Resubmissions
14/12/2024, 09:08 | 241214-k365tsxlew | 10
14/12/2024, 09:06 | 241214-k26gxaxldt | 7
14/12/2024, 08:50 | 241214-krn5waymgp | 7

Analysis
max time kernel: 958s
max time network: 959s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 14/12/2024, 08:50
Static task
static1

General
Target: sample.html
Size: 267KB
MD5: 65624ae0f03e4b0b37b193246a35de15
SHA1: b91e192d5b0199ddf70bec6dbc5e6237791c80de
SHA256: 14c9466ae2013053d20cf15258c8fcdf886e752542c7a0519fd39537d91c537b
SHA512: e3ab55d6104b4ba7c70f67e66e8663e461c6317df593d9478994abeb2292e5edef1bf1782d1535bf486a6618f6ff35ad05d6ddedd34570a0fa44d0d976c7a8f2
SSDEEP: 3072:7Oh7Oi+0joZWm0ITADlNRzh4bgEJfzrIugDAwtN+Tl/jS4:7Oh7A0joZQITeRIgEJHIbCS4
Malware Config
Signatures
- A potential corporate email address has been identified in the URL: PUID00037FFF8D6CE234@84df9e7fe9f640afb435aaaaaaaaaaaa
- A potential corporate email address has been identified in the URL: [email protected]
- A potential corporate email address has been identified in the URL: [email protected]
- A potential corporate email address has been identified in the URL: [email protected]
Executes dropped EXE (4 IoCs)
pid | Process
5512 | dismhost.exe
5096 | dismhost.exe
2808 | dismhost.exe
5696 | dismhost.exe

Loads dropped DLL (24 IoCs)
pid | Process
5512 | dismhost.exe
5512 | dismhost.exe
5512 | dismhost.exe
5512 | dismhost.exe
5512 | dismhost.exe
5512 | dismhost.exe
5096 | dismhost.exe
5096 | dismhost.exe
5096 | dismhost.exe
5096 | dismhost.exe
5096 | dismhost.exe
5096 | dismhost.exe
2808 | dismhost.exe
2808 | dismhost.exe
2808 | dismhost.exe
2808 | dismhost.exe
2808 | dismhost.exe
2808 | dismhost.exe
5696 | dismhost.exe
5696 | dismhost.exe
5696 | dismhost.exe
5696 | dismhost.exe
5696 | dismhost.exe
5696 | dismhost.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | SystemSettingsAdminFlows.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | SystemSettingsAdminFlows.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\80187993-fea9-47b9-b3b4-6c6678cf5401.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241214085026.pma | setup.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cv_debug.log | msedge.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Logs\PBR\CBS\CbsPersist_20241211153424.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\diagwrn.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\WinRE\bootstat.dat | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\BCDCopy | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\DISM | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\Contents0.dir | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\setup.etl | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\setupact.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\ResetSession.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\INF\setupapi.setup.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\cbs.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\setuperr.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\_s_41BF.tmp | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.dev.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\setupinfo | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\_s_41BF.tmp | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\WinRE | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\WinRE\bootstat.dat | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\setupact.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\INF | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\Contents1.dir | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\ResetSession.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\BCDCopy | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\setupinfo | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File created | C:\Windows\Logs\PBR\DISM\dism.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\DDACLSys.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\setupact.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\setuperr.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\_s_40A4.tmp | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\PushButtonReset.etl | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\setupact.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG1 | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\INF\setupapi.dev.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\CBS\CbsPersist_20241211153424.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\DISM\dism.log | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\SessionID.xml | SystemSettingsAdminFlows.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File created | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\diagerr.xml | SystemSettingsAdminFlows.exe
File created | C:\Windows\Logs\PBR\Panther\setup.etl | SystemSettingsAdminFlows.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | SystemSettingsAdminFlows.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | SystemSettingsAdminFlows.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | SystemSettingsAdminFlows.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | SystemSettingsAdminFlows.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | SystemSettingsAdminFlows.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Software\Microsoft\Internet Explorer\GPU | Microsoft.AAD.BrokerPlugin.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "108" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "124" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "0" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40" | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\signup.live.com | wwahost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupView = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "124" | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874433" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1" | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByDirection = "1" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftonline.com\Total = "124" | Microsoft.AAD.BrokerPlugin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.microsoftonline.com\ = "0" | Microsoft.AAD.BrokerPlugin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftonline.com\NumberOfSubdomains = "1" | Microsoft.AAD.BrokerPlugin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache\History | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | Microsoft.AAD.BrokerPlugin.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache\Content | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\aad.brokerplugin\NumberOfSubdomains = "0" | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftonline.com | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\ = "1" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com\ = "0" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftonline.com\Total = "0" | Microsoft.AAD.BrokerPlugin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "3" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0" | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DomStorageState | Microsoft.AAD.BrokerPlugin.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho = "0" | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftonline.com | Microsoft.AAD.BrokerPlugin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftonline.com | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\LogicalViewMode = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0" | wwahost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | Microsoft.AAD.BrokerPlugin.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.microsoftonline.com | Microsoft.AAD.BrokerPlugin.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\MuiCache | wwahost.exe
Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.aad.brokerplugin_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\aad.brokerplugin | Microsoft.AAD.BrokerPlugin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "1" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874449" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" | wwahost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0" | wwahost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 6964 explorer.exe 6964 explorer.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 652 msedge.exe 652 msedge.exe 668 msedge.exe 668 msedge.exe 524 identity_helper.exe 524 identity_helper.exe 6120 msedge.exe 6120 msedge.exe 3048 msedge.exe 3048 msedge.exe 6260 identity_helper.exe 6260 identity_helper.exe 4536 msedge.exe 4536 msedge.exe 3404 msedge.exe 3404 msedge.exe 1568 identity_helper.exe 1568 identity_helper.exe 1016 msedge.exe 1016 msedge.exe 1016 msedge.exe 1016 msedge.exe 5272 mspaint.exe 5272 mspaint.exe 856 mspaint.exe 856 mspaint.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
6964  explorer.exe
3404  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
Suspicious use of AdjustPrivilegeToken 41 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 55 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree: each entry shows the command line, the behaviour tags the sandbox attached to it and its PID; child processes are indented beneath their parent.

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 668

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff87ddd46f8,0x7ff87ddd4708,0x7ff87ddd4718
  PID: 1968

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  PID: 2312

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 652

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  PID: 360

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  PID: 4604

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  PID: 868

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  PID: 1276

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory
  PID: 2600

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff60be25460,0x7ff60be25470,0x7ff60be25480
    PID: 4276

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17267148814630209910,6460886726558143641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 524

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2204

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2432

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID: 1840

"C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
- Suspicious use of SetWindowsHookEx
PID: 2660

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3992

"C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe" -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5624

C:\Windows\system32\svchost.exe -k netsvcs -p
PID: 3824

"C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe" -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 6960

C:\Windows\system32\svchost.exe -k netsvcs -p
PID: 7148

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 6924

"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
- Suspicious use of SetWindowsHookEx
PID: 5680

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
PID: 5428

"C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
- Suspicious use of SetWindowsHookEx
PID: 4312

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 6312

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 6964

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://account.microsoft.com/?ref=settings&mkt=en-US&[email protected]
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3048

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x128,0x150,0x7ff87ddd46f8,0x7ff87ddd4708,0x7ff87ddd4718
  PID: 3436

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  PID: 6688

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 6120

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  PID: 6152

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  PID: 1096

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  PID: 6252

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  PID: 6432

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5416 /prefetch:8
  PID: 6420

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  PID: 5232

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  PID: 6920

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  PID: 3664

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 6260

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
  PID: 4280

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  PID: 3636

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  PID: 4548

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  PID: 2648

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  PID: 7164

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  PID: 1896

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  PID: 5168

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  PID: 4972

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  PID: 6796

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  PID: 1976

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16828010224831778918,91561254616384239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  PID: 6280

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 6852

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 6824

"C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe" -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 5752

C:\Windows\system32\svchost.exe -k netsvcs -p
PID: 4528

"C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
- Suspicious use of SetWindowsHookEx
PID: 6704

