf593e12388d2f15481433259e9695d3b2f41dbfd4eaf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\Local State

Filesize
434B

MD5
4d550d5ef4db8818cf33c53760101788

SHA1
ec8f01a02fa572872bc3c0c5c85c08054264fe97

SHA256
031f746ad4b475ee222af08107b1ae2c289d417c626e79c501bf14f0200be47d

SHA512
0caaf9e9e8af8e4826970b3a9804b3671f5b54f271d8ff4f0de45df10012b4eb480c1c0b577064aeb2adf7e737cda4fa307159f0e80cbd596e2f9c10e370ffa7

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\local-settings.json

Filesize
39B

MD5
7bfc3641e823cf3505b3753f6bc1b019

SHA1
ed86adde6366afed961644f7e1f4a22f588ac624

SHA256
dff6818b1484bef303f9940d7c92d8b49efc58dfad79eb23e2beb5be0c16c6b9

SHA512
5ea8f710cb000352533ff6de9d027c9d826047cd101e44a1f8af686a6d21480d0d0797a5152de70e4f70a0e47d01ab3f313e27baa20021c9c69e181e22d9e5a8

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\local-settings.json

Filesize
39B

MD5
7bfc3641e823cf3505b3753f6bc1b019

SHA1
ed86adde6366afed961644f7e1f4a22f588ac624

SHA256
dff6818b1484bef303f9940d7c92d8b49efc58dfad79eb23e2beb5be0c16c6b9

SHA512
5ea8f710cb000352533ff6de9d027c9d826047cd101e44a1f8af686a6d21480d0d0797a5152de70e4f70a0e47d01ab3f313e27baa20021c9c69e181e22d9e5a8

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\logs\default\browser.log

Filesize
824B

MD5
415c892c3ec9eb4d974c487cac7345dc

SHA1
17cfefe6cbb9985e4fd11166bef0592fc7809bba

SHA256
3b45af36ba316a2bd1d71a61b742487e52519360a8d4b1cb4db913a2b1742107

SHA512
dc12bbaa079bc5e3af0ae5aabe68eb230fef10c0e8441761e420302c2368885143fffd5bd3f9427135461ca0ba545804c1f8b40f08befb35daf4ff892736cea5

Download Submit
C:\Users\Admin\AppData\Roaming\Slack\storage\root-state.json

Filesize
3KB

MD5
8b751e5114784f7a5c42bc520f70ac9b

SHA1
6b9e6313ed797b544fb600a80140fde56795da4e

SHA256
7c6c38678602b04e19ce68a8b5250f2bbd62ae031bdac1ba3bc932d67db6f90b

SHA512
1e1e375a490b2b29faa063f85daa01fbf2613e1ab7e4353dbb60ccfbd3bbdc910872f135cbc882237361dd08bc99d315914976749c1e25eddc4fa3ee2fce22f3

Download Submit
memory/2700-337-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2700-314-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2700-313-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2700-319-0x00000000058F0000-0x0000000005910000-memory.dmp

Filesize
128KB

Download
memory/3316-499-0x0000026BE5160000-0x0000026BE5180000-memory.dmp

Filesize
128KB

Download
memory/3316-497-0x0000026BE5470000-0x0000026BE5490000-memory.dmp

Filesize
128KB

Download
memory/3316-495-0x0000026BE51A0000-0x0000026BE51C0000-memory.dmp

Filesize
128KB

Download
memory/3464-573-0x000001E8D9E60000-0x000001E8D9E80000-memory.dmp

Filesize
128KB

Download
memory/3464-575-0x000001E8D9E20000-0x000001E8D9E40000-memory.dmp

Filesize
128KB

Download
memory/3464-577-0x000001E8DA230000-0x000001E8DA250000-memory.dmp

Filesize
128KB

Download
memory/4020-533-0x00000159D08B0000-0x00000159D08D0000-memory.dmp

Filesize
128KB

Download
memory/4020-536-0x00000159D0870000-0x00000159D0890000-memory.dmp

Filesize
128KB

Download
memory/4020-537-0x00000159D0C80000-0x00000159D0CA0000-memory.dmp

Filesize
128KB

Download
memory/4104-433-0x00007FFE55F70000-0x00007FFE55F71000-memory.dmp

Filesize
4KB

Download
memory/4104-434-0x00007FFE567B0000-0x00007FFE567B1000-memory.dmp

Filesize
4KB

Download
memory/4164-7-0x0000000000F50000-0x00000000010C8000-memory.dmp

Filesize
1.5MB

Download
memory/4164-272-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4164-8-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4164-261-0x000000000B440000-0x000000000B478000-memory.dmp

Filesize
224KB

Download
memory/4164-263-0x000000000B410000-0x000000000B41E000-memory.dmp

Filesize
56KB

Download
memory/4164-357-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4164-347-0x0000000006D70000-0x0000000006E02000-memory.dmp

Filesize
584KB

Download
memory/4164-9-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/4164-278-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/4292-558-0x000001C289690000-0x000001C2896B0000-memory.dmp

Filesize
128KB

Download
memory/4292-556-0x000001C289280000-0x000001C2892A0000-memory.dmp

Filesize
128KB

Download
memory/4292-553-0x000001C2892C0000-0x000001C2892E0000-memory.dmp

Filesize
128KB

Download
memory/4632-275-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4632-367-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4632-288-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/4632-273-0x00000000008F0000-0x0000000000A72000-memory.dmp

Filesize
1.5MB

Download
memory/4632-291-0x0000000002D00000-0x0000000002D10000-memory.dmp

Filesize
64KB

Download
memory/4792-516-0x0000019228200000-0x0000019228220000-memory.dmp

Filesize
128KB

Download
memory/4792-514-0x0000019227B50000-0x0000019227B70000-memory.dmp

Filesize
128KB

Download
memory/4792-512-0x0000019227B90000-0x0000019227BB0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads