Resubmissions
02/03/2024, 23:24
240302-3dxh7sac7x 702/03/2024, 23:23
240302-3dfkpaag29 102/03/2024, 23:20
240302-3br6psac5v 602/03/2024, 23:18
240302-3acdvsac4w 802/03/2024, 23:12
240302-2663nsac2y 1Analysis
-
max time kernel
103s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/03/2024, 23:18
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.google.com/
Resource
win10v2004-20240226-en
General
-
Target
https://www.google.com/
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538951127437666" chrome.exe -
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{DFF4091D-BDAB-4991-80E7-26486C5E3884} explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{C1A56D66-2A9D-41B4-A83D-5B698136ACDA} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{9D1B6855-F5F9-46A8-AA8C-D9D4C726FBDC} msedge.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4024 chrome.exe 4024 chrome.exe 764 msedge.exe 764 msedge.exe 3444 msedge.exe 3444 msedge.exe 2720 identity_helper.exe 2720 identity_helper.exe 4312 msedge.exe 4312 msedge.exe 1480 msedge.exe 1480 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3476 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 4024 chrome.exe Token: SeCreatePagefilePrivilege 4024 chrome.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 3476 explorer.exe Token: SeCreatePagefilePrivilege 3476 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe Token: SeShutdownPrivilege 4720 explorer.exe Token: SeCreatePagefilePrivilege 4720 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 4024 chrome.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3444 msedge.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 3476 explorer.exe 4720 explorer.exe 4720 explorer.exe 4720 explorer.exe 4720 explorer.exe 4720 explorer.exe 4720 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1368 StartMenuExperienceHost.exe 3156 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4024 wrote to memory of 4884 4024 chrome.exe 86 PID 4024 wrote to memory of 4884 4024 chrome.exe 86 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 1352 4024 chrome.exe 90 PID 4024 wrote to memory of 4208 4024 chrome.exe 91 PID 4024 wrote to memory of 4208 4024 chrome.exe 91 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92 PID 4024 wrote to memory of 3964 4024 chrome.exe 92
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.google.com/1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cf599758,0x7ff8cf599768,0x7ff8cf5997782⤵PID:4884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:22⤵PID:1352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:82⤵PID:4208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:82⤵PID:3964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:12⤵PID:2580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:12⤵PID:464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:12⤵PID:4920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:82⤵PID:2088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1880,i,7166151925092308680,11383908116482682638,131072 /prefetch:82⤵PID:3092
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff8ced546f8,0x7ff8ced54708,0x7ff8ced547182⤵PID:4092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:22⤵PID:648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:2860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:12⤵PID:2456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵PID:4476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:12⤵PID:3320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:12⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵PID:3596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵PID:1332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5496 /prefetch:82⤵PID:948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵PID:4840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵PID:1632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:12⤵PID:1320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵PID:4444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3792 /prefetch:82⤵PID:5076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵PID:3596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,11297853462879289605,4049664888644776602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2484
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2080
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\677f32100aa6401d9e0ce75e79e7f826 /t 3576 /p 34961⤵PID:4712
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3476
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1368
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4720
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3156
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5108
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4388
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5048
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4368
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4956
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3752
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
195KB
MD589d79dbf26a3c2e22ddd95766fe3173d
SHA1f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6
-
Filesize
144B
MD5d893f44a1d9385ea14de19f5fe94cd6e
SHA19381806beabbde7bdafaa8fecaa989b9721a5f74
SHA25649e4a92ff0f75d989de88a3ff35ff0e3149fbdf967996062a557c2f737cf6a3b
SHA51289c0617d21b47588d59505ecdb88adc596940ba0ce1e7dbe38233b4275aac9f3fd12fc34d9c0f3535ad1b9dfc56c9076b32fb4dd85ae90c314aadf98a77cc958
-
Filesize
1KB
MD5343c667693d38cdc53f43b680c9569d1
SHA1af9dbea275b7645cfb4318feb6351875a70f17d5
SHA256331c5468267a64a361dedd4eee4fef7c7afa3c0327f5b626a1f57d98ee284d3b
SHA5124ffa59b21f38b22c3c89c40f239de6998e95bd0d4bee8df157d469fdece44bea00039e86de9e3b39daf9e192d9c7174488165ccaca5a8219ac552af3e8e4817b
-
Filesize
371B
MD56d6010dca756a3caab03f34ab78c203f
SHA1812702bf880cf5d46a25921713149ae7a50274f3
SHA2569a50812275afc171be2bd38c1832bd926a883870d3d0a837c970feba2db22e51
SHA512bd30d780158b522423aac42e0096392f4a9e881733c98e29657977a029611b6fa463f9e659d1b298f45fb0c385c31742fd7e8aa88177d3fa5aa37a8813ab3f76
-
Filesize
6KB
MD5c4cff8b6284c42c3fb045ca9d8664b1f
SHA1b18846422531f5a9bb6db7a2860c5d98c1c6d80b
SHA256a3cacfc5608f5045ce8ab003c4976f39d043202732a7aac453a1031c9c7dcc06
SHA512a1f7970021514c7c15197f0bd420d34f27b5a35092d3d55d61877b66726cd616827113950da2f1a1b4805b75e47a9b41a66fab2d0b0a77ef67f47ea90822804e
-
Filesize
6KB
MD5a5543e3757ace8ff9b7aff32aaee6921
SHA12fbfba775e4a73f8326cb3c9fb84f06778a4431b
