Analysis

  • max time kernel
    381s
  • max time network
    328s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    03/08/2024, 17:52

General

  • Target

    http://google.com

Malware Config

Signatures

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 10 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 30 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
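
The accessibility-feature signature above carries a TTP but no IoC, so the process tree is what an analyst actually has to read. The Python below is an added example, not part of the sandbox report or its vendor's tooling: it parses process listings in this page's format (a bullet with the image path, the command line, an N⤵ depth marker, optional signature bullets, then PID:n) using the depth markers rather than the indentation, which drifts during extraction, and then lists every child of a logon-screen accessibility binary that is not one of the helpers such a binary normally launches. The sample is a constructed excerpt of this page's own tree; the ACCESSIBILITY and EXPECTED_CHILDREN sets are the example's assumptions, not something the report states.

```python
"""Parse a sandbox process tree in the "N⤵" depth-marker format and flag
children of Windows accessibility binaries (T1546.008 hijack targets).
Added example; the sample input is a constructed excerpt of the page's tree."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Assumption: logon/lock-screen binaries commonly hijacked via IFEO or
# file replacement. Not taken from the report.
ACCESSIBILITY = {"utilman.exe", "sethc.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Assumption: helpers an accessibility binary legitimately starts itself.
EXPECTED_CHILDREN = {"osk.exe", "magnify.exe", "narrator.exe", "atbroker.exe"}

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> List[Proc]:
    """Return root processes; parent/child links come from the depth markers."""
    roots: List[Proc] = []
    stack: List[Proc] = []        # most recent process at depth 1..len(stack)
    cur: Optional[Proc] = None
    state = "process"             # process -> cmdline -> depth -> sigs -> process
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if state == "process":
            if line.startswith("• "):
                cur, state = Proc(image=line[2:]), "cmdline"
        elif state == "cmdline":
            cur.cmdline, state = line, "depth"
        elif state == "depth":
            m = DEPTH_RE.match(line)
            if not m:
                raise ValueError(f"expected depth marker, got {line!r}")
            cur.depth, state = int(m.group(1)), "sigs"
        else:  # sigs: signature bullets until the PID line closes the entry
            m = PID_RE.match(line)
            if line.startswith("• "):
                cur.signatures.append(line[2:])
            elif m:
                cur.pid = int(m.group(1))
                del stack[cur.depth - 1:]          # drop deeper/equal levels
                if cur.depth > 1 and stack:
                    cur.parent = stack[-1]
                    stack[-1].children.append(cur)
                else:
                    roots.append(cur)
                stack.append(cur)
                state = "process"
            else:
                raise ValueError(f"unexpected line in signature block: {line!r}")
    return roots


def walk(procs: List[Proc]) -> Iterator[Proc]:
    for p in procs:
        yield p
        yield from walk(p.children)


def accessibility_findings(roots: List[Proc]) -> List[Tuple[int, str, int, str]]:
    """(parent pid, parent cmdline, child pid, child cmdline) for every child of
    an accessibility binary that is not an expected helper."""
    return [(p.parent.pid, p.parent.cmdline, p.pid, p.cmdline)
            for p in walk(roots)
            if p.parent and p.parent.name in ACCESSIBILITY
            and p.name not in EXPECTED_CHILDREN]


# Constructed excerpt of this page's process list (same format, fewer entries).
SAMPLE = r"""
• C:\Windows\system32\LaunchWinApp.exe
  "C:\Windows\system32\LaunchWinApp.exe" "http://google.com"
  1⤵
  PID:4748
• C:\Windows\system32\utilman.exe
  utilman.exe /debug
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:5280
  • C:\Windows\explorer.exe
    explorer
    2⤵
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    PID:5324
    • C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon
      3⤵
      • Drops file in System32 directory
      PID:5604
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:5996
    • C:\Windows\system32\wininit.exe
      "C:\Windows\system32\wininit.exe"
      3⤵
      PID:4120
"""

if __name__ == "__main__":
    for ppid, pcmd, cpid, ccmd in accessibility_findings(parse_tree(SAMPLE)):
        print(f"{pcmd!r} (PID {ppid}) -> {ccmd!r} (PID {cpid})")
```

On the excerpt this reports the two chains visible in the page's tree, utilman.exe /debug spawning explorer and powershell. Whether that is expected for the environment (a sandbox bringing up a desktop session) or a hijacked accessibility binary is a question for the analyst; the rule only narrows the tree to the edges worth checking, ideally together with the IFEO Debugger keys and Authenticode status of the binaries on the host.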

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "http://google.com"
    1⤵
    PID:4748
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1432
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2336
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3920
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3644
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5932
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3af9855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2084
  • C:\Windows\System32\LockAppHost.exe
    C:\Windows\System32\LockAppHost.exe -Embedding
    1⤵
    PID:5240
  • C:\Windows\system32\utilman.exe
    utilman.exe /debug
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5280
    • C:\Windows\explorer.exe
      explorer
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5324
      • C:\Windows\System32\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /FirstLogon
        3⤵
        • Drops file in System32 directory
        PID:5604
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll",CreateReaderUserSettings
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4624
      • C:\Windows\System32\ie4uinit.exe
        "C:\Windows\System32\ie4uinit.exe" -UserConfig
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:5692
        • C:\Windows\System32\ie4uinit.exe
          C:\Windows\System32\ie4uinit.exe -ClearIconCache
          4⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:5720
          • C:\Windows\system32\RunDll32.exe
            C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
            5⤵
            PID:3492
          • C:\Windows\system32\RunDll32.exe
            C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
            5⤵
            • Drops file in System32 directory
            PID:5748
      • C:\Windows\System32\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /FirstLogon
        3⤵
        PID:1776
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8
          4⤵
          PID:5888
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:64
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8
            5⤵
            PID:5940
      • C:\Windows\System32\fsquirt.exe
        "C:\Windows\System32\fsquirt.exe" -Register
        3⤵
        • Drops file in System32 directory
        PID:5652
      • C:\Windows\System32\p6rbzy.exe
        "C:\Windows\System32\p6rbzy.exe"
        3⤵
        PID:2900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5996
      • C:\Windows\system32\wininit.exe
        "C:\Windows\system32\wininit.exe"
        3⤵
        PID:4120
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k appreadiness -s AppReadiness
    1⤵
    • Drops file in Windows directory
    PID:5452
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3680
  • C:\Windows\system32\SettingSyncHost.exe
    C:\Windows\system32\SettingSyncHost.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Program Files\Google\Chrome\Application\SetupMetrics\502c51b7-64a9-46e6-ac0b-07945e3a93e3.tmp

                            Filesize

                            488B

                            MD5

                            6d971ce11af4a6a93a4311841da1a178

                            SHA1

                            cbfdbc9b184f340cbad764abc4d8a31b9c250176

                            SHA256

                            338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

                            SHA512

                            c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.jfm

                            Filesize

                            16KB

                            MD5

                            9526ca2dc6159205575ead40341f1f99

                            SHA1

                            4da04163a251e4a97cb11a7c2715fab6834ca7e8

                            SHA256

                            455bdec9d92d1732dc53b88a453a82005a944bfb60484591fcde7088749e0409

                            SHA512

                            55ca53ae1a39720f3cee4b72e17120586688008b8460d92c8e3c2cc6da423e2f6d489605681fa26d6bb5d6b7a39622d1d656c071f9ad664f413196a64eff4309

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\31H7MM5A\recaptcha__en[1].js

                            Filesize

                            531KB

                            MD5

                            1d96c92a257d170cba9e96057042088e

                            SHA1

                            70c323e5d1fc37d0839b3643c0b3825b1fc554f1

                            SHA256

                            e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896

                            SHA512

                            a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3ETVNPW\styles__ltr[1].css

                            Filesize

                            55KB

                            MD5

                            4adccf70587477c74e2fcd636e4ec895

                            SHA1

                            af63034901c98e2d93faa7737f9c8f52e302d88b

                            SHA256

                            0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

                            SHA512

                            d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TGFYS00V\favicon[1].ico

                            Filesize

                            5KB

                            MD5

                            f3418a443e7d841097c714d69ec4bcb8

                            SHA1

                            49263695f6b0cdd72f45cf1b775e660fdc36c606

                            SHA256

                            6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

                            SHA512

                            82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0628C9E91BD2403E.TMP

                            Filesize

                            16KB

                            MD5

                            765ae20e7e608aa8e0219eaf7a60fbeb

                            SHA1

                            66ed99414da2cb149f7008a50087b352ba137157

                            SHA256

                            375b32bc460854b5d4ae9db2563a426d12367e1dd49c248c2cb72e49a6f15f5e

                            SHA512

                            0f68891cbf038ccd4cc5b51b326930fa39311b32ae0c7ec1ceb999f8c24983e849eda7ca77f473718299d16619d078694b33954df2a5313a4a95df4d21753477

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

                            Filesize

                            1024KB

                            MD5

                            8bbff90331624af9a08d36b27d50f088

                            SHA1

                            dea9fab8317a2e6237b7867fb572e1764a3c3f9e

                            SHA256

                            85a76b9acd12e40db1653180bd1353ce3cdae8c8f0c4f2387382c56f2477ec64

                            SHA512

                            99ef38f9d76499133349a3e6957b5b6da82de29f223474c08c6d5693ecfac442ed4c8d919981fe1d242cff27fd1f743ee13e695f1a567991c6af5cf39ce3389f

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

                            Filesize

                            1024KB

                            MD5

                            ba624422b3bf6681c2caf63cfe3e7eca

                            SHA1

                            bd5ffb9249be63f14600a882098ddba9b5fa1299

                            SHA256

                            f40ad577c8891b44f22344eb970fbb858fdf030b8c8a46e1faca48b843b9a7bd

                            SHA512

                            75429cabab080bb203cba840526c1a94182cf619b1293ab40751280024fc9536c0045876ae676a77ec11e8202de7d5b538c600e43a3071c0b9fd6a11b14058ba

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

                            Filesize

                            1024KB

                            MD5

                            c54cde3ceede65db57e1ef09429038d6

                            SHA1

                            d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7

                            SHA256

                            80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb

                            SHA512

                            1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

                            Filesize

                            1024KB

                            MD5

                            cbc53eb850533b51f852377445973831

                            SHA1

                            c7924ce38f58fac52dc3259486d8669f9e4dddbc

                            SHA256

                            b8eb5d43ccc63d7dc0b2ce3164a51c2992a0cf8069fa821ba18ac3900f6e07c3

                            SHA512

                            0cc9bd77633cc48beaa9c4bce36ed29afc2a0bcce6566febd4b0498beb9888979cb9f474f4d377af3b32261d657bb6eb04412870c2798e3e6702bd2f4b27f2dc

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                            Filesize

                            7KB

                            MD5

                            53a1264b64e3b5b0d8f3c913e97524e2

                            SHA1

                            85a684869f8721cb327cf7f6fb3ce8f2b39e80e9

                            SHA256

                            9353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a

                            SHA512

                            c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                            Filesize

                            7KB

                            MD5

                            8af0f8fa98245f35212df5527845c733

                            SHA1

                            91c0f6f736a67bec77c1b9ac4ace3782615d6431

                            SHA256

                            3da2719fbd19fbbfa0f13caedf1fec57ea757f27bcffcb8a919bcdc5643f4a3a

                            SHA512

                            fbd28784d2f8352df56cce3f2345331f55eb13a85e96bc22760e7473787309ea5bc0e6b5e32a76e289eefa0d26e365bae941d31fe856d71f2a597e3c93ac2a24

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

                            Filesize

                            24B

                            MD5

                            ae6fbded57f9f7d048b95468ddee47ca

                            SHA1

                            c4473ea845be2fb5d28a61efd72f19d74d5fc82e

                            SHA256

                            d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

                            SHA512

                            f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

                            Filesize

                            7KB

                            MD5

                            1b73f837420eeaf4f21f295433da8277

                            SHA1

                            4ec6c3159b51c68766bedce11f445226de10cfe2

                            SHA256

                            8b1ef0f318f0f17bebc44d742fbd679af65786c39d20cf60eae20a6be32567c5

                            SHA512

                            f8fcbd78fdb69b416019dd56d411e78038b1ba2c7beed1c5220f28e4b6c64479d97c2cb31a690738bfb77fb8779e6bc54bf9f82d26161b8cd263a66b30329254

                          • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

                            Filesize

                            7KB

                            MD5

                            79b10ba530903536e6bb7f7745dca23d

                            SHA1

                            389b9bb5c6b99eaf6c0f91bcb779d73fb21422c2

                            SHA256

                            a8c8f4de365db739d168d587af06c7e538d3b556b105da4b0e0acd0102af8540

                            SHA512

                            c640e89fe3b555b587adb812a8d0393c92348805ffef2b6a38b54eebd10a9ea22e03001a0cd480a7953d285f77b620bc09c1b223ae3ca5c4b3087b7a59be9462

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

                            Filesize

                            950B

                            MD5

                            0a0e34beca9fee31d0c6358300ca1e1b

                            SHA1

                            596debfebbdb2ce9fae7b20ca2c93b0c3d008d96

                            SHA256

                            d37ae914d17951da50440f59aa8d6ec26d0c8221a3508ac2740957898b5d0642

                            SHA512

                            fab3bcfc7c5ea5a185ba5316f3e867a69e3ad1e235048fa4c62115824e31cacb3283fa4c0c3c117cbf0cd7b4706b4c8b0addf7d5cd9f1b90c16bd7350310889d

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

                            Filesize

                            2KB

                            MD5

                            aa77d7db677b355879153f5259a5ace1

                            SHA1

                            e043629e450aa3bd5a4df35d07cf4b4c584a432b

                            SHA256

                            c68d645453240d999a36195846a56e3f389a382abd82f8f251dab9ea6db2dee1

                            SHA512

                            63b2f2a3f80a3b4c6b60695ff5ac97e8eee8d6e8ebaeadbf3a4ef15b774010ec1a59ba8f20f45843baf2f4b7a8a37f928a84cb9f70f66ac2880886efb10b9fc0

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

                            Filesize

                            934B

                            MD5

                            4c968d6116b5097ede12db505f478631

                            SHA1

                            3a7b770160e5e7d89ffcd7a36454a555174d007e

                            SHA256

                            3dd4be322ccff5b847cf0c30633cc2f6d48374aeaf2da5dc5530a226ed5e929b

                            SHA512

                            0cdb047f40240561a5177046fc6b6bfb07696cfb3c80742e92e50b2a6d2cb1c16cd44a37c5cc8bb04bb8b6f3c3e33bcbe0d1c75f45064bbd7ffc84acb63ee3b4

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

                            Filesize

                            2KB

                            MD5

                            38a3f52468060eb6cdf8aa8382dde290

                            SHA1

                            70886664da05940323ba147d9dbf2bc9728ad8b3

                            SHA256

                            26eb31efd3188a8ebc49ca4bb539e188476184940ddc8f698aa21775e27ca9ad

                            SHA512

                            842698405580e927723c11aaac2356b3dfa0816424db30ee52f9f631eecbd42717d5ac23af4e3bd30ba1d139d136a1e3ed29315627b61776fe3b457cc0fe26c4

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

                            Filesize

                            946B

                            MD5

                            020513bd05cf822a696635b8e2177966

                            SHA1

                            f83f356d7d1ef8ba3fe1ccecd37eac26c07a25a1

                            SHA256

                            976bd478030f5a2cfda905786ae7b506b23ef08ded0f288168d11cd3e18cb220

                            SHA512

                            3e570abd6be18650b8ec76590ba13a03e657d6b46a5f523a7ea9d36bab89f5d2e6801281e5e9ac1fe183841bfb02d051950ccc728467272337c6679cfc3acdc5

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

                            Filesize

                            2KB

                            MD5

                            22f8e34b3cd4c60b355736a5b2fa219c

                            SHA1

                            1db6e2362b033c37f740f655901c036f2cf2bf38

                            SHA256

                            cd6568900f8ff21bd073c24d43e92df8b600fd9886ac3c0b1f60eb20083f4c1d

                            SHA512

                            4f00ec301adcca585868d578f287b25935ecee41641b4ac4e2d7f8cec0f98310cd6263b83d5a82a5a99eaf2397b843bed6321e9fbe1d030581a8a56a2ae8b96a

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

                            Filesize

                            939B

                            MD5

                            969d2a170304ed57ab03c64c3723af2a

                            SHA1

                            d73421f1678157eeb090319ae24c5f9b621d0aa8

                            SHA256

                            245303f9f7aafea4ea36e76a49548a06c2ff399d4000a957c041d447b8c4706e

                            SHA512

                            770c524284022c9104886aeb7d3f9ddf725118d205831a1429f78f31e156c6ca12ba0d255ea4360ee08ad5f76a0b619a6475f7cc1065870ab92b762d25614a51

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

                            Filesize

                            2KB

                            MD5

                            ab02383420c3377ae0eb4c946b6349b0

                            SHA1

                            f6ad3f0f670510a4750f6b0debb047e9b5534df0

                            SHA256

                            016890bdc9c139f1c9809595c3c33fea512b82f2f009b5f506437505a86ca68c

                            SHA512

                            1c67b50dd6b47753e701cfa97cd4057247e34e320e5bee5e108a58bb9e34f10830719361891acaf792d099c7bb263e52fa246fe01ab8f4ae7c81fc9c97affceb

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

                            Filesize

                            302B

                            MD5

                            99d72adf4e683fa1e6f1a435ff5be9b3

                            SHA1

                            007ac135b547c29a9419eaf5b9c422b562f7cd2f

                            SHA256

                            873bcd7fc25e21142bdfcd6c8f2bea3e294a055e3f132d8a2b3407aba45074e1

                            SHA512

                            fe623875d8ce38b7533333af24d6331459b7bd4a35df2212d666c8ad2eaf16b7f1101ed778a3114d70c3e3731da947d5ff7e272949ec21db194e2389398444ff

                          • C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

                            Filesize

                            82B

                            MD5

                            1c61dc21f9b83172d65be1e94b79026f

                            SHA1

                            7324473ddda64b87c299bf6e3b9e9aff53f7fd74

                            SHA256

                            8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b

                            SHA512

                            9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

                          • C:\Windows\System32\config\systemprofile\Favorites\Bing.url

                            Filesize

                            208B

                            MD5

                            5d42dddda9951546c9d43f0062c94d39

                            SHA1

                            4af07c23ebb93bad9b96a4279bee29eba46be1ee

                            SHA256

                            e0c0a5a360482b5c5ded8fad5706c4c66f215f527851ad87b31380ef6060696e

                            SHA512

                            291298b4a42b79c4b7a5a80a1a98a39be9530c17a83960c2cf591b86382448cd32b654a00fc28eab4529df333a634bcdc577aef4a3a0a362e528b08f5221beb1

                          • C:\Windows\System32\config\systemprofile\Searches\desktop.ini

                            Filesize

                            123B

                            MD5

                            a9154e63d5bf5033d0a6d13939b73a4a

                            SHA1

                            109c0bd1f78582696da1851edd854b789f778cde

                            SHA256

                            b32f58e7492755a4c50f2d58ba1bb44c23b46ad5a82effcedec7ab8a7f44e1d6

                            SHA512

                            8a34771d2ededd70b56c43cac58e33e546479849711ad8754bac9529b995d0989b21f727a186fdf2f0ba370b005be53da701149902594244f820a6f6f12d47ee

                          • C:\Windows\TEMP\Crashpad\settings.dat

                            Filesize

                            40B

                            MD5

                            6b962e677f731152187c97b0f2a5bb1a

                            SHA1

                            b39c9f4bd886f0cf00ab1e66df78a5b1273f9ea7

                            SHA256

                            8b52a5fee31af1a57ef10f3f01b680e48758c39f5153bf3e591ddc39abae9720

                            SHA512

                            c3d3588c25b7a486931e2207d43f4399408bddf2df9d91eadee8c98cdf43d1a9f209ab71b0713eb4367f054ca75ebd7970a0a9a2d53d00c1c2ffab4ff9bc064b

                          • C:\Windows\TEMP\chrome_installer.log

                            Filesize

                            1KB


                          • C:\Windows\TEMP\wmsetup.log

                            Filesize

                            685B


                          • C:\Windows\Temp\RGI3CC2.tmp

                            Filesize

                            24KB


                          • C:\Windows\Temp\RGI3D44.tmp

                            Filesize

                            3KB


                          • C:\Windows\Temp\__PSScriptPolicyTest_yb0crys3.wbv.ps1

                            Filesize

                            1B


                          • C:\Windows\rescache\_merged\2717123927\1590785016.pri

                            Filesize

                            3KB


                          • C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

                            Filesize

                            1KB


                          • C:\Windows\system32\config\systemprofile\Favorites\Links\desktop.ini

                            Filesize

                            80B


                          • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

                            Filesize

                            129B


                          • memory/1432-66-0x000001EE13C60000-0x000001EE13C61000-memory.dmp

                            Filesize

                            4KB

                          • memory/1432-16-0x000001EE0D120000-0x000001EE0D130000-memory.dmp

                            Filesize

                            64KB

                          • memory/1432-0-0x000001EE0D020000-0x000001EE0D030000-memory.dmp

                            Filesize

                            64KB

                          • memory/1432-35-0x000001EE0C100000-0x000001EE0C102000-memory.dmp

                            Filesize

                            8KB

                          • memory/1432-67-0x000001EE13C70000-0x000001EE13C71000-memory.dmp

                            Filesize

                            4KB

                          • memory/3644-54-0x00000209E2D30000-0x00000209E2D32000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-62-0x00000209F37C0000-0x00000209F37C2000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-197-0x00000209F6820000-0x00000209F6822000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-141-0x00000209F4C70000-0x00000209F4C72000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-105-0x00000209F4250000-0x00000209F4350000-memory.dmp

                            Filesize

                            1024KB

                          • memory/3644-97-0x00000209F4250000-0x00000209F4350000-memory.dmp

                            Filesize

                            1024KB

                          • memory/3644-335-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-337-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-339-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-338-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-56-0x00000209F35C0000-0x00000209F35C2000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-58-0x00000209F35E0000-0x00000209F35E2000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-60-0x00000209F3700000-0x00000209F3702000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-333-0x00000209F6B10000-0x00000209F6B30000-memory.dmp

                            Filesize

                            128KB

                          • memory/3644-343-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-64-0x00000209F37E0000-0x00000209F37E2000-memory.dmp

                            Filesize

                            8KB

                          • memory/3644-344-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-51-0x00000209E3010000-0x00000209E3110000-memory.dmp

                            Filesize

                            1024KB

                          • memory/3644-340-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-341-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3644-342-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

                            Filesize

                            64KB

                          • memory/3920-43-0x0000027520000000-0x0000027520100000-memory.dmp

                            Filesize

                            1024KB

                          • memory/3920-45-0x0000027520000000-0x0000027520100000-memory.dmp

                            Filesize

                            1024KB

                          • memory/5996-1389-0x0000019131670000-0x00000191316AC000-memory.dmp

                            Filesize

                            240KB

                          • memory/5996-1400-0x0000019131AE0000-0x0000019131B56000-memory.dmp

                            Filesize

                            472KB

                          • memory/5996-1362-0x00000191313E0000-0x0000019131402000-memory.dmp

                            Filesize

                            136KB