hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=pfbid02heVPzQw6VH2XisuVnuYGfLiREb8w52YtSxBqJ3Vq13JwYMdSbuD3aSW47N1F5Zvrl&id=61558673575378

Analysis

max time kernel
175s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.facebook.com/permalink.php?story_fbid=pfbid02heVPzQw6VH2XisuVnuYGfLiREb8w52YtSxBqJ3Vq13JwYMdSbuD3aSW47N1F5Zvrl&id=61558673575378

Score

4^/10

discovery execution

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
332	WINWORD.EXE

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 30 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430699121"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3761111127"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e021d7e0f5f0da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000002cca2f38b05e1b97d36699c6a4a37bdef57c91507afe2f5007734cd5574feb65000000000e800000000200002000000064bbb5a779b31d7ab0d7528ebe5f27da72dc55b799c1c5dc0b61823e3fa17773900200001a483457ec671c09a025b3e871f4b6ec365225c5f3e16c538e06e795e18c4bed2d81b63aafc901c4134ebcd3a307829066b8565190787253e0db840d239261f032c1a0696cfab4186214ab5337f41eba941c3596abc88560f6582a9c78fc6596989134e791aaedc5aa1d65270c5f7e6b83d7563cbd5b849a6919f93e0039fe09b6557b6cca9dd860e7217b9c9b2bd2f4843f1b449ca7a5256eb076115bf03f924bad88a1ff6eb59d8878a52e2da2ebf5a424cf970eb9f15af4188fbb9084515f24ec892c8b07fa3deda53bfbb7e19dbd8f6566e6172ad27806fbc1882a2ae48f8ff8fa0bdb24e4e846e271c604ac4312d1d323831e06f04da24d53f76ff238e94ed29729ce473b756c23036e445902451de64d1d766b482352e6f2ca68553dd5b08ae42d9252848f2e77c67d98983fe99043262e638c948dbdc3d0d1df5140ca38d624f3c94f76c753f7899a9c3d378d0f55ff5a70115b819a0489ece6b3aaf4f3d7e326c574af1cf7b5bc1d41b37381168ee46bd9e4f6041218a03b73462a681a500a34af1c581c594b77d789a80b859325ac5697bb986afe9de56f93e93821b6c5d87cd991e82c62ada603ea93a7e57ffbad557e0531083c6915f41e59babd75c465f9a81bbc1f5731637d44c9c10aad27913e9df52708a2350be39bf6f60d9074e9436c071d9416d10a233a6b7881dcc589b448d1d48e29a4a1ad1ba0da1e696e00d19e509665eb842e659239105ab7dff0158fa054fb59db7a0590144cdb8d01e969bb3cfe6540c7a716da5c0ed12e0340da538ff0a885a367870c60af40d9683ae0618558b768067e055179f5cf5d55184bea3440044204f6085d74318f88cbffb612c87fb5c05209d011c0ff638055308c3b08aab751f44320e263295a5e7302752129c1cba80a8720c1191a2c400000003328bf965d07c34624db4e56a714216401eb65f8a40904329bc144101efee1818d21cb886c7f99d6904f9c7ce46c9a250bd11cb1f46e1a1fbe3a0fac73e845ea	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3757986125"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000c4075b48653536d4bcbc13ad8f4e104cfa9e57ad75d7598891092f88c6a87e74000000000e8000000002000020000000c16e3b1d3749cb8e80f98725ff9aa7d4f00fd68764c61c830f1bc3eea0d8fe78200000007d6b53277b57ae32c95eec4865b221e90c39ae0b0eb80c4bdafd4dda31203a1640000000ea92da04eea829a3d30b288eee0c6d32f53c0e57e72c3860c929576dd8e2114b0e0f0c2b0590810c3732bff9bb620f0f13c706bfd61dd7198f7e907ae94a16fc	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0B87F9F7-5CE9-11EF-B1C5-DE20CD0D11AA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3757986125"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125749"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125749"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125749"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 10 IoCs