SHA2561355547c1ca383169f39682f3cae3fe1ba604ebb8baca26f267ec248e716beab
SHA51267ca73c3d2c3c3f0109bdbf64548d9d247cf92a56b04204e7af647fc4068df580d4c7723c1076a41e5a37b498250f313086227c9d495137649b4ea83d9ac9575
-
Filesize
128KB
MD51a9056937db0baf5336f0e9209bf00ff
SHA1a4e1199667b0b10c1b9aac2d9a54142adf1b16f4
SHA256cf160fcdc69c4beab03b934183df104da96100d23814ca55cca157d5934f11b8
SHA5129f16153de0d244659df349e8a97b24704c8e744f1c698b487d69dfe7e8d37724a2cf690c45b9f1a0e9be813136b10ae946e168c7a8e24d7fd4b6d282c4065a3d
-
Filesize
128KB
MD536f8c8eac4361417a47acc73063fbeb0
SHA110e7478abd76f1f05f1bd2fcbcdb00b0556570ea
SHA2562b5c3e517d0675498c4cd0138d700bd742af341130622f969257cd571fadc86a
SHA51222d8ff0c7d890a0bfc92c1a40449f209cec4453fa62bf412511773ba0f4931ac797ec886f162b3d18fa0c3aaf2629cb23ce8fe367ac8408980f809bd851543b2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
-
Filesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5aa46451d5407d33526ad41dd5086ef2e
SHA189f7bcbb466b258dacec5d7e6bc11634a54d3389
SHA2561c59590e644b0113487e858fa8967671bd4b629a24f9c3031d3707e021d5756c
SHA51242fc24cf9d633359770b1b5878b481b030d806bbadd181d89e030d9e5f283c1edd45da8d937fc874472a3d44198c234f9f776b8de3d904713c799999bc68dc7b
-
Filesize
1KB
MD50a41a6ab4425fb68264448e832ddb63b
SHA1441b33580d375c83c8b86d21f3c329a5e97bc6f2
SHA256a32c085bf964c47065ec49c91eebf14d971dc303c329fefdb8b187308581c270
SHA512811f8f913f83dd6bb884156bf239843e517d7fb6f37e6df053d86005ee59de71954477024f4e3ce6656926bf00a5d5b535cadeaa215843d33cff6f01a565febb
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD5250f977e3b9a67fdaad45a53b4bcef2f
SHA107224388650422d015b5d9b186f327d60a966fbb
SHA256d436b0568e5268805d94e474740a76c630a6dba8638d4cf369b031a478c6112f
SHA51282900d5e0a594b208752f8038d8d5725afd3cf759462f6da2108f0789b9ba5538ec28e1a2eb0f0da23f4c20d333726a24157e2a71319b7c1e30a5e116e325084
-
Filesize
7KB
MD5292d7a399c1784c8f4a56f62a66d7cd0
SHA1dde2ba910882b3b59ed957735207cd45b882a5da
SHA256ae1d10aed3806f5c0ff765feaf6d3b56467082d2fc6361c8b16d92b5ff2c057b
SHA512959b0b6fa22a28c1d223ee2bf17db3fae09409c470411e72faf18217292c3d35f1480ba36b30c392e1982812d868f38e906bb30876ec4a6bbce6bb38cbe1a92c
-
Filesize
6KB
MD53d39f2b5425df1ba9f91e1a4bdd4779d
SHA1c7c5567af0d4a29410de8da75c1135d2d1ff3d50
SHA25622f6a302cb6a7eb1f6483e326e4eb125985ada693d8a8be4c8765d4ad869bbe6
SHA512013c4853fb1bcbbba4d70e4e7aef24d207dcd7578d941a59d621094def5f14b9928b85285c908aba449c6c30ef7f814331db0a26fcbcfbab7cac9439c97fa8d3
-
Filesize
7KB
MD5b431be58876068a5b01c2de8e6973e8a
SHA1c8befd7f8f888cb7d76a9844f44d10affb1ca2e3
SHA256ad0f40b6a1e38c40b948301fe85008d3e79b02a65f7de1d0c17f4843a30bcf00
SHA512b241dad4b177e712c9b255edcbd5a837917467a1c0d90ed6fe7f8691fb6f28b010ce5223ba54471a8953262616207f232155f60506a6c4b173b7ff97d62dcd6a
-
Filesize
7KB
MD5602a415d70beb3c453c91ca1942452bd
SHA10d1b41ce1f71032c695991afe22fd68c64eeb46f
SHA2565b471baadaf30cc334a11acf3e13b4dd5d80f2a5c69b0c31a4eaa759421aaec7
SHA512e3dbe673e2600c7c581fe576692fe0b5b9f84883ef33cd48190f5d02e483b7af37a8af54756b3066c022e1fd776b2ce38e78e0c63bfeea6e66ca9ae9972f6485
-
Filesize
7KB
MD5d2cb43ed644169eb51fda43469b9f981
SHA1f4265a18f3baa8171acc0a234169a9ea6eeb6722
SHA2560e8befea0f58f0ac6e3e95bfbc53d39889480d03d433b01c692658b73bd46270