"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 4504

  C:\Users\Admin\AppData\Local\Temp\4594A6FC-4794-4A5A-BAFE-E373979C0598\dismhost.exe {05CF7A2C-9CD2-4009-B7E5-42DD95F390AC}
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 5512

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3404

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x130,0x104,0x7ff87ddd46f8,0x7ff87ddd4708,0x7ff87ddd4718
  PID: 1056

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  PID: 2924

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 4536

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  PID: 4052

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3188 /prefetch:8
  PID: 3588

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  PID: 1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:12⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:6908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:12⤵PID:6296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:82⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:12⤵PID:4248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵PID:1752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:2648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵PID:6824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵PID:2204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:12⤵PID:4644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵PID:3448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵PID:1636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:12⤵PID:116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6720 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5764 /prefetch:82⤵PID:5688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1196505268799096066,5176796868563045460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:12⤵PID:2992
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6544
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4368
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:1752
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:5788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:5360
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:6820
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6964
C:\Windows\system32\OptionalFeatures.exe"C:\Windows\system32\OptionalFeatures.exe"2⤵PID:188
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:1820
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:6424
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6876
C:\Users\Admin\AppData\Local\Temp\05F6E524-CA24-4185-AC52-73C2B3AC8591\dismhost.exeC:\Users\Admin\AppData\Local\Temp\05F6E524-CA24-4185-AC52-73C2B3AC8591\dismhost.exe {64A58C1F-B0D3-44D4-BD1F-67FD99E703B2}2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5096
-
-
C:\Users\Admin\AppData\Local\Temp\68ED2B30-5703-4BD9-8D78-DC93DA2E2C9F\dismhost.exeC:\Users\Admin\AppData\Local\Temp\68ED2B30-5703-4BD9-8D78-DC93DA2E2C9F\dismhost.exe {6A65BB97-B699-4831-81AF-E673468DB3EC}2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\C1970896-E682-454F-A8B3-67DE21690F08\dismhost.exeC:\Users\Admin\AppData\Local\Temp\C1970896-E682-454F-A8B3-67DE21690F08\dismhost.exe {BCFB39C9-8AD2-4D45-9B51-70DE6EFAAB3E}2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5696
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2704
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\CompareMove.bmp"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:4044
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\UndoDebug.dib"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:856
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:5824
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:3888
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2008
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:5656
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:112
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2144
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa394b055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2068
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
106B
MD56183092193c2da5166e9cde901351a1a
SHA1c687278099761bc88bb72d1d21a6cb72c1943159
SHA256a6e0979fa60c221a8f738fe7e9520fdb24bb3a2f1e8634efd576065ba6bce798
SHA5127c0252b66ebc8665f8b57e73d8e64b555f4f92dee819b0efcb08727d2721fe11ea4b9d4ae530ce7053707ad4c41266a5f2a90c8d446defdf7a92f94a08dc3d74
-
Filesize
42B
MD5d8963b73a7267e8e65190d983ebd8ba3
SHA126d2f3feda36a6ae96c26590eb75da54d63b47a5
SHA256042f65faffd53ecb5db0e6b05eeaa351d261a5e09a9a9414b5b1d2b553bf0b96
SHA5124d367ec46a6dc55663c1a9f9ad065cba9c0cc508f27549edcf80ef876eca11365ae62d0da7d48959bf4df071e5679440cffb68011f6af07ab21b3a7e3bd76087
-
Filesize
66KB
MD53c08dea20e350ea34f7309e856576428
SHA1d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA5121c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d
-
Filesize
7KB
MD5bbd63a3778698e0eccf155f41e20cf93
SHA10c0a864f603f5b9efa824cf7c5ca939f6bd57de5
SHA256ff63f4b8552a8f24a094c642f1b489b3ffe781e4dca79619fbbdf4957f8ae6a4
SHA512a068633b00f6f83d1ac7409fb101a233a8d36a129f8e668d085941b0d27d953df4081631cfb5a5c3a294ec685198d1868e24db331e7c26313c260c9d1492d5c8
-
Filesize
11KB
MD5cad4cbc7e2e573aba3b7cad6734c1ea5
SHA1af6ff8eebe3e292b708562ddd26c2023b92e2bf5
SHA256e1a23149ebe3264f8750a330f404a05625d9e7741026c8afe1de5cc1dfed6d0c
SHA512482cafa5d6f63af3b0906379bad3d948181fd0a6030b965841c56d04e455fd1f68e02faebc18af1e5d749bc733d32e62cc0e42cb76e0e796f883d45a5626881a
-
Filesize
152B
MD57b19b7ecb6ee133c2ff01f7888eae612
SHA1a592cab7e180cc5c9ac7f4098a3c8c35b89f8253
SHA256972bc0df18e9a9438dbc5763e29916a24b7e4f15415641230c900b6281515e78
SHA51216301409fee3a129612cfe7bdb96b010d3da39124aa88b2d111f18d5ae5d4fc8c3c663809148dd07c7f3cd37bb78bd71e25be1584bd2d0bacf529fa7f3461fd8
-
Filesize
152B
MD523fa82e121d8f73e1416906076e9a963
SHA1b4666301311a7ccaabbad363cd1dec06f8541da4
SHA2565fd39927e65645635ebd716dd0aef59e64aacd4b9a6c896328b5b23b6c75159e
SHA51264920d7d818031469edff5619c00a06e5a2320bc08b3a8a6cd288c75d2a470f8c188c694046d149fa622cbb40b1f8bf572ac3d6dfc59b62a4638341ccb467dcf
-
Filesize
152B
MD5ef2eecfd8b9d5d9fa22a8b7a58b4300c
SHA10f9ccbbe964685ab241d9f87901095e5053e3c5d
SHA256acd94d5afbd7b6ec927ff94ebb2efc03b924eb93956421472350ce519723b8a5
SHA512f5a47c06e3da089f496878747540dcdeaca08a2e4867088226324b45c4ad18dd38fc6d16923d9501726a5919f4305a020085c128af6c033f61a259a48a0b7664
-
Filesize
152B
MD547e3d03e60d014ab2b20e3246bacb122
SHA14cf5e2cda1d28a85f53555ce1da1705a118e8b0a
SHA2561a6a22a23eefb9bbc7767f6c2ee79ae7a47f0c08bf70cba7bf63b441241524c4
SHA5127785d2a9ea47d2179a6d4c880e7e5dcc22d80f1d37875793b9bac18a2ad5e52f93c324d5b71a29b2b948ea9ff6f6a7acce2e080c259bd00aece0e1022019fd6e
-
Filesize
152B
MD52f447c374fd5d21a0c0f7436f16da437
SHA1572be59b899cd170f2acde96be468c42c55f933d
SHA25615e67c3aee681a1fad168e7e84844e7b385721b6e8a16c65117ba7d39c939379
SHA512a55c6ede7c9f987aa092b2bd2e88322bcd793c9f0206d23ee15c09238b1de730240539c6a3b555257ab73c2ebf012da58c07840babf690b5fe4267458bf09de5
-
Filesize
152B
MD5c9cb81fe23168f8e75c558005bfac61b
SHA1f58acbc90d2f0b131f3c358b545b8b632975bee7
SHA25617ed18796bca36fdfe889676c1e97326446bcd24e56aaac2df75bf2a7215b5e3
SHA5129e94f1548b4e01e7ffe2f8885f17d718282d6727e2288c4e04becbffbccb292240df1476acdb91e3b9954952813d0c1be684d296737766a803bf73919b9a5e60
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2ec70310-a4dd-4428-bc74-e97aa595f7ff.tmp
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
79KB
MD5e51f388b62281af5b4a9193cce419941
SHA1364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA5121755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e
-
Filesize
16KB
MD512e3dac858061d088023b2bd48e2fa96
SHA1e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
SHA25690cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
SHA512c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB
MD518782a44aa5e2d0cc735768539687558
SHA1b901c58f3cd7f790788bf6599a2dcb613c902c17
SHA2561c5edca607c66c9c05a61ccf64e012f318de91f84018eb37ff04df9314563f6e
SHA512e3c11a21d3da7cd5acf2e65ff3c350933ac78eff16f5a27b5b55549b6095e265aa439879bdc7d43870d62e12df59a3ea69a3cf700797080b980db247e266d788
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD528fe452fe08064caa445231eabd68b8f
SHA1c625b030571f3212c6e67771843013ad1186687e
SHA256345f4ea4153bddb147a89088614dcee350fd9e962429737968d6318fb1144f60
SHA512e2a56ce42c2941a53fc97ed6ec1bbadf469bced04bd1203cb83c4812441d66b811c6f13b174648e0c58006009dd6134a1943a67df9b856f969397696ad008546
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
3KB
MD5662345e87368866901f9168ed233f8e2
SHA198d7a3c0384a38943b124adc53d140e2cd61a827
SHA256dd14db37c10ed119ff479dbeb75ed66e6884a2d741d18318e2010f52e640fa60
SHA5125fb551cc0bf1592426065b6c4c414bd7b78fbe0ba11815b4e142ec0ce2ea59918c702699a37844a48aa9c00c5edce6adea1929a33bc53117060152d621432c0b
-
Filesize
6KB
MD561046b6dcbe1a73d10095369a99d5099
SHA11d404aacf9e1d5363e4a016fde188b2fc30a2599
SHA2561f32a0341da17374c3046798a1f65257a425bd978bf74437a1551bd85725c7b7
SHA51228bae4b00b34bbfa240c0887d058760e96f764cb3e3e1aea7df4d6cba0e2ed8355f3267eb10f4a22bb718d658b9c0d88b90b6fad96f279b43644d0f97e05ad1a
-
Filesize
6KB
MD57a76f73f79194d4ca779d6cf5621ce8e
SHA1f727c187444ced821851bfedca3726c0e4a96ec3
SHA256f08fa12006e9223357a5c5b3667bc75cf6be6179770f984276bc2e4c4fcf9143
SHA5122f9c9e7ad4ca1ca2ee793070e2db4a853aaaa49aec619c3d6b39edd95bb6aeb3e593fac956b0b479e60958d10ccc03211933579b83e3a4ce955b938883f4bc06
-
Filesize
10KB
MD5c0dfdb3384f8f304c0c9b0727f1f67ee
SHA1322bbe0d08307179a1f5740ede6400cad6a51bec
SHA2568689ce3bc6ffc340918721599b5d0c24a21827eb5224ebee73fba161adade1f4
SHA5127b4519619634c027c64452e59609640de036a6ad53e6e6f3068e63ce9d719992a9e38c9339dc77b73cd70c70991cc658db3b946d0739c41315513bb5e1221021
-
Filesize
11KB
MD580f6202b82b16fa0bc44dfa4d783aba4
SHA1fe50b05a35772064e90c223fea8106b7c389ac50
SHA25653e9f41cd3a16b218596fb19f6de9d423392baa9081f887241118a6ba157ab07
SHA5126d1c395f63b8d978a0c82efdea2b5fc8ac5a4e61a9fb76463d474f4d2ff731bd5dda847c01d571fa170cb2aac1cbe49f9b347cd2a1880189982ec95c05b9a76d
-
Filesize
11KB
MD5f5bfb2919c75c01ff350baab8063ae31
SHA1bf5ed18e686911b1fd78875e7e4c472c50cfdcf8
SHA2562d1580414120ad3ee6354c10e71b8cb4e6a10492f30fffcf7311179fb27393f0
SHA512bdff7ba4fe90b0e51a1f0a598ddd1325bb6e1556f81d2e145a92ba171880b5284f7b8fa5c2e73b2a41c7d3fe47487438c7d127159e07c823693c910d05433337
-
Filesize
5KB
MD55d05be172ce9f65cc868c4fc05d4cb9b
SHA161fb0e178d92ed1fddf945a04aac9ee7dd2dc145
SHA256ff574df7d5a03563f0abd387fb70e0919f00e30754a21efe0ed9f428f529ef65
SHA5122d74da1a81250ed91380378ad5e61f84236f67bf25b2b7f49475ef6f0e4da41ad0ec99ffe68306ac1d37b79cb28f9041a12785f9ac7067dc89006522650f95b4
-
Filesize
6KB
MD559dbaf05b1e110f78cda115955f7c209
SHA18f54714417fdff014db3844c570dff24c6cdcebc
SHA256654637470cc3335ed5033917337b44048dbadb93c56cbe5507c94e4e761231fb
SHA512cb3cb08d772fe04ff305b1c3e08a8d4588f023f429e349f70fe8964a610dc97609a88291de9571747e751f150576dd7c56fd26328a208385640c1a0018f514f8
-
Filesize
7KB
MD557fc0491b473634590cf3ba94ee36215
SHA17161abd01a1ba4ca0f9b22ecd7a80e6c2a43ab76
SHA25611bd0738794e4300acdc49b1a38803b443acf15eb049bfffdf06083f536b657a
SHA512e742bded21e6f2f1f0075d8680b4d53e4f41b8c97eb3ff633f00cb9d00daf7eaf4be0e70fa51f227092985f059370ae96570c9d8646a7a25603e3f098fa19c51
-
Filesize
8KB
MD50d651106adcdf54f9ecfa592d0f5d026
SHA15b4136b6d1412171ec92f336afef5c8df647bcdb
SHA25698c3d2d683472116c388cab45bf0ddf87d773592f109f1b0cae9a2ccfb7fdd5c
SHA512d55a74eb42bb9efa0930a5a973eb7a00ccbc340ae689ca1e9e096b05f0deb18676d9b24a93805f86c5e66b4fe06d11d6be8772589a0f1b32d0932280ad69b20e
