Overview
Analysis
- max time kernel: 580s
- max time network: 601s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:50
Static task: static1
Behavioral tasks (sample, resource image):
- behavioral1: Office_2013-2024_C2R_Install/OInstall.exe (win10v2004-20240226-en)
- behavioral2: Office_2013-2024_C2R_Install/activate.exe (win10v2004-20240226-en)
- behavioral3: Office_2013-2024_C2R_Install/files/Configure.xml (win10v2004-20240319-en)
- behavioral4: Office_2013-2024_C2R_Install/files/Uninstall.xml (win10v2004-20240226-en)
- behavioral5: Office_2013-2024_C2R_Install/files/x64/cleanospp.exe (win10v2004-20240226-en)
- behavioral6: Office_2013-2024_C2R_Install/files/x64/msvcr100.dll (win10v2004-20240226-en)
- behavioral7: Office_2013-2024_C2R_Install/files/x86/cleanospp.exe (win10v2004-20240226-en)
- behavioral8: Office_2013-2024_C2R_Install/files/x86/msvcr100.dll (win10v2004-20240226-en)
General
- Target: Office_2013-2024_C2R_Install/OInstall.exe
- Size: 7.6MB
- MD5: 0160ee7f90b074e1260437094298a55b
- SHA1: 79f83fef9915440925e7f87c7ef4db535299aeec
- SHA256: cc389c8aeb7a90d81aba8d18ee5e01a9700b6016d58eeb35706c5ac0d95f0b7a
- SHA512: 5c652937989d2c8453b453724c6582aca7f84f5f4007e096947b532e0ee60ff496d684b284ae7224de18b751d303ea8b1acf9e5419d183030781943db5423e35
- SSDEEP: 196608:Ea504j1o2h2JdZhzTQIDHeLr9ex044sA+3VOhXbei29w:zqA17YJdZhzEIDQg6ERVsiTi
Malware Config
- Extracted URL: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
This is the URL the PowerShell child of OInstall1.exe downloads to C:\Users\Admin\AppData\Local\Temp\ver.txt (see Processes). officeapps.live.com is a Microsoft-operated domain, so the "Malware Config" heading records where the sandbox found the URL, not that the endpoint is attacker-controlled.
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: powershell.exe (PID 1340), network flow 310
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence.
  Process: OInstall.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  Processes: OInstall1.exe (PID 4148), Davonevur.exe (PID 1576)
- Drops file in System32 directory (11 IoCs)
  Process: svchost.exe (the DsSvc instance, PID 3104). Every path is under C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\:
  File opened for modification: DSTokenDB2.dat
  File opened for modification: DSS.jcp
  File opened for modification: DSS.log
  File opened for modification: DSS.jtx
  File created: DSStmp.log
  File created: DSSres00001.jrs
  File created: DSTokenDB2.jfm
  File opened for modification: DSS.chk
  File created: DSSres00002.jrs
  File created: DSS.chk
  File created: DSTokenDB2.dat
  The .jtx/.jrs/.chk/.jfm names are ESE database log, reserve-log, checkpoint and flush-map files, and the writer is a top-level service host that the sample did not spawn (see Processes), so this is the Data Sharing Service maintaining its own store rather than a drop by the sample.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Process: activate.exe (PID 4372), two calls
- Drops file in Windows directory (2 IoCs)
  Process: expand.exe (PID 3044)
  File opened for modification: C:\Windows\LOGS\DPX\setuperr.log
  File opened for modification: C:\Windows\LOGS\DPX\setupact.log
  These are the DPX (package expander) logs that expand.exe writes on every run; the files it actually extracted went to C:\Users\Admin\AppData\Roaming\ServiceData (see its command line under Processes).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe (PID 2840), a top-level process in the tree that the sample did not spawn, so this is not sample behaviour.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments. Of the three processes below only activate.exe belongs to the sample's tree; EXCEL.EXE and taskmgr.exe are top-level processes the sample did not spawn.
  EXCEL.EXE:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  taskmgr.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  activate.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  The task here is \Service\Data, created by schtasks.exe (PID 4088) two levels under activate.exe: scheduled once at 00:01, repeating every minute (/ri 1) for a duration of 9800:59, with the action C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe and Davonevur.jpg as its argument (full command line under Processes). Davonevur.exe later appears as a top-level process (PID 1576) with exactly that argument.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: EXCEL.EXE (a top-level process the sample did not spawn)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Modifies Internet Explorer settings
  Processes: iexplore.exe (PIDs 2160 and 116) and their IEXPLORE.EXE content processes (PIDs 2976 and 4232). Both browser trees are top-level entries opened on files from the analysis VM's Desktop, not children of the sample. In the rows below, IE\ stands for \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\ (the report writes the hive path with mixed case; the registry is case-insensitive).
  Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created IE\MINIE (iexplore.exe)
  Set value (int) IE\Recovery\AdminActive\{25DCA3EE-F519-11EE-ABF1-CA9969386483} = "0" (iexplore.exe)
  Key created IE\Main\WindowsSearch (iexplore.exe)
  Set value (int) IE\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Set value (int) IE\VersionManager\LastUpdateHighDateTime = "31099173" (iexplore.exe)
  Set value (int) IE\VersionManager\LastCheckForUpdateLowDateTime = "4198903538" (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e181000000000200000000001066000000010000200000007714dd86b42fe1b6f1447109b12bec1b1ee334ab325c60194fb9bd3bac2c96a1000000000e8000000002000020000000a536f17f8da8e8d56e55723a1fc8475b57ed511d6d5d1af80f8e703333167dba20000000b3401590b14c72d26190aa9e9ee00330aae38c07360e089e2a0c6cd398f24c5940000000c57db25b3ac5ab7a72fd10e5bf13dc6aa94f44b1cbca9e44465484801dd00cafd45275f333260549cb1aa982228eb4a9972112c0c17356586ce5e39a5ebb2bd2 (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e18100000000020000000000106600000001000020000000bfdeff215914762b50779bdac5d7eb06ed50a50a83081d66b725eb4d7668a8e0000000000e800000000200002000000058a2472cc1ca861359e197ab6a3982cc6c54efc1ebc424d4921379bba94c6bab200000005306260eb8e1b7f4ba1f6d35718909568c6cb17a775c8ba69b2f6be9808a633e40000000de59abb68e1acf0f67fce27cad6b1ecfa246bff76f7311d489470625fd56080d24130d29ad7b5f194e1a000a636c37eca0baa1d453ccf24694b4c34561c0dcd1 (iexplore.exe)
  Key created IE\Main (iexplore.exe)
  Set value (int) IE\Recovery\AdminActive\{25D7DF3F-F519-11EE-ABF1-CA9969386483} = "0" (iexplore.exe)
  Key created IE\Recovery\AdminActive (iexplore.exe)
  Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
  Set value (int) IE\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
  Key created IE\VersionManager (iexplore.exe)
  Set value (int) IE\VersionManager\LastUpdateLowDateTime = "4198903538" (iexplore.exe)
  Set value (int) IE\VersionManager\LastCheckForUpdateHighDateTime = "31099173" (iexplore.exe)
  Key created IE\Main (IEXPLORE.EXE)
  Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
  Set value (int) IE\MINIE\TabBandWidth = "500" (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = 4068effa2589da01 (iexplore.exe)
  Key created IE\MINIE (iexplore.exe)
  Set value (int) IE\VersionManager\LastUpdateHighDateTime = "31099173" (iexplore.exe)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created IE\IESettingSync (IEXPLORE.EXE)
  Set value (int) IE\MINIE\TabBandWidth = "500" (iexplore.exe)
  Set value (int) IE\VersionManager\LastCheckForUpdateHighDateTime = "31099173" (iexplore.exe)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created IE\IESettingSync (IEXPLORE.EXE)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created IE\Recovery\AdminActive (iexplore.exe)
  Set value (int) IE\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
  Set value (int) IE\VersionManager\LastCheckForUpdateLowDateTime = "4198903538" (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = 503ce8fa2589da01 (iexplore.exe)
  Set value (int) IE\VersionManager\LastUpdateLowDateTime = "4198903538" (iexplore.exe)
  Key created IE\TabbedBrowsing (iexplore.exe)
  Set value (data) IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 (iexplore.exe)
  Key created IE\Recovery\PendingRecovery (iexplore.exe)
  Key created IE\TabbedBrowsing\NewTabPage (iexplore.exe)
  Key created IE\VersionManager (iexplore.exe)
  Set value (int) IE\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
  Set value (int) IE\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
  Set value (str) IE\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
  Set value (data) IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created IE\Main\WindowsSearch (iexplore.exe)
  Key created IE\Main (IEXPLORE.EXE)
  Key created IE\Main (iexplore.exe)
  Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created IE\Recovery\PendingRecovery (iexplore.exe)
  Key created IE\GPU (IEXPLORE.EXE)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Modifies registry class (1 IoC)
  Process: mspaint.exe (PID 3180)
  Key created: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: notepad.exe (PID 4696), opening C:\Users\Admin\Desktop\OptimizeSearch.reg. This notepad.exe is a top-level process, not a child of the sample, and nothing else in the report (no dropped note, no file-encryption activity) supports the ransom-note reading of the heuristic.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE (PID 1000), EXCEL.EXE (PID 3004)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (entries each): activate.exe PID 4372 (2), taskmgr.exe PID 2840 (3), mspaint.exe PID 3180 (2), powershell.exe PID 1340 (3)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  taskmgr.exe (PID 2840): SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
  WMIC.exe (PID 2236), the same set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe (PID 3944): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (list cut off at the 64-entry cap)
  The two WMIC.exe instances are the children of OInstall1.exe that add Defender exclusions (see Processes); the long privilege list is what WMIC enables on its own token at startup, not something the sample requested per privilege. The numeric entries are privilege LUIDs the report did not resolve to names (in winnt.h, 33 through 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
- Suspicious use of FindShellTrayWindow (31 IoCs)
  Processes: taskmgr.exe PID 2840 (29 entries), iexplore.exe PID 116, iexplore.exe PID 2160
- Suspicious use of SendNotifyMessage (29 IoCs)
  Process: taskmgr.exe PID 2840 (29 entries)
- Suspicious use of SetWindowsHookEx (38 IoCs)
  Processes (entries each): mspaint.exe PID 3180 (1), OpenWith.exe PID 1140 (1), iexplore.exe PID 116 (2), iexplore.exe PID 2160 (2), IEXPLORE.EXE PID 4232 (4), IEXPLORE.EXE PID 2976 (4), EXCEL.EXE PID 1000 (14), EXCEL.EXE PID 3004 (9), OInstall1.exe PID 4148 (1)
- Suspicious use of WriteProcessMemory (37 IoCs)
  Each row is the writing process, the target process and the number of writes recorded. Every pair is a parent and the child it spawned (compare the process tree), the pattern of a parent setting up a newly created process rather than injection into an unrelated one.
  3092 OInstall.exe -> 4372 activate.exe (3)
  116 iexplore.exe -> 4232 IEXPLORE.EXE (3)
  2160 iexplore.exe -> 2976 IEXPLORE.EXE (3)
  4372 activate.exe -> 1820 cmd.exe (3)
  1820 cmd.exe -> 3044 expand.exe (3)
  4372 activate.exe -> 1632 cmd.exe (3)
  1632 cmd.exe -> 4088 schtasks.exe (3)
  3092 OInstall.exe -> 4148 OInstall1.exe (3)
  4148 OInstall1.exe -> 2944 cmd.exe (2)
  4148 OInstall1.exe -> 5072 reg.exe (2)
  2944 cmd.exe -> 2236 WMIC.exe (2)
  4148 OInstall1.exe -> 2504 cmd.exe (2)
  2504 cmd.exe -> 3944 WMIC.exe (2)
  4148 OInstall1.exe -> 1340 powershell.exe (3)
Processes
Indentation follows the sandbox's depth markers (1⤵ to 4⤵): each entry is a child of the nearest less-indented entry above it. Only the OInstall.exe tree is the sample's own activity. The other top-level entries (taskmgr.exe, mspaint.exe, the DsSvc svchost.exe, OpenWith.exe, both iexplore.exe trees, notepad.exe and both EXCEL.EXE instances) are not children of the sample and open files that were already on the analysis VM's Desktop, so signatures attributed to them describe the environment, not the sample. Davonevur.exe at the end is also top-level with exactly the argument the \Service\Data task specifies, which is consistent with the Task Scheduler having started it. The Sysnative paths in OInstall1.exe's command lines are the WoW64 alias for the 64-bit System32, i.e. a 32-bit OInstall1.exe deliberately launching 64-bit cmd.exe and reg.exe.

[1] C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall.exe (PID 3092)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe (PID 4372)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1820)
        cmdline: "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\expand.exe (PID 3044)
          cmdline: expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
          - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1632)
        cmdline: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 4088)
          cmdline: schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
          - Creates scheduled task(s)
  [2] C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe (PID 4148)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 2944)
        cmdline: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2236)
          cmdline: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe (PID 5072)
        cmdline: "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\cmd.exe (PID 2504)
        cmdline: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 3944)
          cmdline: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files"
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1340)
        cmdline: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\system32\taskmgr.exe (PID 2840)
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[1] C:\Windows\system32\mspaint.exe (PID 3180)
    cmdline: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompareReset.jfif" /ForceBootstrapPaint3D
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\svchost.exe (PID 3104)
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    - Drops file in System32 directory
[1] C:\Windows\system32\OpenWith.exe (PID 1140)
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\Internet Explorer\iexplore.exe (PID 2160)
    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\EnterEnable.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2976)
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\Internet Explorer\iexplore.exe (PID 116)
    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CompareReset.jfif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4232)
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:116 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\notepad.exe (PID 4696)
    cmdline: "C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\OptimizeSearch.reg"
    - Opens file in notepad (likely ransom note)
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3004)
    cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResizeSet.xltm"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1000)
    cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RestartGrant.csv"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
[1] C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe (PID 1576)
    cmdline: C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
    - Executes dropped EXE
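The activate.exe and OInstall1.exe command lines in the tree are the part of this report worth turning into detection logic: a CAB expanded into %APPDATA%, a once-scheduled task that repeats every minute and runs from %APPDATA%, Defender exclusions added through WMIC's MSFT_MpPreference class, Windows Script Host re-enabled with reg.exe, and a PowerShell WebClient download. The Python below is an added example, not part of the sandbox report or of the sample: it rebuilds the report's command lines as constructed process-creation records (image name plus command line, as a Sysmon event 1 or Security 4688 record carries them) and runs rule checks over them. RECORDS, win_argv, schtasks_action, detect, scan and the rule names are this example's own. win_argv splits a command line the way the Microsoft CRT does (the 2008-and-later variant of its rules), which is what resolves schtasks' quadruple-quoted /tr value into the action "...\Davonevur.exe" "...\Davonevur.jpg" that Davonevur.exe is later seen running with; the older CRT/CommandLineToArgvW variant of the "" rule differs only in whether quoted mode continues after the literal quote, which does not change the result for this command line.

```python
"""Detection rules for the process chain in this sandbox report, run over
constructed records.  Added example; not code from the report or the sample."""
import re

# Constructed records (image, command line): the command lines are copied from
# the Processes section of the report; the notepad.exe entry is a benign control.
RECORDS = [
    ("expand.exe",
     r'expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"'),
    ("schtasks.exe",
     r'schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f'),
    ("WMIC.exe",
     r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"'),
    ("reg.exe",
     r'"C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f'),
    ("powershell.exe",
     r'''"powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"'''),
    ("notepad.exe",
     r'"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\OptimizeSearch.reg"'),
]


def win_argv(cmdline):
    """Split a Windows command line into argv with the CRT's argument rules
    (post-2008 variant): a run of backslashes is literal unless it precedes a
    quote, where 2n backslashes become n and 2n+1 become n plus a literal
    quote; inside a quoted run '""' is one literal quote; any other quote
    toggles quoted mode; unquoted space/tab ends the argument.  argv[0] is
    treated the same way, which is fine for the tokens in this report."""
    args, cur, in_quotes, pending = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:                     # odd run: the quote is escaped
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)          # backslashes not before a quote are literal
            i, pending = j, True
        elif c == '"':
            if in_quotes and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')                 # "" inside quotes -> literal quote
                i += 2
            else:
                in_quotes = not in_quotes
                i += 1
            pending = True                      # "" alone still yields an (empty) argument
        elif c in " \t" and not in_quotes:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
            i += 1
        else:
            cur.append(c)
            i, pending = i + 1, True
    if pending:
        args.append("".join(cur))
    return args


def switch_value(argv, name):
    """Value following a /switch (case-insensitive), or None."""
    for i in range(len(argv) - 1):
        if argv[i].lower() == name:
            return argv[i + 1]
    return None


def schtasks_action(cmdline):
    """For `schtasks /create`, the command line the task will run (the /tr
    value with schtasks' own quoting layer removed); otherwise None."""
    argv = win_argv(cmdline)
    if len(argv) > 1 and argv[1].lower() == "/create":
        return switch_value(argv, "/tr")
    return None


def detect(image, cmdline):
    """Return the names of the rules a process-creation record triggers."""
    hits, img = [], image.lower()
    argv = win_argv(cmdline)
    low = [a.lower() for a in argv]
    if img == "wmic.exe" and "msft_mppreference" in low and "add" in low \
            and any(a.startswith("exclusionpath=") for a in low):
        hits.append("defender_exclusion_via_wmic")
    action = schtasks_action(cmdline) if img == "schtasks.exe" else None
    if action:
        target = win_argv(action)               # a task action is itself a command line
        if target and "\\appdata\\" in target[0].lower():
            hits.append("schtasks_action_in_appdata")
        if (switch_value(argv, "/sc") or "").lower() == "once" and switch_value(argv, "/ri"):
            hits.append("schtasks_once_with_repetition")
    if img == "reg.exe" and "add" in low \
            and any("windows script host\\settings" in a for a in low) \
            and (switch_value(argv, "/v") or "").lower() == "enabled" \
            and switch_value(argv, "/d") == "1":
        hits.append("wsh_enabled_via_reg")
    if img == "powershell.exe" and re.search(r"net\.webclient.*downloadfile\s*\(", cmdline, re.I):
        hits.append("powershell_webclient_download")
    if img == "expand.exe" and any("\\appdata\\" in a for a in low[1:]):
        hits.append("expand_into_appdata")
    return hits


def scan(records):
    """Map record index -> rule hits, omitting records that trigger nothing."""
    out = {}
    for i, (image, cmd) in enumerate(records):
        hits = detect(image, cmd)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for i, hits in scan(RECORDS).items():
        print(RECORDS[i][0], "->", ", ".join(hits))
```

Run as a script it prints the hits per record; on real telemetry, feed the Image/CommandLine pair of each process-creation event into detect(). The schtasks rule parses the /tr value a second time on purpose: the task action is a command line of its own, and the binary that will run is its first token, which is the only reliable place to test for a user-writable directory.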
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD58f3eb06776d4e1dfe1e742cb70e22357
SHA15ab03e56d3cfe9951e9598dd72ff258065253672
SHA256bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b
SHA512450c5dccfbe02ac221b9b05b7f1af43ad9c83701120f8134dca66c03c9e20e38fedd76a0e62a47943044ebb00de338fa001ab662481c12ed61902b9f838c6a27
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize 471B
MD5 7c352be9a7e962f88ffc9b58fc679e15
SHA1 d3a7c5a48b4258fbd2aaac9d4167cac42d093e36
SHA256 4972b3053f77f6694d8fe06ed817a4466826adf0af8e74b6a46e35ddbe4ba43a
SHA512 f2efbec292d18e618ca22c39506c358c06b1861f0706103aea1274733d26602e3bb7ca216ef5c9c4c89ccf76ab3a6b61fa84f7a186e64267ef7fea49c5c3e30d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 404B
MD5 69fe9b744d7fe59153271b1ba99cd1ee
SHA1 bb398a844441c106950228e0a1ec4303d0747eec
SHA256 13d98a37ac4690c809d86dc1c6aa344f2a0a1af10491c7cad93350512ff601ad
SHA512 8e59f38452bce95bb5272ca3236e79c8eeeea3e215d24a9d57577417fd3cfd7a16e4a7640766319275cc54d3084f3c8021b8442fc8f62155ff9e98682b383bc8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize 412B
MD5 7273320b02eccf4cd8a40aec38008d3d
SHA1 33276b43512652daa81bdd866beea142c29868a5
SHA256 211f94b774f7374fd098449f9c48c25fcc4aebd304464aaba531af7ad7697302
SHA512 477bfed1334bdb3b788b756a4d5ef6f28678f698e2c1a00fa403b7a37945aa4b8ace34f7066cc807bf077ed4880e903a25171a8d082c014917c2ee6fc9d17fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25D7DF3F-F519-11EE-ABF1-CA9969386483}.dat
Filesize 3KB
MD5 a20988307bed066f66a527eb0cda5a41
SHA1 3f3bd3e42b4eee88a894fc980cfc085c1c74cdce
SHA256 c9dbf8717cbdec2780ef4f592632acc234f18403ae76798e5660844d76c44264
SHA512 db670ac98800f84a8c2a703188b78b31d0483fc8326a3bab5c02f5eeb10562387a4d8fca61a22d2392f253a70bb0af1946a48d9ec9abde42a974cea0927c2648
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25DCA3EE-F519-11EE-ABF1-CA9969386483}.dat
Filesize 5KB
MD5 a83a32a56f0ebce81b8b125f27864232
SHA1 2dfe8162b924f18f68ffbefc8a4c07e08be7a4bc
SHA256 3abcf043787d414dd25e57c3635a113b50d8bf464fa91f7d98bd32a0f13515f6
SHA512 978c2204a95ccf77a4dca0f4609fa08176d1b81a41a6899783d0fef021ca57e424f696f6af6bd6dd05811d881a4b4ab4dc8143398c7cc9660a3e273714882e0d
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{C974629B-D4B1-11EE-ABE9-62A9A9A84F8B}.dat
Filesize 5KB
MD5 9e094b62b44fe1557f6a5040611f7d02
SHA1 ad4a8f8a1ceb817ad5f5a25e3283fb8daf4b9cfb
SHA256 29d7fd72c20eff21c182211b96505e0be84c7218f61dab2ac3184b7fff877752
SHA512 8f14b844c25935a11f7768dfa1e6ba934eb86145ea18f6d0466d1cf8e9b1494293f575dbf80eb9b7271b0dad1f04b7749e2eb6dc9d859c917551b9f4a7369ac1
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{25DCA3F2-F519-11EE-ABF1-CA9969386483}.dat
Filesize 4KB
MD5 76b4dba778942b63b215eecb25a9e666
SHA1 0d758b0cbffa5d329164ba67bd4aaef4768c3d54
SHA256 1a4d56ddfc7842984c90286f500b60a58c5ab8c131a8da06288a081f164e1cff
SHA512 8eaa7ba006b528d019618af0bf314420c5965ea9e3d526ef944e23e363b293f85246c4df385d95358b7280bd1481a7023d81c6a3375b7e44a1655052bc2f63f2
-
Filesize 15KB
MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\70FBCE97-368F-40A2-AEDB-ED21793E74D5
Filesize 160KB
MD5 68591d26ec8e7d380a5e1433445331f4
SHA1 c1ec9d4946041c3b64c3f62d551732505922162b
SHA256 2ee722bffa8e0856384dcc52775ff7d7ec82ba1eb20ecf5b65b7dfd8909b99fa
SHA512 5e8e8d63f13c58d32b059a72b6f7a3c99e9f33bdc500c17e5689244a862f3539edb7960f1f14776ccdf483b9997de607ad1a313cbcfa3232fdfab0993e150d31
-
Filesize 323KB
MD5 67f36f3c0ac40b3318b0241f929fe06b
SHA1 7b9aee92f248b674b974a8469fd0b0ddddf6243d
SHA256 59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2
SHA512 d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279
-
Filesize 24KB
MD5 8665de22b67e46648a5a147c1ed296ca
SHA1 b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256 b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512 bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize 2KB
MD5 d2dd03ac0df602a823e95671112e34eb
SHA1 8c5b2141114dcbb8803c5f9190632b87a18e1c36
SHA256 6a84bf76df017173e58a7ae30c5385e69a8b35f71737b62c16abe22093253a1d
SHA512 5f8437c722120ada5b4585e3fb875260dfabfcf5e3d66220bb0e2683ed7fdade6c959f5916079d00541b54ce504859c3cab1e1fdb6df2a04b1995895d659651a
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize 2KB
MD5 b09071827226634b930790d58a65bea0
SHA1 09b2596e5b3ac413b9dcd78d4ff3cbf2a2de1056
SHA256 ca57a374475c90348233201e5b216243447a7060255fae1e7fdb9647546ee821
SHA512 9f4063b8c300b53f141b371a494643fc0b3424072a5c119bbb8fa4184367c9e734074dbb790d6d07030b94d671789c5c62422a5b203ec3ae11a3d506d7d8a32c
-
Filesize 15.5MB
MD5 79b79c931da142894da7ba535f00f624
SHA1 43e1ba4454dc112425eec454d46af409c241ee2a
SHA256 e20e04ab7f5c5035d49ba6ca27e99b8f6ba85aa9392464dee3a9ebf3ef0dc4fa
SHA512 788c7219ff52c563bfd3b3804f7eab96908f218dff1ecb2763e09adcccfe8eb1c73b744de20bd45cde448e7f4adccb5c1902c2d2348e078ec3b0b8491cf751dc
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 56KB
MD5 1c51eec57ec7a2dc011f14ac66ba53fa
SHA1 7d48217636faf1616c78221b97a665c689b63120
SHA256 38fab2d7300ae4542c2dbe24f45fb7f09ca91e8648b2d1261d687bd84bb06167
SHA512 958dc900dadaa79d3206ae96e1fb2d9278eafc82cdea2621e1bfd53536261398bae1716291100f98e2a34bfa217526eb802ed65ba98c8d079fc8d70556ba1dad
-
Filesize 20KB
MD5 c2a1946ecb70f2138f6bd88c45aff2eb
SHA1 8e349688bb9fca4b92c50eb53348100d4383e54b
SHA256 ffbef5cfe81c2a449d7f0b72447a141854c945e807e14194c71f94a963b2eead
SHA512 ff94dd70bb8927fa391410e8b727d10818917e5f9c849ce2d0cc37d1f06806d867fd3bcfc61f637150efa912a97f351fcbbf6e083cdee37896916683ee403020
-
Filesize 261B
MD5 e9e8ef6d884c4baf8a365c14b16eccd0
SHA1 346ba06e3cffd9953611d9dc20b8dcfc7ef98ce4
SHA256 bcdbdb546948b87e1ff78b3929ac5bf0d470bea1d2b9e81a44cf3080a4050a8b
SHA512 997e14955568ed1f433a00983d59c1b2a7358ae9e6eccde3489f6c67f3bea83d9571175bf3ec424cb0c5a1e53e8c3ef24112a61a09f3d60b7fa1a32edc096bca
-
Filesize 925KB
MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize 495KB
MD5 b36280ab2514b1772d2058fe14633850
SHA1 57b4b40365eb4e26aa9f9125acc9965210776195
SHA256 a3b628be13ef3a1f09ab8e4af4f59203e7e721283bd9414f2a35c03abd0ecf46
SHA512 7c13c658c2be4430aa7e6fa4a6b6116a91e5cf5c9ce425eb698236193b96d12656d264ce3f19940a17b8a59f7b7e5dfb1ea0c0c9dc381a788c3acf4f8fdfddfa
-
Filesize 491KB
MD5 9533ba8d9930f60f0b6257bdb79b2384
SHA1 b0b9dc920e83343784e818dcf4d9607de51118bb
SHA256 6a30579a54855ff5899cd73278d61e6b3d69abadc7ffedc6c0e0c3aa03594131
SHA512 e86c782b98b28e8eefc03cb703eb2c640d6b748285b76c93f8a892e2427a20de00c7dd4c141e1c38e69b2f78b54f6705e2ae40071aaba0392193fc1a7071259d
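As extracted, listings like this often run each label straight into its digest (MD58f3e..., SHA15ab0...) and sometimes wrap a Filesize value onto the next line or omit the file path, which is what an analyst gets when copying hashes out of a report into a blocklist. The following Python is an added example, not code from the sandbox or from this report: parse_downloads() splits such text back into per-file records, tolerates the wrapped value and the missing path, checks every digest for the expected length and hex alphabet, and blocklist() returns the SHA256 values of entries that validated. SAMPLE is constructed from two of the entries above; the function and constant names are the example's own.

```python
"""Parse a sandbox 'Downloads' hash listing into validated records.

Added example, not code from the sandbox report. The input format is the
report text as extracted: one entry per '-' separator, an optional path
line, and label lines whose value is either run straight into the label
('MD58f3e...') or wrapped onto the following line ('Filesize' / '15KB').
"""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so 'SHA1' cannot swallow the start of 'SHA512' or 'SHA256'.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: two entries copied from this page, the second without a path.
SAMPLE = r"""
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD58f3eb06776d4e1dfe1e742cb70e22357
SHA15ab03e56d3cfe9951e9598dd72ff258065253672
SHA256bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
"""


def _new_entry():
    return {"path": None, "size": None, "digests": {}, "problems": []}


def parse_downloads(text):
    """Split report text into entries and validate every digest found."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "-":                      # separator starts a new entry
            if cur is not None:
                entries.append(cur)
            cur = _new_entry()
        elif cur is not None and line:
            m = LABEL_RE.match(line)
            if m:
                label, value = m.groups()
                if not value and i + 1 < len(lines):   # value wrapped onto next line
                    i += 1
                    value = lines[i]
                if label == "Filesize":
                    cur["size"] = value
                else:
                    cur["digests"][label] = value.lower()
            elif PATH_RE.match(line):
                cur["path"] = line
            else:
                cur["problems"].append(f"unrecognised line: {line}")
        i += 1
    if cur is not None:
        entries.append(cur)
    for e in entries:                        # length and alphabet check per digest
        for label, digest in e["digests"].items():
            if len(digest) != DIGEST_LEN[label] or not re.fullmatch(r"[0-9a-f]+", digest):
                e["problems"].append(f"{label} malformed")
    return entries


def blocklist(entries):
    """SHA256 values of entries whose digests all validated, sorted for diffing."""
    return sorted(e["digests"]["SHA256"] for e in entries
                  if not e["problems"] and "SHA256" in e["digests"])


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE):
        print(e["path"] or "<no path in report>", e["size"],
              e["digests"].get("SHA256"), e["problems"])
```

Entries for which the report gives no path still carry usable digests, so the parser keeps them; a digest that fails the length or alphabet check is recorded under problems and excluded from the blocklist rather than silently dropped, which is the failure an analyst most wants surfaced when a truncated hash has been pasted.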