Analysis
max time kernel: 167s
max time network: 169s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-05-2024 08:34
Static task: static1
Behavioral task: behavioral1
Sample: Boendet.docx
Resource: win11-20240426-en
Errors
General
Target: Boendet.docx
Size: 21.7MB
MD5: 14b980a65c7501e12ccfecd9bf55cb16
SHA1: 7bf794b9b674f5946eadb8e07a01d6aaeb337d7f
SHA256: a91345c766f145d47d6deb90c3ae9d920f28101e12e39d93e88e3612eaf07329
SHA512: a6758a6617f420ac3a49bbfbb055f43a2d5fbfa3611030e359d6ff788b7276f4c005a0e04c9cbc776dcf02e0ddc30b6bb55d1c8758b1822ad6e3cc612a54a504
SSDEEP: 393216:9/K/AmXAr22JMg1Ml30SRiGHVdrc5nw0DxTceN+ujRIT++9kkG:4/Ar2XRiSdrc5w0DxTb3RITBeN
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | wscript.exe
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | wscript.exe
Disables Task Manager via registry modification
Downloads MZ/PE file
Modifies Installed Components in the registry 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | unregmp2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282" | unregmp2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" | unregmp2.exe
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\metrofax.doc | office_macro_on_action
Processes:
  resource
  C:\Users\Admin\Downloads\metrofax.doc
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
  resource | yara_rule
  C:\Program Files\Common Files\System\symsrv.dll | acprotect
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2088 | Floxif.exe
  2956 | BossDaMajor.exe
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  2088 | Floxif.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Processes:
  resource | yara_rule
  C:\Program Files\Common Files\System\symsrv.dll | upx
  behavioral1/memory/2088-404-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2088-407-0x0000000010000000-0x0000000010030000-memory.dmp | upx
Drops desktop.ini file(s) 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | unregmp2.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\A: through \??\Z:, every letter except C:, D: and F: (23 entries) | wmplayer.exe
  File opened (read-only) | \??\A: through \??\Z:, every letter except C:, D: and F: (23 entries) | unregmp2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
Drops file in Program Files directory 18 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | wscript.exe
  File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
  File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | wscript.exe
  File created | C:\Program Files\mrsmajor\Launcher.vbs | wscript.exe
  File created | C:\Program Files\Common Files\System\symsrv.dll | Floxif.exe
  File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | wscript.exe
  File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | wscript.exe
  File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | wscript.exe
  File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | wscript.exe
  File created | C:\Program Files\mrsmajor\Doll_patch.xml | wscript.exe
  File created | C:\Program Files\mrsmajor\default.txt | wscript.exe
  File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | wscript.exe
  File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | wscript.exe
  File created | C:\Program Files\mrsmajor\reStart.vbs | wscript.exe
  File created | C:\Program Files\mrsmajor\WinLogon.bat | wscript.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | unregmp2.exe
  File created | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
  File created | C:\Program Files\mrsmajor\DreS_X.bat | wscript.exe
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  708 | 2088 | WerFault.exe | Floxif.exe
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE (3 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE (3 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE (3 entries)
Enumerates system info in registry 2 TTPs 12 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE (3 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE (3 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE (3 entries)
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies Control Panel 4 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Cursors | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Modifies data under HKEY_USERS 17 IoCs
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "203" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606677110035132" | chrome.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Modifies registry class 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler" | unregmp2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | unregmp2.exe
  Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | chrome.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | unregmp2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play | unregmp2.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1230210488-3096403634-4129516247-1000\{4E752D06-8746-4C42-999C-8C316902CE79} | wmplayer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command | unregmp2.exe
NTFS ADS 6 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\AxInterop.ShockwaveFlashObjects.dll:Zone.Identifier | chrome.exe
  File opened for modification | C:\Users\Admin\Downloads\Interop.ShockwaveFlashObjects.dll:Zone.Identifier | chrome.exe
  File opened for modification | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | chrome.exe
  File opened for modification | C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier | chrome.exe
  File opened for modification | C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier | chrome.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{26E4841C-2C69-4A62-9F36-ED6350716480}\8tr.exe:Zone.Identifier | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 5 IoCs
Processes:
  pid | process
  3408 | WINWORD.EXE (2 entries)
  972 | WINWORD.EXE (2 entries)
  2732 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  1456 | chrome.exe (2 entries)
  2300 | chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
  pid | process
  1456 | chrome.exe (10 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1456 | chrome.exe (32 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 1456 | chrome.exe (32 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid | process
  1456 | chrome.exe (64 entries)
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
  pid | process
  1456 | chrome.exe (16 entries)
Suspicious use of SetWindowsHookEx 25 IoCs
Processes:
  pid | process
  3408 | WINWORD.EXE (8 entries)
  972 | WINWORD.EXE (8 entries)
  2732 | WINWORD.EXE (5 entries)
  972 | WINWORD.EXE (2 entries)
  236 | PickerHost.exe
  4464 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 1456 wrote to memory of 1704 | 1456 | chrome.exe | chrome.exe (2 entries)
  PID 1456 wrote to memory of 3712 | 1456 | chrome.exe | chrome.exe (repeated entries)
  PID 1456 wrote to memory of 2256 | 1456 | chrome.exe | chrome.exe (2 entries)
  PID 1456 wrote to memory of 4068 | 1456 | chrome.exe | chrome.exe (repeated entries)
  (The 3712 and 4068 rows account for the remaining 60 of the 64 entries.)