pid	Process
1468	POWERPNT.EXE
2348	POWERPNT.EXE
852	EXCEL.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
664	vlc.exe
4548	EXCEL.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
3080	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4676	mspaint.exe
4676	mspaint.exe
3924	EXCEL.EXE
3924	EXCEL.EXE
408	mspaint.exe
408	mspaint.exe
3472	mspaint.exe
3472	mspaint.exe
3532	mspaint.exe
3532	mspaint.exe
636	msedge.exe
636	msedge.exe
4704	msedge.exe
4704	msedge.exe
1888	identity_helper.exe
1888	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
664	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4732	svchost.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2304	iexplore.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
664	vlc.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2304	iexplore.exe
2304	iexplore.exe
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE
1308	OpenWith.exe
4676	mspaint.exe
4676	mspaint.exe
4676	mspaint.exe
4676	mspaint.exe
1468	POWERPNT.EXE
1468	POWERPNT.EXE
1468	POWERPNT.EXE
1468	POWERPNT.EXE
2348	POWERPNT.EXE
2348	POWERPNT.EXE
2312	OpenWith.exe
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
3924	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
852	EXCEL.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
3608	WINWORD.EXE
664	vlc.exe
344	OpenWith.exe
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
4548	EXCEL.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4060	2304	iexplore.exe	84
PID 2304 wrote to memory of 4060	2304	iexplore.exe	84
PID 2304 wrote to memory of 4060	2304	iexplore.exe	84
PID 2304 wrote to memory of 3464	2304	iexplore.exe	136
PID 2304 wrote to memory of 3464	2304	iexplore.exe	136
PID 2304 wrote to memory of 3464	2304	iexplore.exe	136
PID 2844 wrote to memory of 1764	2844	AcroRd32.exe	144
PID 2844 wrote to memory of 1764	2844	AcroRd32.exe	144
PID 2844 wrote to memory of 1764	2844	AcroRd32.exe	144
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4540	1764	RdrCEF.exe	145
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146
PID 1764 wrote to memory of 4928	1764	RdrCEF.exe	146

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/permalink.php?story_fbid=pfbid02heVPzQw6VH2XisuVnuYGfLiREb8w52YtSxBqJ3Vq13JwYMdSbuD3aSW47N1F5Zvrl&id=61558673575378
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4060
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:17414 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:3464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\CompressUninstall.js"
1⤵
PID:768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RedoUnlock.rle"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1612

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\ResizeRequest.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\WatchConvert.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConvertFromMeasure.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\WriteSplit.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:852

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\WriteSplit.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeImport.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SwitchDisconnect.MOD"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:344

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UndoOptimize.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StartConvertFrom.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResetPing.docx" /o ""
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:3220

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ReadDeny.ico"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ReadDeny.ico"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ReadDeny.ico"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\RepairOut.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:3080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2969D718FE370BCA543211BB02FD6497 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5013067BD45984825BFE2B9CA5754AE5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5013067BD45984825BFE2B9CA5754AE5 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=263791C6926F1F69ACF16A62A0B6C130 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40DD3913412F5B1EDE8EDB386456A1B6 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd699746f8,0x7ffd69974708,0x7ffd69974718
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1508,7104946368990820775,1540972489360356283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
c96e614eba353b508b28bc6db6f904fc

SHA1
927610445b4fa45b4a04edf375814e987d1b34a6

SHA256
810b4bff49dad46744697f352a924048cbd10336c0648779d2ff9fe99abc5bdc

SHA512
7f8929dcc59fc380d6ab2ff12faf0866c959bf754fd84f257e17cf186542edb54d29cd1f555f49d57a23f55f3148b22fb22a51ec1c6e1855022068508606ec1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
4051e847b223ba9d53fbdadfca783fe4

SHA1
c554fa94d3d1b59a4a01d672749bade052bc9100

SHA256
af98b5725f91fbd29d38d7360811780f59d1f605c978975a75061e7b21f3962f

SHA512
5cbfd910f7e50ed2b1410f30a33a6816b2a87402944cb78522c4fb44e10c367e784661a896c8bb916d20a484f6beea5394e5591c341ae82a731a95d4b1bc5163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2a22fd58ac468c09fb0073447fbd4c1d

SHA1
a084d09bbde406e8b3ce4449e29188baa99d89bf

SHA256
f8f3074be26b043a7f64691135e2da05fb52eb0e0848a8d8e65cae1641b02f3f

SHA512
0c24af222a5f7067986d85d3b60a1cea894b0ec0c0f091245a31d5f29aff5efadfe565338558894ec1d38ecbbf43e7e5795bc68e8b86874f93d29b39b03d6c0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
339d9338ac19360fe1d8ec33d8f42d3c

SHA1
79101876f8e4b86cc63a97477084ee7b25778d2a

SHA256
225b703653d828fb0cfcf5fd64629d596d4b6c237bf385f83a2858f6597d7fec

SHA512
6a65a90c5d10050d647c399a8f0bd9bc6a57a9dc8f266fa677e7b401d5f10015567164f710cd98ccff621c9d014c8f88f57303d92309bea9519422333d2490e5