-
Filesize
9KB
MD5cf432ff6f1e5b580bbfa1c473991ba8a
SHA1ba1af1b2aa4158d81f050f8c9563eb35549dad04
SHA256c570d7df86536e0b394a0f9808a66e08274735270a5b0709e2de8c23c828bc0b
SHA5126566793868d5808be39c1abed47065217f2563a76767e8d1c92cb46c4ee1c80642ddc5b2b77be8f0369c0d5d55ab092f1c13bd9640681e8eec404165d04b33b2
-
Filesize
9KB
MD54336329b08a5dc57f1f112a6ce1a1d8a
SHA1a5c24478fe56a5668eb52e30625630d0420cf0bc
SHA2565f23257289d54b646677dc993382d482eaebb542f27cf352aad000349afcd6a3
SHA5129e1de684eb1d080dad50fd147c388fd43c05df17352edb42296afde443fc1e93368677316ca4034bd4a4c49657d7ed8178e90cdf2db0b6524cd1e6be7f62af81
-
Filesize
11KB
MD5abcbc9861f5d367d8a084553b7f92eeb
SHA105a4c3924b40dbe007a34ebfa9e14f29a3fbd662
SHA256df6177287f4090b9998da403c6e9fd439989f8e04aad4ae4a0c0b8143f3f9d62
SHA51206cdb6e0996679147686fe5359ac785b31e0b6832236cf1a9e56cab680a035c942b0d6bebbead6984c83e443a5f5d54b67d3c4a3561d48c7826fdda90381ca5c
-
Filesize
11KB
MD57a5c5e67a9fdfdde33db22c916e496bb
SHA1aaa3cba0222eb3a0822dfa54ffa244d4754301c6
SHA256d9bec083c1fb6a1c2ff991b84cc39a51f066a4b2cff8c8fa64a2fe8071ff1099
SHA512184d6572b2fa1fc14d5ccd1d21840c68e29d08e0e13eb6a61d7278d89b543dd141da75c29fb5a5f014bd781aa3d8cfbc278cbf2345c58d2b0e76c370a6576499
-
Filesize
11KB
MD530b8ce18b8d4ba723f4c93c2cde06e8d
SHA19cb6571f4f1942db86234948c6d7d41f03c8ee3c
SHA25602abc34040aa44c16deb6fbf1019ab4905ba242b03be42a0f02d5becd5a72bf9
SHA512d0a2fcbb31eb3f9d6026c89b17021446af707710000d2a12341f2e81678277137f558f070258699f0cadea09b9175fa2b9630e617787ab23653bc179c3c434ac
-
Filesize
7KB
MD5adfa88a0fd3558eb05338ab4dfef7ee2
SHA1b01ec1997277847323b70eda264f5dd3eca9a92c
SHA256e319eb26d1919d4cac4260c3dd57530ddf31a09912f0d7e218c09dca95730f6f
SHA512da9db7554c028e72be045a16346f03f12c4b89533b54e56264b34442880ecdac4a29f21aebae6ff9a57ec87448c6e0455491c5bd026be0eef7f3f97c45768e6e
-
Filesize
8KB
MD55543b210d560bf94e59db7432fb0e90b
SHA1c1b3a4b5ead38a6316d7ace652e0f16055b50656
SHA2568fd400c5eddf8ffcb28cdf1456571ae934e932b190633363602e3c5b3bf0bf0f
SHA512038f2f82f3976f7f778071ee19094acc7f83cae739ff6c27f9d5812c65d8e8080d9df13dfbdf94bdf9fb1ef7b5162eaa60dd721da0c0b7dd5cdac5399eeac5b3
-
Filesize
11KB
MD518e77e4d0013035f211367ea3d7633e1
SHA1933c128a23bc29e7a02396d53997f6a332c0db73
SHA2568fd27ff38ebbe340afa83f2af3bfddf8a86247b7ac4a92c01573319e5f5486aa
SHA512d310af363d1cc0df999f711514a6a8e821cb3a6ba5e453e3e6984cf02ec972157e8bd0115fc6cbe7e4d3d316502cc3496a6c7edfc9c36b14e24e1a2e0484a63d
-
Filesize
11KB
MD53554f61b06a87938d18ec717f9117073
SHA1e240e5bd932b208c7b75eac4027332576c1bbfe9
SHA2561c21e68f17d89a9285cc30d7ac4177c10686ed72c38c7828a024d218dd17cfd6
SHA512f3936a9cfa604f16ea3fae3e805de1e5472e1a9c85d103b106ba43708baaa04b87f49b76142d9d3c4c7397cbc838142ddec5bce056925bf31830edaf72505715
-
Filesize
9KB
MD5e38a73bcb2dac6f8e6c6352c0bf22cd7
SHA1d82655e18bc521da8e94d0006633de06616d40cf
SHA25663b605a48aba14b8fb0cdce29ec5a1b1c2d2cd141aef2ece5f35d6d795053818
SHA51242c576e64faf17feab8443d92e6f541045f444d097879894e9d71b4c86803e74a5f9e8794ac2bee7a48bdb39515c2c1cbd6cb8f02ec04ce594bf7afef4f0386c
-
Filesize
6KB
MD55aae23ca9426eab2e8901088c4d91b7b
SHA146f320bca14ade518d98eb5d50bd739756c6fbbd
SHA256ff19b80bf6f8d7e3a3d2167a0fd476297ab87876790f90e34341d96b86310276
SHA512e82836a36344b2fd8c1bfff26d6b9036f6077c0e65f4091f2ce1ec10fd0ed968784c0210aae80971758919c260927d243fa7e41f3eb41446f4136a3804083f60
-
Filesize
9KB
MD5b17d14ac08f235cf6162745305815498
SHA126c359b242375bafc130846bf9da98c2063e450d
SHA256ca97ec9e3ed036dd196ec5a70110013e60b7371c9844be6bb22aabe6901700c8
SHA512b307290fb814c9175c38d30fbea24c9ce10d79ff17c32095a09e63beadbe330cdebfab4c88567d1d5cd0c555ee9d41fb6e50a87883a8e01d188dfc27684c9683
-
Filesize
11KB
MD521d69d004f7b9227b05a74f2fc00fd97
SHA1557846caf62587fd059aee990d465dc1d62c5f7d
SHA256056a80a2650a03e37d2b05d2bb62e38c2f5b7a6c808f1c26a34143b90ec22fe9
SHA5123912fabf9dd72af860bb01d46a2afe8139c23cedee511f431e049dd7197539f25dd659b1de67b56f49c8701e5101db901042bcd889f0f9bf8be697016f90aa7a
-
Filesize
11KB
MD58cdbd2ad577d0c7ffe49628d38d7afcc
SHA1a3b6c7105bea8f3303323dd6aecf372ab20854dc
SHA25660b70f6829f6afc0dc433e5cba34bb0fe402df4b00408c08c347a985ecdbb5e0
SHA512814257e87db90f9d1c53db29ef066d9616080ffcdafbe9b83813a8ec2f93416eafa8ac5124d3a44e126571874fdd62db00de7cfea33992f16948e8897b416a36
-
Filesize
11KB
MD53366830199c7eedb9f7c1f76f428a083
SHA159a1af6d9be07ccc9e49d830e5a4818cc7770c85
SHA25638ec4cbb7d6426fddfc9b4c13f47b66247fe0d9f58fe5956f9e0e0bda3d144eb
SHA5121da57525531531857f66d144550b5885eec29f2bd9dde4239c0233f8003c84e1fb6e5150086efddcb8c052c6476c64c8a61a7cf24f2c32319cc2b99a5e691e42
-
Filesize
24KB
MD5ffbe7d9b2e7283f7ae3ed1324237ad7e
SHA12ee52d1d1e549524aa1abd2ecedcb9d4fbafaa4a
SHA256a55cd3929ea7ed84e238bcc0723f8c3ba34fc3ede6085b635641e8cfca31af07
SHA5126fa41727c1392a6480854d30aa4a86efb3e2efc44f73f051f895b67341f06d7d4be7e08fbf4df78a695d1143fa6fd57413f7d9177b486387c2ae9bf3a69e553d
-
Filesize
24KB
MD58cd513127214e252edf0454f329bc002
SHA16f47fac6be8e7331e54203a7865e86b32cddf16b
SHA2563df220380a8bf881117c17102a5c70ae7deea18ec92e7c478df2ee904d882108
SHA5120b6d2f2e12bb8b15175875b7118778e57475934dee0476bc3ec989c5408d1ff5cf1c2d5dce4bd980a3ef9bfee232f974fa90050171826f3f0847f9682ae7e4c9
-
Filesize
24KB
MD5e630c7e87d4e24698b99088b5fb6afe2
SHA1f6dff4fae52fd24df84b3853ff8e4b7baafd2fe8
SHA256d4bae1a68e8149074540ad5b9e426053ec99537b238ba3aa5371d8d5040bbb43
SHA512312f634bda1d46f4554a01be3a9d95368beb11acc992ff2ee782edc69e670a11fcca94ab79b66f24be623dc89fbd70320aec0d727d952e07c269ad7547bf0185
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B
MD57495bba344e7f61f59bf94b6edf05e48
SHA11ed8578bffb9740cbd4bd753f53bad6bc6c4fe00
SHA256cb35a4abf8ce4adbd35504ea8ccfb4221a7817161e406af15ab92d542b29ab70