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Processes
Child processes are nested under their parent; each entry lists the image path and PID, then the command line and the signatures the process triggered.

* C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3408)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Boendet.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
* C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1456)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1704)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd888cab58,0x7ffd888cab68,0x7ffd888cab78
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3712)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:2
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2256)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4068)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3780)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4640)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3920)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3344)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2860)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2632)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 800)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4244)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 128)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4944 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4708)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4240 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3568)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2572 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1792)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3532)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3844)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
    - NTFS ADS
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4448)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4268)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4856 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Users\Admin\Downloads\Floxif.exe (PID 2088)
    Command line: "C:\Users\Admin\Downloads\Floxif.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    * C:\Windows\SysWOW64\WerFault.exe (PID 708)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 456
      - Program crash
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2140)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5316 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1972)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
    - NTFS ADS
  * C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 972)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    * C:\Windows\splwow64.exe (PID 432)
      Command line: C:\Windows\splwow64.exe 12288
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4956)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1904 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3448)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1364)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3236 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4936)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
    - NTFS ADS
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4908)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3212 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3080)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2528 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4868)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5672 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4940)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3236 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4768)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3324 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
    - NTFS ADS
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2100)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2364)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2964)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2300)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5548 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4472)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=2940 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:1
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3404)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5616 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1900)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1444 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1324)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
    - NTFS ADS
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1844)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Program Files\Google\Chrome\Application\chrome.exe (PID 460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 --field-trial-handle=1924,i,13064352455115883588,15771585683235415075,131072 /prefetch:8
  * C:\Users\Admin\Downloads\BossDaMajor.exe (PID 2956)
    Command line: "C:\Users\Admin\Downloads\BossDaMajor.exe"
    - Executes dropped EXE
    * C:\Windows\system32\wscript.exe (PID 1272)
      Command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6FD7.tmp\6FD8.vbs
      - Drops file in Program Files directory
      * C:\Windows\System32\notepad.exe (PID 4204)
        Command line: "C:\Windows\System32\notepad.exe"
      * C:\Windows\System32\wscript.exe (PID 5036)
        Command line: "C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
        - Modifies WinLogon for persistence
        - UAC bypass
        - Disables RegEdit via registry modification
        - Modifies system executable filetype association
        - Drops file in Program Files directory
        - Modifies Control Panel
        - Modifies registry class
        - System policy modification
        * C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 744)
          Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
          * C:\Program Files (x86)\Windows Media Player\setup_wm.exe (PID 2748)
            Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
            * C:\Windows\SysWOW64\unregmp2.exe (PID 3468)
              Command line: C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
              * C:\Windows\system32\unregmp2.exe (PID 3044)
                Command line: "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
                - Modifies Installed Components in the registry
                - Drops desktop.ini file(s)
                - Drops file in Program Files directory
                - Modifies registry class
            * C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 1132)
              Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch "C:\Program Files\mrsmajor\def_resource\f11.mp4"
              - Enumerates connected drives
              - Modifies registry class
          * C:\Windows\SysWOW64\unregmp2.exe (PID 1692)
            Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            * C:\Windows\system32\unregmp2.exe (PID 4332)
              Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
              - Enumerates connected drives
        * C:\Windows\System32\shutdown.exe (PID 2836)
          Command line: "C:\Windows\System32\shutdown.exe" -r -t 03
* C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4644)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
* C:\Windows\SysWOW64\WerFault.exe (PID 2160)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
* C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2732)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
* C:\Windows\system32\svchost.exe (PID 4912)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory
* C:\Windows\system32\AUDIODG.EXE (PID 4992)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C4
* C:\Windows\System32\PickerHost.exe (PID 236)
  Command line: C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
* C:\Windows\system32\LogonUI.exe (PID 4464)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a38855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
SHA512397e3fac3acaa7f6827f5723ffdcdcb3ac432cac4255ba5cda044c3518cfac46bf311d8d9b2dbfba07cbd1a752ffbe83c13886d48f5ec2cbd751a9eef1044bfc
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
5KB
MD50ed5bc16545d23c325d756013579a697
SHA1dcdde3196414a743177131d7d906cb67315d88e7
SHA2563e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
Filesize
816KB
MD50a8d790f6961a7515c3a16858e301058
SHA18c1174b3f093cf0b7ab8b37b91aa5e7e4ef04453
SHA2569c2770bd5594ea372fd49f501bd91fc95511d4bea88bf1a722290269489daafb
SHA51280d607f959da8f15749b0647de5270e5a56334b842630b7b56c18f19711702d5ddafad890b08e345275a8e65f578196c50a3554505dd73ba21642a782720f334
-
Filesize
249B
MD574635f6e5554ebd726fdca0c002dbee2
SHA1278e66625144f9d89050b0bedb482a68855b97d4
SHA256483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
SHA512bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5d2f2dffbec545bac45c5781348dd9335
SHA1be42998b54a0795cc40eb230f4592738f8ab630b
SHA2564a82c071d6c7ad2ea87e34cb7a7e14a046695839c444c448375c8a6fdecb5e4a
SHA5120def379b1878a3fb51657acb5856573aacffae49a9f05a26af7218491e028e0576c1c840466af5fd6ba3c93bd0b8e631a95859959354b84714c7aecd7d5af88c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5a8dcaf84d502dbc7238aeeba4a219148
SHA1fef4dd88af189294cfa9f8fc0101f28fa9efd74f
SHA2560ff04bde4e46258c401d99c00e3cf3699a57ff6d4466617095d1ee5b1bc34f67
SHA5126e1b8f103edf8e8f19ae1711220afa464b7b3b958e5b2f2e0f7d0daa0a545a32e9648a2dd5b7fed73d4fdd816c15aeb322fd50231a41f84083f9e55a6bcedafc
-
Filesize
27B
MD5e20f623b1d5a781f86b51347260d68a5
SHA17e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA5122e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b
-
Filesize
17KB
MD5451112d955af4fe3c0d00f303d811d20
SHA11619c35078ba891091de6444099a69ef364e0c10
SHA2560d57a706d4e10cca3aed49b341a651f29046f5ef1328878d616be93c3b4cbce9
SHA51235357d2c4b8229ef9927fa37d85e22f3ae26606f577c4c4655b2126f0ecea4c69dae03043927207ca426cc3cd54fc3e72124369418932e04733a368c9316cf87
-
Filesize
304B
MD58b4e07bbd7e3fd75c6cad687aba06389
SHA11fb0c88fc7c24b0acd605e8ea4d25242aacc4498
SHA25651a6ccb79b72b34ea917dfc7bdbbbbbfef90de90ea1785b19e12a7227fa0423f
SHA51209e53f59c4b8ceb30cc013fb09a9c0d13ab77f376d526189f9ab0783dc829a524727ad76d888e274cd5663dc3512829a0e9aa5d73c0be8a6e6e90a845179dbc6
-
Filesize
532KB
MD500add4a97311b2b8b6264674335caab6
SHA13688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70
-
Filesize
120B
MD5f9c7a8bff0ed8cbe8b3352095ecb07f2
SHA17c402c33b85f2df75a29ad0821632625994cf577
SHA256aa5d8c67b97b355eae91dfc61ac6860a2dd17693b882b1c0093965d8af39f238
SHA5123d74ac3219508fc39f88744bcfffcf735098a9625827b284893f9e143bbe66eafdd0eefc3807c0e62092eba16fdc8ae322e943ab11476f0be36bed41a5ab0076
-
Filesize
21KB
MD5e869d1d4545c212d9068a090a370ded3
SHA1a6a92f108bba390cd14e7103ba710efec1d270f9
SHA25663af704211a03f6ff6530ebfca095b6c97636ab66e5a6de80d167b19c3c30c66
SHA512ee108b0ebefb476c5beb568129da7ce058229fb42ad3500c6fc37a36d718eb67a17b331d73f6920a5290c3977be2eda96aa057533c3344898d161cb464c6ef76
-
Filesize
160B
MD58619c1bd767b50bda9c3f31a73c33575
SHA178a69fe4b83c7f2a0d1d809bc09e984ed0b67986
SHA256083faa0f135f99e94c5f88a2e68c2369a47130bb7c9ba54a6615e7f8eb791c8a
SHA51238180eb2ef23f8a1186815efa3e70d3d4a0db2aeda8f5ad5de34a5a2fbd5cb76ba34e4c52c04899eac02302768fb41280b55eef974efea19eac909e59cf4fdfd
-
Filesize
1.9MB
MD538ff71c1dee2a9add67f1edb1a30ff8c
SHA110f0defd98d4e5096fbeb321b28d6559e44d66db
SHA256730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
SHA5128347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
-
Filesize
221KB
MD528e855032f83adbd2d8499af6d2d0e22
SHA16b590325e2e465d9762fa5d1877846667268558a
SHA256b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
-
Filesize
208B
MD5a10e4fdae1afe986f06734d531d70c9f
SHA177af05afc723ea8fa055b4ceeeb66561c3730aa5
SHA25696c810b47cd4da12574414e8885c5057c805e6cbf6f13bf3bc25d23fff154355
SHA512fe18b92ad6096ad94cfe866b76f8bf3d5d8ccc8f32322f86bb2be50491eef5bb628a5bab060d98a3743ead58837ea1a3aa996b72efa13bd1583297a64f465f9a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e