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
bcd361396808e485a8ed0848021185df

SHA1
633dcaea378c52379bd399ca632ea97bd46e0468

SHA256
7181c4f97bff6fdfcfc6f45292b21b1627520c00cc27d20fb0c6a46eb3770e2c

SHA512
73d152f77e63012fa94b3c578d3d689dad08619b3a458370fc7f343a4d45e1c169693a3cb19d5fd6c0a5f686de2fa8743a6c1c63e104bfc343ada875c3c67bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
65abd8b69d87fd67e541a32eacf98464

SHA1
604cdae878e1e120c5860915c6647023f4c3a04a

SHA256
650d0d90286e0e53cf1d74be0f649563d0688789cfdb628cfdcd3f1ffa279e51

SHA512
ceac67f2f67e75534b8dbe25da91345b5ed8c5175f6c13eaa8841ff2b85efa43600fdf682683a194f141adf17d434d123fc573c5281350b2a3038f71f48ca200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f3a03d36efee38874968c43247bdf8a

SHA1
205c6c0b5e0def234e769c2fd5c92a17710ebec5

SHA256
02af8fa91e24ef89f83b995a3eacdc77a3eb2ee35977f318aa47568408e9c6a4

SHA512
da5d8e546aa845bbd5acdef89ccf109d9dee5ad75fdeac8e3be2640188e59456513bae042a32552143d544e44f83c7de0cdaa222c31e19a689c1128b9ecb0122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
435a954d1cbc887599f0e5051458f5f5

SHA1
89458677aa4f12f93670d45548d6a04b9255cfe7

SHA256
86bafff557508950ca7bcde975751ea92b7c7754569de67ca93e8c8ec7586145

SHA512
54669eee2bb57606715e41a0a896ce4cd4d5721191b40ea38f24ab648e6176d4d68f9b50467360cc8cb6f7db2ab9f3d764242d85ac780bcbc93474ac63c3d1dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
14721c3de8c33feaeae6177c00119578

SHA1
2f4d26af2092d1cf865207fcfbbe2ff6cf97206c

SHA256
94ee24ee6dc408334f36ba7341b00a8177f0ab3202be7f9b5f5fa33aca15aa7e

SHA512
9c9bdbbfdd0113341f405998aba85a80c635c0878c30b58db6034cb99b81143b99cd2d8caabc0a270159addea1ab255c54fa8d073c51802e20899f02d6bfd202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E530AEDF-89BB-4C15-835C-F3C9AE9D182F

Filesize
170KB

MD5
1e77bc3f33d8b8282f3139fa619e824c

SHA1
507dde02c6205e0af5e985e701d1618d5dabbedf

SHA256
acdfb926984559d2711f674da09f894cebb2e74ed8c4c3ca85df4ba610264d7b

SHA512
34bc10b94cda5fde656cb68932935ac23d790cc193116367eec90762d52a5c621109b7f20612ac00fbf163c337b7644667a96f10b2b25fd1f1a2371e0ed67a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
320KB

MD5
1860cdd48aea9511bbd598c3d6e80ec2

SHA1
4d80fb389297d1b42330fc9cc043890b7de843ef

SHA256
c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035

SHA512
64718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
372KB

MD5
3a08c4ac2bc4189c8ff57e6034ed196a

SHA1
1a9e891a01f6d5bf79301fa7bf4a443acef3af9d

SHA256
33471c946787a420170d05f5520eafaa9cad9ba82c44fa9df7dac200b1379c67

SHA512
0fd0f9058fbf225fb3182f9c2f3f1e620c828c0b63f376e0f171e56a3d378a33593911ecb8888ff6921d5f1d752d6ca73dd67eaea3e28be41501359ce2c25a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
9KB

MD5
32601accddbc0dd5aca78f72acac9117

SHA1
9b473a8d9e00ad3d6380f0b9768787893cfee1a9

SHA256
25d7fac81260f6938117e9c015c7218c0701724b5c456b2647e467e0118dadaa

SHA512
ad303068e28843195aa87e914784ab23858006bffaf7a34bc76ad079d783851a282f84399716c6b2f3cbd8c78c1a3c078922425e340046634c4b8898d7c5ef5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
13KB