SHA51288e02335297e50909b621e047bef9794aa7e4a44b3f0a94986c32287b2059a4f5cfc340528ed840a7fb073cb7b32291d5ab89ac7c43edf85da7d0c7e0317846d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5df08d.TMP
Filesize
48B
MD53f0dc63984bca34323c9013ee6f049bb
SHA1d97b58fde0865d44fc9f65e771634a86f53b6d8c
SHA256b8644bba50031a80fbeb49669ef947183f8bc5af4d2efc8b77c8e38e4bf9d5a1
SHA512df053391561ac7572dd83330b86deac53456b901681cc1188667746d6efbb2e35aa4473810b2f606ddea60cb84fa621fd6d337c7c786909ab48bd8c45f318762
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
3KB
MD5a3477389ce42dc69da432587eeba9d85
SHA1cc7e89a29cf31ca239bc830e0ca187555f7ca430
SHA25656e58923c0edcc559d4dcbd2e4d0f847809be43986f62619915bad2a193e6470
SHA512c5f9f16885e9901f8f2b995774f41e8ba90813611cada205d38d68cafe1d3251eb615b9fc2010c4ca965c59ac9231634aae8407fd4321ae2bbe154930977dedf
-
Filesize
3KB
MD5d402605860630e15effe533033704bf5
SHA182e348bc730dcd660c6c3266f4c6ec5342dc7107
SHA2568d9f695d34852a990f6d7d635b6aecd8d8144d9f5994ca3b2043f0ae2c7893b3
SHA51227715900a44d567a0f0740541688b588074e493eb8972ce7b9b1d7464a2a1315256e62ebeb6726509dbd0c443bc7600fa912fbbfc3c119ced868a6b2c696cc07
-
Filesize
3KB
MD5c56235a6868e7da3cd7d898db1d10db1
SHA1f2ee792397c132ebfb788b876091ea086762aae7
SHA25668a7ba8ae179ded483d1567039c44317b9af3d68073dca3a057ff089c2bd6854
SHA51228a63e2b0d25810efff6c6df221eb429cfdaa0a87695428ddb44257860b387e01087997b9f0ff3e2aad0efb61198a568af31a26380d8b761e130582f2488003e
-
Filesize
3KB
MD5ca3f9953bf5b2527c983a652327cdb55
SHA1872f59dfca6ae42f0ebcfe723d70eef02e85ab38
SHA256ba1827ec1d74aab88a553eb02ab948e52ded3249984a23b29d3edb79a67a698b
SHA512701f8dc8ce4c93adf7c5d2fa3b0a2e2fc40fffe04bad9e9b1f63439f7fcc0544114f996ab5512cea6433a0e97745913e815df43192c5e94c8841a50d665510ff
-
Filesize
3KB
MD586490d6a05bc24b4a08e924257970d6b
SHA17a914411073c4a7979517b0cc79d3dfa4d00a2a1
SHA2560f24ab3eec890331a3202f913e83d6b750c50c5a01d5db35254212f5c916d9e0
SHA512b2637fb19d3f9fec405d415a0497234cf390dc410eaea73fa8dc01de082fc61072df9258d5afcca4cd6ff803d868af0eae4ad752d5fdb9e7435796a186fcffe6
-
Filesize
3KB
MD585dc4759662eac946efb5ac763a2ef80
SHA1b4ceccc325f89209087559072fab4ca061d70e97
SHA2563130550746f9f9a601a34c2709ade7908111a2429664c497866a38fad879286e
SHA512b5056704a9fac24ec8e03dace8d1d918ca24c29423ddaaa9a22ab5b8a4ff921db583ccc39ea647e0d107f40fce11848ea1aa9e558f0186a7617354e8a59552df
-
Filesize
1KB
MD591759787c4e04b4b9885430dcd41445e
SHA1245a087a50d906c590a140f09f0f4d0df92b2ac3
SHA256ab80f0c2dc24e1bd378a5c78700ff0419ad055f2a3db6bbd26abd35080c94f11
SHA512ce72a5b396847270c90dbd05aeed326a4323aec51a73666179b09b1d4874c8b01618c89727edb8e0e0306f8fbf0a95f8d7264932bfbc80023d77d1320dd70b99
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
11KB
MD5f056916b61b89581914dd49040173231
SHA1e3e30673de93100df3afd410bf507bf0c12453e3
SHA256ed6714173666b91ad11271def15d93d927f4db7aa3d9884f6f2fbf9bc66dd07a
SHA512c10ef8d9592e147adacdb55b6ef2fbfdf29b10488f82bdb962435cf4d2480a598461d742f0e738aad02d39fad9a1c4cf0801586029f235a66e55804d67ed143a
-
Filesize
12KB
MD5967aea668edaeae8d4c448f19b9a5438
SHA1fd6175a962e1b8cc4d14a8217237d10599617ae3
SHA2569f66cf3ed20a03950d60137438d012c918a9369b8bd8883ad8f7a7f99484edde
SHA51287aa5e45d4f5b7e4bd39c1878411eea91462c465e0ad6d942cd93484bbc471e80ba69147ac356728d27cdcebf989664fb180dfbab69ffeff05aba69867b55c73
-
Filesize
12KB
MD5ba1454d935fc56ed57676420ac98a72e
SHA1b8434754bade91603027fed678224976e26a0cbf
SHA256f5dff09382de4dbed44318f4645c68e728d7827000ae799c3f3efb21effa8147
SHA512ea1eff943c378a5c20f10a8cf20bd2c6a1f1c2de7d013ebb01965e1ad11d8c53f61c0936b34448a346e55fc45da168c4ca1bf19826cd33c9e3c8ebdde66a9320
-
Filesize
11KB
MD509e8c24354aee33a854a9a692aa2442b
SHA19937ded551eb06aff55cc5c5aa2c7a2498a37afe
SHA256bc2c8a40e3f15e75a57f53977e4af44a63f60c147605d30134bce897acf1f8e6
SHA5123b907c5bce26b3484873b40c2255280629052a734a7e97dd5a60bb12a3e2311d3d0b5c118d6c2239233270a053a4c0bf04e95b29d044175a3b73af1084a263d8
-
Filesize
12KB
MD59ba87d4ec024002f614824ffc9e078f9
SHA1afe011149585f8b05c43dffe4e754000cb561e5e
SHA256812a6ee547588ac41694ef0e16a7e5934ba9953c65d47423027eacf798a07d5d
SHA512e7779bedabfebdf6f042750f2a9700ea390a32ffab4b962b5b66d274e8f7796ab7e14f97984004f97ae49bcd14cc584203f4b542b01cd37c05bae5aeeefdca5e
-
Filesize
12KB
MD52002970626fe6a05609e23b617fa9ee7
SHA1c67553ffe2e5ad5e6e2e37ebdb160fcd218a55bb
SHA25635c3874519e100fd699e67311defaa1824c31ea0c73d1c18f83868a27b0e2eb9
SHA512e8dc001ec5b8de7684339761e9f4c2439117b57324492b66aee4b91d9c350a612f91cdb3757282e3a43fa318a59aefc3226f8c70be4131b38549bf28d9775026
-
Filesize
8KB
MD58081356da44e6f3344b1f61bf6aafaa5
SHA12b1c92c565b5f2e0412a91912c0ddce430eafa3c
SHA2565f5a16f0e5cd3d6454b68b64d836f82bf1a3b74f2ff38c99285365cdc2c82587
SHA5123eac3f47707c552ca9f712aa08640ee075560c0b601361f7ca34e23a6158042adf19bf00615b15442ab707003d5d044d66a0e75a4844b56d82becce9188102d9
-
Filesize
12KB
MD5ae5000160ae2f68caa10801674ec750d
SHA1323537d57615b3831168d585bcfe040e571dc640
SHA2569403e1cd4729ee0a92e021e9a20453191bdd47f1f9763fdfc8fc501dd2a80a74
SHA51216ec18514aad55a2f835934d5fc43bed6f57fc928b3f4249e4e0eb612419f00b99d0f9c83f8dbb957742c2b4698aee716c62c303c59d9bcaa63dc493c830c9ae
-
Filesize
12KB
MD58bc5d42f4d3fef5aca82cd5cf5ab4dbd
SHA1887a8d7ad779ad8a01758910761737df53edfb60
SHA256ebf5f7b4a552c2241f0c7f6b533f2b7185b279a0c51eb2df5f9e6ca2a229d3d7
SHA512c46cdcc26b71c76d8d62c0792ee01b2edd43039b53003d18b4a6d14c0a3d2cf04fca060bb26aed65847cde0b8a0f00d7577d718c27e23935d227eb6f11f02298
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e105b5161419cb5e449dd2457e242fc5dbe04a75.tbres
Filesize10KB
MD51974cefe3b1068bb566d6ffdb27ee0e8
SHA156696affe8044ac8613e48479979247a541f7433
SHA2569e536d0d3ede0615a34ee3e9b8502477a0cf7ba941b14f0dad394c40b1d88df1
SHA512b56118d22294a17f26640d17a8c0493d2233b3ff42ebeea82da9633cced3bcd6385e90288e3860468be225d47e7aef990c48afba762f8e1ab3ab694afab64c8b
-
Filesize
13KB
MD593131f8f00d163176b9a0b5b1caa5364