SHA512cc57c14fd300ec4e7d96221969e3793f5fe2bc41e702c1ff80438c6789dd26bb789552e468ea91d5860843ceb415f7fa6232d90bb90a36406fb3b9e44f31cf90
-
Filesize
1KB
MD500c9be75f31453a58d73dcff0446f1d8
SHA14f0fa863ef71a0b729491e2761c312500dbb1916
SHA2565ed0d4f22918f20ca0d7e348d5663cdcd30bdc370bf5ad40e1f3eec0c7eb29d1
SHA512cd0b768fd8379b58551ea67c1e36f5f1bdac8f2e6f27bab7d1db3282d3b3ded967b2eca6645ecef1ba86952d13591b5671c7a296f30bc625fc122efa16d962b4
-
Filesize
1KB
MD57ee7f014c410e21dff9b4927ca7e7b1a
SHA1d7636dcffa1d623dcb38bef7ecc32106413700aa
SHA256df3dcc22f75ce58ec8593fe7f8e747a0f7fbeed82526cec16335d8c7b2ae2deb
SHA51262de92a0d0f793f8414574abe22c494d97e4b2e8f399276d3130af600ead0a73b17d9f3b8dacfbdf57fae250d903dcd468edc30e18b23a6b0540f0f869b0b320
-
Filesize
1KB
MD535a69a1d0e804f05da6bb75e3c2c7edf
SHA17dbb464a1a7ebf344edc9dededc037baaaaa7e76
SHA25605c079c12fbb6c7f0bc9d7df8fc7fb5f0f8099c222018e293eaa6e02a901164f
SHA51281d364c9839b45029d3912f4b98ce825fd0387baa6334c833e340300f8849fbd3d353aea25598ce5cc5c9f84e1b47d88efe2e59c157b153fe23ace118040bea8
-
Filesize
873B
MD5d4fbac8a42f750b09b8e463c1559aab5
SHA17ab2562820ac8369b04983680d89dae733955a10
SHA25671328e689363fe1311013cd39c4a2714dabd9872f958af3e01e83c00b24e2421
SHA512a5dcb02745deea46c93bfb30ec279a72ebc434ff0b0af49d360a0b69162eed331f1d66ac0189e868113307ef8e72f556586f2d29e2ea17ea9627d159fbf07699
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53c4e75feacc39c6f3738fb64170d6081
SHA1cafe167e98b04c520da296acd0bb3a91ebdeddb4
SHA2566152fcaa51ec2b046b3aaefa63a5914dc2953dc2269fe751ec1a2f84282d7116
SHA512dcea21526cca99bde116e40131589284a17d200677a3e1dbf130c48f39ffe1deb3f51acfe9d8955577d3f762c701e698b72da833c2e439ddb3a0c194d5e3006a
-
Filesize
12KB
MD5961fafc85d0f38f2bde20660391720d0
SHA1e1a003b1841592ba56391bf50716a67c26ef4d60
SHA2565d8288d70bfadf8cde4c5e8af799757c3d4dc772fcdca25041d6f4f9c2b89d41
SHA51272e19c735febd09b6d514b710457a19f00d680c00a9e16926100a383dba34dd9b3bd23d9e2f8e477b5228409cf60beff2f8e5338536de73b17596554dd42ea6c
-
Filesize
12KB
MD5ef52b51705acb0307cc3d1f2ace72d4a
SHA18fbf7b996d860ebbb1f3688c93941850052b98bc
SHA2565a21d4ef19a82eb146f56862e7a6a941fcd444892675ecf6efde951c736b25b7
SHA512cce79a8a2487cc0d8a329502de0ae2d4c5f021f56f9869fa88fb453b21c6639cc458bdfca346767b1e53b9b8caaf75c56b8fe3f577870db1cd406c86170c326b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133538952165196963.txt
Filesize75KB
MD5e99ff4c8e55ef521ea025982a54888e3
SHA1c00b34b71cdbd476ae55969b0e6fc49f3be5c0cc
SHA256387b81b8a12110ff19c04a4c50d141404459510fb4f0b1af2c81709ee4bc5f13
SHA512730d39a125ac48968a3d26a114aaf88d7e16168b194ce9fd7827b0503f80ebd25c345bfc7b70c22771a8aeccab558b3c39379edc6c1abfb409b15be29d52b3cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD5f47aacd1eeef1a8d7349d1192033af38
SHA120788b7bd6453a657dc8deec29ff47dccb075106
SHA2566aaeadafcc6b36b6059e03be5d6f8bd3b0605e36b641d4f997e078e3fe212d54
SHA5124b1bd062037490aedd9a2d4491f9282a5f8017dd710193bd76a7fd5cd64e0955adcaeaecf2f7d7e309b36c1a27b8692b2d8ecb2d9c7e8925f2ae5a5d38c71197
-
Filesize
31KB
MD5743b44c0fc9f2e3773f1fec13a6e5ccc
SHA1a3a597d14d166a70ebc92af81e34d2beff61fdbd
SHA2568b79f7d48f5178b2cf887a06a18d8d010ed588a9d4cbc4e1b0f8f06f25a42a68
SHA512b7d564287a479a9b77d8b3b46437a361390b11b798c31c2d28e4ffb83952e9aad0a794f2613c7da7b2cddf5706826db23f6a549519bb00d86e65239d0a049c2a