MD5
afb546e53e84924fcf980b0f9caf5f6a

SHA1
73964143c577eb4dd982ec9f39ab4cb3eee7ce34

SHA256
425c2786955c4927dbbf0651cf3a7938e9b9cc4cdcd201a1107601c1ed780633

SHA512
f98ff1d3c8108283e65282b07aabb24dda054939c184fa00141501c8ad968a3a5b017cfc0dc43bad2a5ad0153dbea334fd7d7d5e463e0be3af8013016c664552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
85af9f4e0d884aa1569383100955b6ea

SHA1
57e5ac1a0454eef3941a79cc91954d764cc165d5

SHA256
9d4bf6af24c59edc82ddeb96a58d512356c2af4f133396fe01d6a99e1aa44a98

SHA512
cdcb468993af6f0a3dd0e13473762d7be40e83c570ebb785420a8ab5ff6afe06428a50ab48b72512275e2b2d04fa30c0104d41e96db94f80d707bf888b529a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
581412ef94406f54982ee59727868ab8

SHA1
5a3d9432552a6a754585611a01a8ec11a2731dd4

SHA256
b95dc693df050184ab6c9c9417c7629a179abc1a25ad5c3acad5199d43606f57

SHA512
d964f27ecf4f25d6c14da0ab21bcd89e4f9f6f8b8cd5499c33cb8396104c385da73dd9abc63a7b87f1756cb5c976a6b05104d6b464d0545a9a3f77e64013858a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
76051c1b17602b05afa6f55740a0f7e0

SHA1
ff31efd4f68bcd3ce6bba1f368b3bf63691fa0b4

SHA256
c5fac4d1eb8a9d4eff203347d12ce33043aa3fe69d3d89043c60858d0b830d1f

SHA512
c298e63e712a9660e6e16340d46a5cb865092a6f750deb3a658a2e201a5f553864d1769ee0f839ee7d0e42cb9b8a3799140ff0f1b8c2bf3d891d153931f52528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
c7ddfd4af55d4b22d5e643fddf7a53b8

SHA1
08ad366020faea56ec62a71ee2695e057d09b45e

SHA256
f99c4b7632147acdcb91f02d116cac44e21d94b6c596030f396496c940e87181

SHA512
6ee79202b04ebf6cbdb2fbbdc3b7ed33d1048dd0deaa21d8c095ebb3f3880a5ae99881438778bd76aee10192f38dfda9845f7b9ba2155a45e860963031e30587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
266966e5902819ff639feec60f5be081

SHA1
84787b6469801ffe615a5781f50bff987f356c35

SHA256
4eb296e51ba5a854fe3ddbce60078e8543b283c7f6971daa544562e39256ee14

SHA512
0fca43a809f7d9033c0e92ad7f422f5a830b383fb095f18b40a977dc8de839ccf23b84ee5d9fb69491ed2605a79d35a34f2019c4637a7d78eda92d340183ac64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\favicon[1].htm

Filesize
35KB

MD5
1a45ad331a3c382b62b1c1884a9f6686

SHA1
785a95b5891f4526b5d94ea084dd27d66b8f8ac6

SHA256
f66bad569fccf770cabed02b5f84e83fa04a9a2e939a319ce1aff4d8b055ad16

SHA512
6d3f6566d93c765e6c07cfbed71119a3df47bc82751a04be9fef13c49e7c4a3cd67327be83c8b3611203f4a8215d12a1c3a97d9d06ff752dad1d14bbe3fbdf1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\favicon[2].htm

Filesize
35KB

MD5
6e71a84e5918c924a211953b261400b5

SHA1
b432add1a3857df8b8ad4e7ad5f8e7f977cd88ad

SHA256
7f9d8254e2cec18335825b79cfbb6401cea956f004c01f28e6e4f7fa66eaf63e

SHA512
974fccbd2d7f8c6a3f2b96cee5e2435d52831640515e8b034d82101ecc5c10ae297d63e71f77c2d6c6596d738b40610e25b59bad70fb7fe0bcc861c8c630150a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF2A4665D2B5A2E9F6.TMP

Filesize
16KB

MD5
a4928f5dbcbfcd90a52e0bb7d2474cdd

SHA1
3381297da67548637c8ec5ea83b2767e39e5e633

SHA256
ce11e1abc235e587d276f18bf884e06406bcdb8349ca88c79cb86696bacd2579

SHA512
5cea46b5007c51d283b06d309824464c932745b06dfd15e0e799a228c928ca9b44fee6dbc4c2d439eb7d7698a11f4705c6392428d95b75fd8abc9a83a9617320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
409B