SHA15e006babe045029c85a03ed94eabdce56d042963
SHA2568903cf8b65b5a8b097d3f1b6aad1fee47ceb17a0ca371497fdfa6e9c32476ba5
SHA5120b3205afa0d571e8b1b27bf1b1a366015dbe6b6bbb8141a418ed7672ec0e667538eb354e4968cc8bec12897504d49b05debae1bee91a8ea3212c29b9c3ff7df9
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HPV4NNQM\login.live[1].xml
Filesize13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\2_11d9e3bcdfede9ce5ce5ace2d129f1c4[1].svg
Filesize1KB
MD5bc3d32a696895f78c19df6c717586a5d
SHA19191cb156a30a3ed79c44c0a16c95159e8ff689d
SHA2560e88b6fcbb8591edfd28184fa70a04b6dd3af8a14367c628edd7caba32e58c68
SHA5128d4f38907f3423a86d90575772b292680f7970527d2090fc005f9b096cc81d3f279d59ad76eafca30c3d4bbaf2276bbaa753e2a46a149424cf6f1c319ded5a64
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\Common[1].js
Filesize1KB
MD5aca0f1b02dc406e76ddc5f2bdebec6ce
SHA1594c930be86b8843377565e349d2a10f1755a13a
SHA2560446c6fd9aeb7dcd7cc089fa25323b1ae9afa77b4cf8d4449f7d2d1b2467393a
SHA51206887860f73d38799fff8bf5b2972160b68c303ec904813861190e9a8a6477e4d300882994d661fdfc118c408625c537d8b28287dc9941d50302bd91c88ed98f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\ScriptResource[1].js
Filesize26KB
MD53dbd97a205b8ce59d755ab94f8c42964
SHA1b0520226342bba131160a510ba3b57a1e8b7b80c
SHA25636f7b9fe80a026a5d933855de494ac6b7a4d01a93c26ce8a8737eed0c79367f4
SHA51282be6f1015cc346811eb736bd78f4949c855e49f8b4cc8493b22ae0f8d329efa34205599e1138e57d33302b8a7b76f085ded053530b0f79d0dc71e257c99d80d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\ScriptResource[2].js
Filesize100KB
MD51d6864709db6b20418228b3327f5e090
SHA1c3c02cd59138c0c468bafd653d95276d619d0c5f
SHA25647e4ee744c576fe52fe74a169a738169a4505bc6ec35fadf26784ff68bd81a3e
SHA5126192083890b6b957234d09ea6cd1290178dcd15e4683551e14ee852454b8ac191c06f2a620f3b9d307ddfc383292824e8b140a918fe9d1e3972a7336d53a519d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\Webtrends[1].js
Filesize45KB
MD5dbfac7887a157c9b73dc42927fc15b74
SHA1435fd188bf66f0207eeb298dd13228d17d36e4d1
SHA256fc66e3943bc6edc7b1f79d952d31dabcba3bd576190deeb9a7518cee6b75c5a1
SHA512c1918b35a03bd2110c2cb4ead140ba342c54ee7bee2c1e4b6582b56b86da93aecdda92da626c7b15bdebc067893acd354919495551e71ee0c9d5993b43433958
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\hip_text[1].gif
Filesize478B
MD5309b41ee7a44bd51e5d1b52ccc620e5b
SHA1b162ce55de01bf7c005f8ce4d4d7c32e7aeaca08
SHA256f213507641fd02ec43981535823474ecfde973d1b33a6cd385f1f0827fd4b528
SHA5129279138126f8fedd3aef32ba4bcd78d3d26bbd4e7de6f3b21014b96c34d7e69bc4c6471cc94772346cb6c7f9020eb5fe1a3a96686a5b250f5ccdee54a0936f4d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\13OZVJU9\signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6[1].svg
Filesize1KB
MD54e48046ce74f4b89d45037c90576bfac
SHA14a41b3b51ed787f7b33294202da72220c7cd2c32
SHA2568e6db1634f1812d42516778fc890010aa57f3e39914fb4803df2c38abbf56d93
SHA512b2bba2a68edaa1a08cfa31ed058afb5e6a3150aabb9a78db9f5ccc2364186d44a015986a57707b57e2cc855fa7da57861ad19fc4e7006c2c239c98063fe903cf
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\Button[1].js
Filesize12KB
MD58edfcd3f7a179cff6b123dff50f29770
SHA17a2d9bb4b9f6072ab3049e6421021a5ba0a3dadf
SHA256d0b747c7f7414a08b0d5107832b2f4bb44a9bb4a3aad28390f58ede8bbea6ae1
SHA512169d1c71078dcb1c65b3cbafba3379b94718d6c1e472990666430a6b2c0483cc9b27e13820a29d2dca2364d3cd3f7d2ecded48b9acf406bf74cb505489fb9503
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\WebResource[1].js
Filesize22KB
MD590ea7274f19755002360945d54c2a0d7
SHA1647b5d8bf7d119a2c97895363a07a0c6eb8cd284
SHA25640732e9dcfa704cf615e4691bb07aecfd1cc5e063220a46e4a7ff6560c77f5db
SHA5127474667800ff52a0031029cc338f81e1586f237eb07a49183008c8ec44a8f67b37e5e896573f089a50283df96a1c8f185e53d667741331b647894532669e2c07
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\convergedlogin_pcustomizationloader_27cef08ca792f8e8b149[1].js
Filesize397KB
MD59083d228e539fd87ef95a94b7abc396c
SHA1159ae950d79b4987d65f18ffbf6ff87d76c5b536
SHA25654b34ea260d9dcf6d7961a60c9b540673312a965f9ddc2f1ab9855d622bfa07c
SHA5121306a0cfba637f249786677e9c29d72e15c72f1575deb217e9e965e456d2320c5644cde43f06ba1e8373d11e16d33dd955fb3e9077c38f585e4a33b5a1075a0b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\convergedlogin_pstringcustomizationhelper_cc2c59f5ef2c09e14b08[1].js
Filesize111KB
MD59f02e24cd4e7788d28587c2b1cb504e7
SHA159da2fc24777cd180f6d3a3f7ce9d9dd90520430
SHA256c30fd6bb912661057ec2eea9a2f135303a6d0f8d110bf11493b369286f0587ae
SHA51295276c7f1bba2777f02e7cd3674cd0e967c96f0e0fc88c0862e82a7455a6c7d6cc90a23f9623412b3696f39f8c4069b17dc8fdf16c03003165d398e2080cad57
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\footer_logo_grey_bg[1].png
Filesize3KB
MD536afb641becfad75fed5f4e6e8c39268
SHA12495652f017b7a06d796afe9c4a06ecd54f9ccfe
SHA2565c2192a3932cb78b431a1ac0f3f3d73414a31c63d5cb279f2687e58c72694200
SHA51208c27020cf80a181b941ee144090ffbdd12ed34ba8cbec037acece63f850ff8a69be6ddb0ec24f7141c46f27779ed59af84a55fb367c1b6f8893b444f44c5af5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\LWTVZ7L3\hip_speaker[1].png
Filesize405B
MD5d4ffe61373f6aa32eeb8ca7cd41ab980
SHA14925fac4bc73efb7c7bbc32b11c435ecf1d61674
SHA256d5c54ffc6b8bd44d932be8f37b1cd5b666205c7574f9d56ef68e56f83e08ffad
SHA5120f7ede96f20bb3c053c246ffe1ef8ce739cef7757faaed031a365299b88664a046557c2c7fdb3baded070ba4eba1a14950d7e3a066b4976bf07142cefa48beeb
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\WebResource[1].js
Filesize2KB
MD5a870b45ac5d6b0d4e18c4829c7b660b4
SHA12d3ca0e1f19efdeb9b2dd3dcffb17f8aba118aa0
SHA256144524233f795d6a425b76f7ae5c0bb622b5f67e2e6ae73532ad526528ca07cf
SHA512295a21307d452f4bf51c62770c6a6b43cdb8b5a6bfa3617e068c8550285252b88f8bbf93a81c39e4bd7f73645ee094ede0e2733dafa5094e3ebae20033363270
