Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
11/10/2024, 07:33
241011-jd1fbaxerm 1011/10/2024, 07:29
241011-jbkl3sxdpr 1011/10/2024, 07:11
241011-h1ddma1ejb 1011/10/2024, 07:00
241011-hs54nswcrj 10Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2024, 07:29
Static task
static1
Behavioral task
behavioral1
Sample
malw.exe
Resource
win10v2004-20241007-en
General
-
Target
malw.exe
-
Size
724KB
-
MD5
208a7cf0646365f76dd6e381e96cf6f3
-
SHA1
21d89072373999a525a29882802eb639c6850c03
-
SHA256
8a33c8b3367ce89f7b0a54accfb415c98f1c6ebadf1fb72d150c575fa85b7b5d
-
SHA512
05b980d8c72289a5d3e8d4134a9b285c82dea833c5f3016ea627649bfea5def48ddb136e3909b77b37a8b2d017965ac123a023e5439cd1319cda339f94d6a681
-
SSDEEP
12288:MjqZqdLyerVbCx3YNo18QAulSOfiH93n5N2Ia5oMsn3+wQBBQA6AfwBhptfO5ItE:+qZq5rVbCx3YNdQ1xw5cIhKlBH6EwDzC
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral1/memory/4352-61-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4388 powershell.exe 3944 powershell.exe 3528 powershell.exe 5012 powershell.exe 3228 powershell.exe 4400 powershell.exe 3732 powershell.exe 3972 powershell.exe 560 powershell.exe 3740 powershell.exe 4856 powershell.exe 4184 powershell.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation malw.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 36 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 50 checkip.dyndns.org 76 checkip.dyndns.org 116 checkip.dyndns.org -
Suspicious use of SetThreadContext 12 IoCs
description pid Process procid_target PID 3576 set thread context of 4352 3576 malw.exe 104 PID 5072 set thread context of 3124 5072 malw.exe 119 PID 2608 set thread context of 1112 2608 malw.exe 121 PID 3664 set thread context of 652 3664 malw.exe 125 PID 5024 set thread context of 3924 5024 malw.exe 129 PID 4560 set thread context of 2680 4560 malw.exe 133 PID 4844 set thread context of 1496 4844 malw.exe 139 PID 1828 set thread context of 5024 1828 malw.exe 143 PID 2696 set thread context of 4008 2696 malw.exe 151 PID 2284 set thread context of 3028 2284 malw.exe 155 PID 2136 set thread context of 964 2136 malw.exe 157 PID 2996 set thread context of 4932 2996 malw.exe 168 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malw.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731053975226295" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
Modifies registry class 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff notepad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell notepad.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "7" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" notepad.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 notepad.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3096 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 116 chrome.exe 116 chrome.exe 3576 malw.exe 3576 malw.exe 3576 malw.exe 4352 malw.exe 4352 malw.exe 3732 powershell.exe 3732 powershell.exe 3732 powershell.exe 4352 malw.exe 5072 malw.exe 5072 malw.exe 3124 malw.exe 4388 powershell.exe 4388 powershell.exe 2608 malw.exe 2608 malw.exe 1112 malw.exe 3972 powershell.exe 3972 powershell.exe 3664 malw.exe 3664 malw.exe 652 malw.exe 560 powershell.exe 560 powershell.exe 5024 malw.exe 5024 malw.exe 5024 malw.exe 5024 malw.exe 3924 malw.exe 3944 powershell.exe 3944 powershell.exe 3124 malw.exe 4560 malw.exe 4560 malw.exe 4560 malw.exe 4560 malw.exe 4560 malw.exe 2680 malw.exe 3528 powershell.exe 3528 powershell.exe 1112 malw.exe 4844 malw.exe 4844 malw.exe 4844 malw.exe 1496 malw.exe 1496 malw.exe 3740 powershell.exe 3740 powershell.exe 3740 powershell.exe 1828 malw.exe 1828 malw.exe 1828 malw.exe 5024 malw.exe 4856 powershell.exe 4856 powershell.exe 4856 powershell.exe 652 malw.exe 652 malw.exe 2680 malw.exe 2680 malw.exe 4512 EXCEL.EXE 4512 EXCEL.