MD5
53f86d804158f227b2a81428f338670a

SHA1
7ee9c8dae67a6de9e3709448a069af974a51130c

SHA256
23de357e78f071846501d908acd9879e6aad53d7af41c8b83b72a3b19d81ba80

SHA512
fabc717f7b02067e4cafe347c1ca5ee4ee53265f04836677726631a5ca03d211d676ce7c964eafd84ba00e9b177383bb73c6cc06b959ea1faaecc81edd3f6f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
405B

MD5
3798462246155f2b99914769f76d511d

SHA1
a8298ee3561d43ed42607cf93466625aabe906d6

SHA256
9a4422a92a86eaf58c28fb1ba36d143a6c3fdd548c1c466498ba4740eb371645

SHA512
df860e8927bb20e3423f28d558b1a95b69e51943397d423dde18f22e7244a2779bace11784f87ebf786ea5e7ffff8f0ff7203f16c58eb90979c825ebc12ab993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
411B

MD5
a5987d600afcbee7cfa354cfa9680b08

SHA1
5f1b7ac728cee41d1e9f5289f760efdd88354c2c

SHA256
c220c155d598d29e7e72794c734e60696faa3cfdd6b20919592f063560a61fa6

SHA512
fa6356e09589cb6bb6e29e1ae9498c0c8abd5bc96a1da7cea986c5b036abe4c3171f6cca9c0a21b5e757b765bc532ad742de6c7e596891a4823c7828befd728c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
405B

MD5
742513201f0456a23c4daed85636a978

SHA1
59477446ccea9f0bf52085faf70906609c9918a4

SHA256
dcc3a3f27290bf080c43af933aac0564453b2f1be4885cbe8d82545dd5f4f768

SHA512
fa17366deb433bc97cb7d491a2a925873bc0eaca07866f12031a366856e502c6fac9ef92d8baaf054c102a78db5a0a02749d22a903b4a0a6591ecf3bbde534f7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
690f440fde06c498ac75f3e12bcca2ff

SHA1
bafad59389327bc12dfa1c3d1017c6471a4da7f3

SHA256
f842bf42064f42046597d3a8293b106b86a43fa0738e24c606a55510e3db52c3

SHA512
c8ed45e25bd3d2eb72a32501d4f2d94d92a47fdbdf2c2279b61141f7b917665ef5992ee9422411bb613e95f97f42edfc6eed20a24dd86b2398483762e84586e1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
14KB

MD5
62feef274f7b3a654bdc347f75e56aba

SHA1
298a8bc97707e0f9cd17aa4755787b9e8a4f4f61

SHA256
7a635c1153a922499a816d8881e21fdd15885332f09c46baef8c5737a2715ce0

SHA512
332ce158f41f30f8137600d7fbef7ef4de7c95e7d459f9886217583f32ca2d6ee244998e42e66b615ae3e427636696da9069e6a42dd48a1f7f3fa1721701c9fe

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
e55da27afa59259f750c0fbe1ddc12d3

SHA1
175537ba63ece4fb9c5af2f054e6fe501c591c1b

SHA256
799647ad32f6eab50793edd1770d34f984d9b8d9a0582f084edd847535f1da41

SHA512
ec464116045d3e025ab3d68d7b2de2050e46a0ed35de2c41e9255f6e48e5331e19bb864d092b8296e0299330629ebb4382097461f3e11ed5c12c4698ac753698

Download Submit
memory/664-203-0x00007FF62FDB0000-0x00007FF62FEA8000-memory.dmp

Filesize
992KB

Download
memory/664-204-0x00007FFD68D60000-0x00007FFD68D94000-memory.dmp

Filesize
208KB

Download
memory/664-206-0x00007FFD79260000-0x00007FFD79278000-memory.dmp

Filesize
96KB

Download
memory/664-207-0x00007FFD78E70000-0x00007FFD78E87000-memory.dmp

Filesize
92KB

Download
memory/852-116-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/852-114-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/852-117-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/852-118-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/852-119-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/852-120-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/852-115-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-73-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-46-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/1468-41-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-42-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-44-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-43-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-72-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-74-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-45-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/1468-47-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/1468-71-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-194-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-156-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-195-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-160-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-196-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-159-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-158-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-161-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/3608-157-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3608-162-0x00007FFD45230000-0x00007FFD45240000-memory.dmp

Filesize
64KB

Download
memory/3608-197-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3924-136-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3924-138-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3924-137-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download
memory/3924-135-0x00007FFD47770000-0x00007FFD47780000-memory.dmp

Filesize
64KB

Download