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\header_microsoft[1].png
Filesize1KB
MD5bc89c1fbfbc227dc5a7ed9b2797e240d
SHA18a9390297fdd0963c466cf2fd35d5b1f88a46b6a
SHA256744a8cd0a4d15dfcf4a5d2e832ff556d950f8af24d7b66104ab2ef4fe2605d9a
SHA512c18f6b22f4ac5040e3febe8034ad3a3a3ef32cf3384be6c3144b2eb04080f03111743d5b30af3a1343afd68a20aae5972422c724107243d00cd9cf263ddc10c7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\ltrStyle[1].css
Filesize1KB
MD511fe4e6509513db245f1f97e37c5d3ab
SHA105322c35b6bfae84ce8c626bd7b1f8c4a6f15a6d
SHA25678d437b40a85299f96ed9d02e35f23fd3d3ef63d844d8d2523a15516f7e1d09c
SHA512e8a7c3b06c54b671ff6772d6a360dd0b4a65888b4dbd32ae04d14e4971343a71e1b4ec1e58bd45898744a1b0df4ede24141ff47e2c0393e18aacfc97e6f10d76
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\marching_ants_986f40b5a9dc7d39ef8396797f61b323[1].gif
Filesize3KB
MD5b540a8e518037192e32c4fe58bf2dbab
SHA13047c1db97b86f6981e0ad2f96af40cdf43511af
SHA2568737d721808655f37b333f08a90185699e7e8b9bdaaa15cdb63c8448b426f95d
SHA512e3612d9e6809ec192f6e2d035290b730871c269a267115e4a5515cadb7e6e14e3dd4290a35abaa8d14cf1fa3924dc76e11926ac341e0f6f372e9fc5434b546e5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\marching_ants_white_8257b0707cbe1d0bd2661b80068676fe[1].gif
Filesize2KB
MD5166de53471265253ab3a456defe6da23
SHA117c6df4d7ccf1fa2c9efd716fbae0fc2c71c8d6d
SHA256a46201581a7c7c667fd42787cd1e9adf2f6bf809efb7596e61a03e8dba9ada13
SHA51280978c1d262bc225a8ba1758df546e27b5be8d84cbcf7e6044910e5e05e04affefec3c0da0818145eb8a917e1a8d90f4bac833b64a1f6de97ad3d5fc80a02308
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\microsoft_logo_564db913a7fa0ca42727161c6d031bef[1].svg
Filesize3KB
MD5ee5c8d9fb6248c938fd0dc19370e90bd
SHA1d01a22720918b781338b5bbf9202b241a5f99ee4
SHA25604d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a
SHA512c77215b729d0e60c97f075998e88775cd0f813b4d094dc2fdd13e5711d16f4e5993d4521d0fbd5bf7150b0dbe253d88b1b1ff60901f053113c5d7c1919852d58
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\oneDs_f2e0f4a029670f10d892[1].js
Filesize185KB
MD54877efc88055d60953886ec55b04de34
SHA12341b026a3e2a3b01afa1a39d1706840d75e09b3
SHA2568405362eb8f09df13ae244de155b51b1577274673d9728b6c81cd0278a63c8b0
SHA512625844edc37594d5c2f7622bd1b59278bf68abb2fa22476c56826433c961c7b1924858a7588f8b6284d3c5ac8738ecb895eec949de18667a98c04a59cb03dac0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\XNUKRX49\wait_animation[1].gif
Filesize2KB
MD593de6fb07c1382459e473381da5d0e7e
SHA14e1208d482a7aba8c86fdcf8e0e92c90bb8c8c8a
SHA256e97fa0cfe4b0a7bb22e9713a67d4667da064e674a944d607e78f0d3bf48e57a5
SHA512b415de10b55639dd5dfdd038fd490b675059122373659dd86aa00ebc7f6735fd22360264226f8675741fb76f3b3a16e9ab7fa907f489b377ef16e9222aa26e3b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\ConvergedLogin_PCore_kAx9qZOSH4g90FNHstHMCA2[1].js
Filesize440KB
MD5900c7da993921f883dd05347b2d1cc08
SHA131f7a9c889c260dd56ae1b601c7ac73ac806c38f
SHA2563bb35e786c5ef0186c1202ce43b9745d0ea7315c2158259bdfbdf9cc028780c6
SHA5128fd0a4eb1e15ffe26081b9f7731260b8c18f89884a4e37258b4890c10d3faf1ca9def61a1b86436a16a49345e56ef8d5416300b7c4c1d0085544b83d9d8958d1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\ScriptResource[1].js
Filesize39KB
MD5aeca88483779ac14b47f14389139050f
SHA1b2d6addfd778216b8577a9788144f6313900b05e
SHA25638deaf33d1c84196e4c4f3c76c67587090cf261d423b9bef9badf535bc146a2f
SHA51231e647b1ed341ad8d5db4e991008f3a79169ccc0dc68e63da0f0533e1f9875b871336b5b5c953b267ae4788f0adfce6f54e3492c4feb8e087021ab84258f16be
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\Style[1].css
Filesize12KB
MD5432c0225d4f996fa527b1dda37faf9b1
SHA1000b0e2d9e8e70b56fcc4dd5cde19b6b6da2cbe4
SHA256e7a2f12c0f145fa465b669f22f47fa9d7c43b6f67d2629ffe92f155c2fb009bf
SHA512f857e83aec665a71c447cbf4acc431e38b5de3875ee673c4a358a793459fbd93e0e0eadf20f435ce5043cf324909d5ec9456208486622bab789df7a37ee7302c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\converged.v2.login.min_81imvbluez-v5hbzpkxfcg2[1].css
Filesize110KB
MD5f3588c5412d4119f95e47073a4a5df72
SHA13c4b1652e71c25e1ce7de611fbd17edbaae411d9
SHA2566cc79c59f00478ce5d8eaa982efdd8fc3cc205a7ea023a564bb2688fa206a087
SHA51262886f8bfb32d2be842a23eca157556c30ec1d616e2607d9df1894f702bb7a982eeb3576c95f859b4b8e9183a84d70149a8802f31317f80d4845b02ccfa018f9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\hip_reload[1].png
Filesize471B
MD5c651d60a08ff0f579e2eb9be6043a3c6
SHA1e7bcbb896eea20a4dc68edd2ef5b336e92690a55
SHA2567b4b6adaa1dda648143a18a52b51dfaab54775bdb6284dff5c869235cd385230
SHA512017c29423f096a45ad5d1002b2f14e27a8298f144a962b78f46a96626a1027d5e4ec57468cd8f8c5b9e97461fa651452a1786cd9f5f76264652d03f55d516138
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\jquery-3.6.0.min[1].js
Filesize87KB
MD58fb8fee4fcc3cc86ff6c724154c49c42
SHA1b82d238d4e31fdf618bae8ac11a6c812c03dd0d4
SHA256ff1523fb7389539c84c65aba19260648793bb4f5e29329d2ee8804bc37a3fe6e
SHA512f3de1813a4160f9239f4781938645e1589b876759cd50b7936dbd849a35c38ffaed53f6a61dbdd8a1cf43cf4a28aa9fffbfddeec9a3811a1bb4ee6df58652b31
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\INetCache\YUV6CDZK\ux.converged.login.strings-en.min_i8f-75gfk3tbsm8bmatnqa2[1].js
Filesize56KB
MD523c7feef919f9374c1b26f019804cda8
SHA13e22ba24cfd4f5a1c4d189aaadb1a82a867377c0
SHA256993a5748db7b6bc125f88788845a7599234130bce2858b528071035488cb886d
SHA51293d4d19ca4bacfc0ad64690e2426d573d47991daf772d178d5c477369675539274a5e97c666a97a49ad0ec82e566ef4b71e967e7d7ffc575fbd2171e06791276
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD50eb2408dad9b6c5c2af0f3f770cf239c
SHA123688d12253707cff445ae527cd73be6df353167
SHA256d1e0264cd58cf2defd8bb02f09cff5545e232bdc64bbfd9a719fa64febad8412
SHA51234261bbe1ecdccbb5c1ee70f6dc8ad17a3933fb5e911b4eb53c7d2680a23f2a258cd910ef640c0587b52ec96fa008c49d46c14f5b480f48291916f0822e01f6d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize471B