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 116 chrome.exe 116 chrome.exe 116 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeDebugPrivilege 3576 malw.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeDebugPrivilege 4352 malw.exe Token: SeDebugPrivilege 3732 powershell.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeShutdownPrivilege 116 chrome.exe Token: SeCreatePagefilePrivilege 116 chrome.exe Token: SeDebugPrivilege 5072 malw.exe Token: SeDebugPrivilege 3124 malw.exe Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 2608 malw.exe Token: SeDebugPrivilege 1112 malw.exe Token: SeDebugPrivilege 3972 powershell.exe Token: SeDebugPrivilege 3664 malw.exe Token: SeDebugPrivilege 652 malw.exe Token: SeDebugPrivilege 560 powershell.exe Token: SeDebugPrivilege 5024 malw.exe Token: SeDebugPrivilege 3924 malw.exe Token: SeDebugPrivilege 3944 powershell.exe Token: SeDebugPrivilege 4560 malw.exe Token: SeDebugPrivilege 2680 malw.exe Token: SeDebugPrivilege 3528 powershell.exe Token: SeDebugPrivilege 4844 malw.exe Token: SeDebugPrivilege 1496 malw.exe Token: SeDebugPrivilege 3740 powershell.exe Token: SeDebugPrivilege 1828 malw.exe Token: SeDebugPrivilege 5024 malw.exe Token: SeDebugPrivilege 4856 powershell.exe Token: SeDebugPrivilege 2696 malw.exe Token: SeDebugPrivilege 4008 malw.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 3096 EXCEL.EXE 4512 EXCEL.EXE 3096 EXCEL.EXE 4060 notepad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 116 wrote to memory of 3252 116 chrome.exe 88 PID 116 wrote to memory of 3252 116 chrome.exe 88 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 2960 116 chrome.exe 89 PID 116 wrote to memory of 3108 116 chrome.exe 90 PID 116 wrote to memory of 3108 116 chrome.exe 90 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 PID 116 wrote to memory of 4156 116 chrome.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 malw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffef732cc40,0x7ffef732cc4c,0x7ffef732cc582⤵PID:3252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:22⤵PID:2960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:32⤵PID:3108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:82⤵PID:4156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:4244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:12⤵PID:5016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3700 /prefetch:12⤵PID:1540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:82⤵PID:1764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:82⤵PID:1852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:82⤵PID:4876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:82⤵PID:4116
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5076
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵PID:4268
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵PID:3592
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5012
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:3228
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:4400
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
PID:964
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StopUnblock.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3096
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SkipPop.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4512
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:4184
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- outlook_office_path
- outlook_win_path
PID:4932
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4060
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4268
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3944
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD521804f6e56a5d7f7198742e1f17336cc
SHA1e60814379f1210fdd84f95ce8efca329e6c15b92
SHA256463f826c9956af1471374fa0ed2f72d2c9f55637a706f2673b8957c8c833df2c
SHA512e5573ec168e4c37b94b20e0d2f313408be7817ffad7c0361806adf0dda0966cf01d4f56e9b81a6893713dfad849c49d03d2d9d76208405833c976ad79689845b
-
Filesize
8KB
MD56a45d9e257a910af01def29a53213a6d
SHA13404709ca493a2be2b3657fd7ade3b1742526f5b
SHA256d17a502cd82a2eb73089216550b51409c8a52719ba9261b943e7217a606d0bc0
SHA51285e969ef7d9d644fd662afdd5a6fe3609e39dbe7b40b731e7833bbf8a762f638853a7723027f59414c57562d181b11d96b07c72a94f86bf766eaf7aaa6d791fc
-
Filesize
15KB
MD5d89f3772d72b8704cb64f751660ac7b5
SHA1ec86f6c807c8ae5dced0ac37a64dfc8a2111de5c
SHA256c5d583817d9af82cbefca0ad97ee09f1f36c214ac6831e8ca722dd5d7b4fbf2b
SHA51237ddbf4714755002485ff376197a18f4fe9ae6f43f8f41910b97725784a0d2b76688c7956591164f0da86c7168fc4b02473a981b92574c1a24510a00c97d8186
-
Filesize
227KB
MD5d69878cae067a5971bbeed000fae85d3
SHA1fb61c7b92364f59a9860a8a4616151ec71df29e0
SHA25634b8242acc7f24ba4410bb995b1561894efd9d9efb26b5321a8f8bf83a94e756
SHA51270ac62bb36f45608a83fa46dfe87690e00a953ea05c5bb2c810f7eb0e6b29d2e9f236388f3141b8a5f36944334e7fc3da274997b833e66815c4c7bca68d6887e
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E63ED0F6-D851-4450-AC49-6710FDEDB3F2
Filesize172KB
MD5df093cd3defb03bef2044280b203f3ee
SHA13574b9e59d62526a1b7e0b37ef465f699bf2c1c4
SHA2564be0f6e33c2f371e17b17097980bf5d1f8bcc1cff77dc20b9f1fa7e882a0fea5
SHA512d88c252c2c99e2486dc3bbc50b097c2cb6ac99e9afd9fbbdaef363a00380b1acf661d56989a519369e69f8a258ed82f56ed22beab3640c98f7ea5ebc9a574039
-
Filesize
8KB
MD57bbdf7549dd361ff57f6dcde70c46c5b
SHA1b71be7e0eb43409092bea55f38f50168447b90cf
SHA2569e1a03de7a64c1386fbbf7c6c02a35a11459bd30184d6cd1b64b4155ab3137e5
SHA5127d1c7c8013435404602fc6f650e6fd9db159bcc4182c30fa792f086b060744d70b3d44043c60d82dcf01fbdd18d839c40c501e8d54eda4d96954687f012f016d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD58dfdc5f9a174bbe75900921d968f3b94
SHA1192b5a749c802d96b6865ebd615e9256f7ea57c5
SHA2569615853cd7b7518abc633c0cbf66145b528ba20fc0592c565744efd0d223fd9f
SHA512fab96d658056c2b0c7edde7c7d659e06f6dc6914625436b8235be421bc2476cebb34f69745a8f3e829864c799183f65d28c9d63ed211dc3b5e523f29d49236e0
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD58b5c3bad70428a28e6a5d0cf0cad78a4
SHA1bdf20a6d4b082cb69cc7e12604d0a87ad2989549
SHA2566624c32a3c754d25818437fc1a36882720a55ce0d2374bd1fd02810c3f35c6e6
SHA512f5cb060b9af06279fa69c6877695903a27ca9fe0c4253c216a141fd0587afb6dd78486c8a71bce1c0ffb8582f23e0c5dbcc2fc5fd016cf12351350189d3262da
-
Filesize
18KB
MD5341cf7a05d3268e8b4155b640820870a
SHA1fca1afc2ab8341e8f6599c3fd74636561b6d4638
SHA25636c0f3e71b5e69e745a36c3608f38a9639bd89eebd6619bd797ebe4c263b7b68
SHA51218b4acb61cc53d84b83869104c8c69c2df8c95a0a077474ffd6f7c8c75d1bcde8a0711fa3ae61e0d18843977f8e38c52f37d05ed2bf60fbcb3f2623f7631d2fb
-