MD5c062d101e7deebae6712a37932f19ead
SHA184ca6714c4847951e682dedf12459550200def24
SHA256aad11eced280763016dafc9f5a189975d1409f250ba26ba212c56f119530393f
SHA5125789b9443eb0911810ca5062299460c8a49463fc233d48f15d51de27def7a3c1082306da3853f2b11f120a1b039d403c930d1a766d565ed2047abea34a8a41cc
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD50f07645fb8a58e5d3f8a3e57e4295564
SHA1087a4f5761c09f4e3ddb99291e41d70b9edf537a
SHA256ee8365098913983b67cbc28c58bb8190903ed64e034f53fd6d9f52191bf744f0
SHA51258abbcaf6e165fb07e7fe9986b34ffd93977b114e4a84c14c92bf6ed7fb90f4cfc4eebcde9bfcd8766c41e40ff4fd20fa942ba6597b1c5776278e1c94cbbc018
-
C:\Users\Admin\AppData\Local\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize420B
MD5409f93478f1f738d7b5860bf74824558
SHA105856caa617c9540d154acb232240b251d7a76a5
SHA25696a17f9658d53c24aa18aae4ab8c1875fb1066f67e50503b8325cea2b3deb074
SHA5122fcf00eaca93b2abb33564e6a0af909749455627235dce0b89087ad8a374668dbdba62b71e0b036e97c51e0b42dc6c59e8e16912883e2bf73d059b6b543aac9a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\INetCache\G3LEY0YM\ConvergedLoginPaginatedStrings.en_pqWJTPacRZLuym5vQslDfw2[1].js
Filesize37KB
MD5a6a5894cf69c4592eeca6e6f42c9437f
SHA11e84a6d36af3d353610d6a392d9d6b66f564233f
SHA25662bfc3c60282e1d38fe1c7a6d7f3793a934e6906c7870edc45c5d5c7d21e150a
SHA5128bfbefc36375d093d3aef0fbac64171f0ca3f555246c25867b68a697b6df413289099f4d39ef4b6f5678031590336d80899758622f2e98cc59de21bb4626f68c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\INetCache\UVJP1G88\Converged_v21033_mG-wAdV--_sq1kXms675SA2[1].css
Filesize108KB
MD5986fb001d57efbfb2ad645e6b3aef948
SHA1a1590f0bc684d395a6179fb915deeca3a9321d89
SHA256de304cb4d64e769dd16a7b4500603205d2606fe0877dd046460c7b8df06a31b3
SHA5120c5599773904a45552e241e9e7723bd6cdc0a3b71a05145553942e27450e8e706c128c918fc6b5599f9bb55eea1fa6b9801d78fd4d95292e24709cd90fb9a7cc
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\INetCache\UVJP1G88\Win10HostLogin_PCore_EA72VuO7AbvwWMcHEkwyIw2[1].js
Filesize477KB
MD5100ef656e3bb01bbf058c707124c3223
SHA1f38c938dd7b4997e2fb667eb7298f7179692f162
SHA256992fc29259c92af09f1c654d98f8b1170201009fa67aad3fdf9d3621f13d6b5f
SHA512a73fff3466e869598595b3651e8efd87d19d452a47fac9bb86dedc338a01b2d5071950a6ef0328b6be8de441ab50e08fde1bd049359cc7b89e4b8036905fea5a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\INetCache\VURNTR91\WinJS_vcvx4TydCFioSeM4NLxTDw2[1].js
Filesize164KB
MD5bdcbf1e13c9d0858a849e33834bc530f
SHA15cfebacff659d5304e551ee5cb856557da4209dd
SHA2563989fe38739bba3e3dd9d60c4364d9dcca55f44a1b1786de77f97f17ca0ef21b
SHA5124ea4fe3058dbdcf3e4a876f30624ca9d7e3b98ae60a2dfd28892d0615674dfe95229aa65ad25db2c0e2baff988eed7114128118156ee6ae1910b9e6c7cf6e513
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD5290f1b42864f22df3cd89f1c97187f0a
SHA11d2b7387a2e1301fd56a0b731cd5ce5eca3f7f33
SHA2562e19292edb15a309d0f596745affb089cf4779939ee1fec4fa28215ec0a9d674
SHA512e4293e0c87bb242d6a5bf81392fa23bbc8fae3d082df3437f9687ce88377eb4ea907f958b12bd23872decc688420b9afddc35aab7745e7331f4507954d887444
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize471B
MD51f4778cfc173492e98c7b9986a5b0285
SHA1e169eebe8d02e60b6a1dd0683c9bf3f367c6011d
SHA256cea51f689f46df4c422cd4311f5741713ca30c6766228fd2f2354b760afde0f4
SHA512a76c3022d330bda3d8f562bd7a52fc41e8fe83a6cc0b547053f87ea80ccd8ae571dec9b58a6273c498ccb7f06cbe817d47364e0208e27c126415dd6b80e0d094
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5a3d80a5c708a6fe78ffbf8dce5024425
SHA1e79b1b14751b81a79b4bfaf6d175ee13f00cf4f1
SHA256d36c77ba17f153792f90d8aa09f329020c10ed16ec359cf1993b789f06d7491d
SHA512dd9d4d9f89208a497b78a753a4b400e70cb9173ba13f16f417717dc35883a86c6ff8deb528ba5fffed840431cc1c3258f25d0f0ea3a728db6468e29c3b200520
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD5156729304a68a70145dd280d6aa567fe
SHA1f648c16cc1dcca5f52aaa2fee1dfc6af8bd2d5c0
SHA256bb248c739a36680a54aa8243e7942903804b009567dc8156bcb4d0da0f994c0f
SHA51277700c475cb6c0cba04635585cba7f25a487211200c0420cd93216a04c6049d7375edd027a578016d144f7c86c9e90635e5816e255b35c22163fa7a53c2043de
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize412B
MD5dea46bec94a0a175456f9ad06492003e
SHA13936efd08942d019bac00af54887b252d342ccf7
SHA256a2dbcd6a199dc34810aaf112de89331ed4eca4e9dbcd8c58c9f184872dc8cca2
SHA5121d73036ff4f39f9b00044a39ede4a70ced322937852192f0b6dff865fbc970c299ef09d3589dc850f772f56ce2a5ab206e1569d8bfea13790ad82d4c40e78b35
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5c274edc58405110ef9383ccae27a964a
SHA1cf10214fc454eb21d9f1661d63c9c87bbc9fa563
SHA256832904d7d24b19621897f2a438e7e260422635262df5afe93d90fe3412f1bf9e
SHA51202ddc5f11f393c99a20d80f4343fc60352dcfb421279b03df9b29517bed7d89f447d220b3a9f31a2d6b7ae01e3aab1d340bdf35a83aadb20c78f6ce1cbb39ed3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD549706256f09dfe247d86dd9b31ffac93
SHA17426dbbeb72a8eacda7cf4104dc9a618a9139129
SHA25625692b917fc2a875130c4838adcf6733422bf59c9d9c3ed0389d61ac667b4bfd
SHA512c1efdf280f698836c74692b19627f2b2ea94deeac3394e5054009d12ebcd22d24c14f4dc5501b392cb237e2d9c4dcc39400affa4268fb980df78d4eb844bc51f
-
Filesize
2.2MB
MD53463c1cd7f722cea80abe89cf77b6e5d
SHA1e9f25af712cee9d83a5faf0960bcc9919833efdb
SHA256b293ebc8e71fd77d6e9bb7ab6d10f916338b913cd0eacc457f8ea41f50c175fb
SHA512810b7c26cba011aa9c3616d4615cde26c52c3bf32caa61c4b7cbac1d42e2a34106b7b358a09f810ec7d591b7afa6b5b189cf559f5e8de52aff3d75156119d4e2
-
Filesize
1KB
MD59402e5ae084f95d3945dd423d26e8929
SHA1cf19c5c182d1138975b8a61ea70816944f298d7c
SHA256f66cd7ea16f29fb4bd57eef1dabd57dbf3e83c7d55d7bc7119e8ad5a7762661b
SHA51215bd6ae4d989060ff66f5aaa7a49225a70c4cb1c72fbecae269c29f086faf06ffb4a24fbea6d90d0c0e225662b02fbbdddfaaad100cacf3a2ba323128c6fc91c