Filesize
18KB
MD58f132c8f9a5d403d89750d8bee89d4dd
SHA1526a3c058b2ac4f9b8dbd45a15067d26e6b5b246
SHA256b7208240e48e51d6d6ed0c06750fc0151e5e434d5f50e51cadfe99f600fc81ef
SHA512780ea90556f3be5f20f467b49ed458a5ecc41bcf08ab6f4feda2433c5c4e916158a4ef55dd49a59b34033d383eee8b9dc64c1c729a501b8202088b92a9369637
-
Filesize
18KB
MD52177cb5065d89f1c12b9d756410a6dff
SHA164c97bd4c36cbe0c0b3d4b7dd25d0899771b4e93
SHA256a0b18d2b3cc305510b8fc2f0492537c69e252a75d21f0a303e97714a61cb5aed
SHA5127677ce5d2464f971962662e75c6934f0261ba79972ae906f04a2a6661af82deef8e65f4016a0b680b698f8c3c2aaef4f26af9a2e83b5a5773fda0a6eb2301fa4
-
Filesize
18KB
MD5ea2f6d2361b24ccd82cbe43013b54eee
SHA1cbaae89cfdb811321198d0318815e90004d8530f
SHA25616bbb281cce8619886e733b960b3b0f4ea9f03e82b64c7f382779ed75eb28b88
SHA5120ce24a796bc2403ebf635d61637a2c3dc6d4289be80bc5f897ade08bed316c23f58745de8b1411da2d2bd44fcaaf7daf5481e20f71e2d80e67278b1135557474
-
Filesize
18KB
MD56dd536dd2f04096ca8a985626573d3b6
SHA12d8ad2010579192bd54b672d6a8ee879e3cd255b
SHA2569c08a30ad257a5e2a75499f19e69445c173e3fda218db02532d57c6fcd4699ce
SHA512b7e0ad7ddce4ee1dab46e53842d141fea7e2102056c2fb168eb9b3fbadc8ff58b40e8e7280d533e6235bd7f70baa5bc37f72b7c3305a8c2139ab8d44982163cf
-
Filesize
18KB
MD5416dc0c7899b4d36900018776fa403b4
SHA1ead47fdd0019f8d56a1d13fe8a5062a6c404eab6
SHA25631ebaa2c608e01f9a6816dc7c38525e8f143f855e142a36340420ba2b67e3147
SHA51203ea54bc6da374ee0ae38d7d290aa340c00c5dc0a656ee9630b73a9d5d6570723e46c013e5316824bf8881412423c585cd5fdc240d333eb0a1684f2131332bdf
-
Filesize
18KB
MD525dc5b410887b79d23736dc874564a70
SHA17d028edd386fa6be9b7234dbdd097daf66fe4c33
SHA2569aa6475b8888323dfb06a01120ad9fe8c7b9a9971273c409e03b670690a8beec
SHA5127c1f98a7825a081f7736d25768718fc5843004149c944279a853cc59abb5d17d1436c8c330e582b3d35bba6473a27c2125b217949296231518a706fdb366c0aa
-
Filesize
18KB
MD5a6e9af4fa0a2054e9a0fca38019a3496
SHA1be3c8d42f86a5fc5d97e799b492a3d949d5f31b0
SHA256a3bb45872e57029486c4de6c9b89ceada8f2131009d574385f437bd7665c5d0b
SHA512dc2cf99ba9a274d3e90b14397e6aa6940bd2f5304175da03b78fb4bb01315533ba9d5f1ebd57997fb25b28336687b1a5d1da946f2800559fb067d7e84df26ff4
-
Filesize
18KB
MD599c5c917a0f061add54cfe444c74c685
SHA1a3e57d25ec95a7908706544b0e317b29679cdf65
SHA25621608bf7310ad62ca85fb6cb1ed57cbece2e4b40d83ffe68b44662cd6f43c9df
SHA512ab958127f7e91e1fdb9f9cbdc6afb51c8041c96931657dabbd63b5f124f535328aa4e58306832067465e2e03acbac8c9473c7d8ca24fbde60b0221ecfe934b41
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
363B
MD5d5c8d1a4b1ea29fcf5c6a3df4ac75c85
SHA1d270ba37905b99790f330f16c54e3a99291ea32b
SHA256177786164349e62d982e6c6dfac6b36263f947fb8f5b7c9b2f7dd7fc2c08cc42
SHA5120f8ddc3aecbfb2f31979a184fd135e6630bf159b9f9bf66aded08f6cb6f05feefaf2393736c6ca359cdbfbcd0a5e06662840793456c17ab0e65949d8d47a35b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize3KB
MD580d0b4c4b2395b4c5d2ed3f542f3319e
SHA1442de60ec32998b0890d9688121bb5cbee431dfd
SHA25628e463528fb154ca107e88456c9bf7d873e51dd6622fd2b68df376531abc37ea
SHA5122ea89607a84a30e944d35eff812d8c30239d325cceb7f5f03b2d67a13227d6e645260c45a06bbc15204e9a8204670b8df8e3781efbdaeb4f992a8de79fc62618
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize3KB
MD5ccfd6a6b4d1656d7987e9ad2ead2c43c
SHA1f8ea57396104d42efb30e3eb983f232372c4da04
SHA256031b81da8173ae0bbb326ee11a068b77ed246c84c69ff074e8d9e4309edc101b
SHA512b5326b62cc5f2b556bfd0810e7ff533d1e19bdefaa8dd2df0bd5575ee0b8085e616670325d83243899b6c014c87647f01e5f008cdaafb9ab13bc32881de739d2