3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705

Resubmissions

22-03-2023 21:05

230322-zw7kcadc8x 10

22-03-2023 20:11

230322-yx9wesba78 10

22-03-2023 20:06

230322-yvvnqaba59 10

Analysis

max time kernel
600s
max time network
593s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2023 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

obfuscation.xlsm
Size

35KB
MD5

b54c993e941836bf2c9c69948b30bcf0
SHA1

a3e6234b5310a3918b9e01c08badf3eb5f44a4b8
SHA256

3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705
SHA512

cda8807707e6ee42309df106c3c3f8daf1c63b154dbee9741ca25679732d6e61a36fc6dbbd1ca76b8d444296ba5001cafe57d11c6ded384451d71cbef7cc80f1
SSDEEP

768:YLsShCAVaV5WqShv3H4+jbXAAQpyQyAtewZP8a88ULsR6LQkZt5mZ2:YbhCLVkqStYuQgrCl38896LbZt5mQ

Score

10^/10

macro

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exemshta.exemshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3272	4220	mshta.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1908	4164	mshta.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1344	4860	mshta.exe	EXCEL.EXE

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

4220 EXCEL.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\493A5E00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXE

pid process

4220 EXCEL.EXE
4164 EXCEL.EXE
4860 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1984 chrome.exe
1984 chrome.exe
4208 chrome.exe
4208 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1984 chrome.exe
1984 chrome.exe
1984 chrome.exe
1984 chrome.exe
1984 chrome.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

4220 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\493A5E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

EXCEL.EXEchrome.exe

pid	process
4220	EXCEL.EXE
4220	EXCEL.EXE
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

EXCEL.EXEOpenWith.exeEXCEL.EXEEXCEL.EXE

pid	process
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
2128	OpenWith.exe
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4164	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE
4860	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEchrome.exe

description	pid	process	target process
PID 4220 wrote to memory of 3272	4220	EXCEL.EXE	mshta.exe
PID 4220 wrote to memory of 3272	4220	EXCEL.EXE	mshta.exe
PID 1984 wrote to memory of 2488	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2488	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2176	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4476	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4476	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 4864	1984	chrome.exe	chrome.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SYSTEM32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
2⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1636

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe7ab39758,0x7ffe7ab39768,0x7ffe7ab39778
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:2
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:1
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4536 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:1
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3568 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1040 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1032 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=1800,i,15965504553102645269,6704834127768919183,131072 /prefetch:8
2⤵
PID:3532

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\test.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1772

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\download.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4816

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SYSTEM32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
2⤵
- Process spawned unexpected child process
PID:1908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\SYSTEM32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
2⤵
- Process spawned unexpected child process
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
f0093fcfd862362529ad565f6910b156

SHA1
598ba7e047272d4cc7386752f72493b9feaf222a

SHA256
6f44346a41d1e4eb2b030bcdbfca08e466d887f812f9be7b30767daa2a5dcdc9

SHA512
b21d1c1ba92e385e6644381de5cfc21f840b5655c5b9d94d8b43f23a7482dfdc3db8d52a1445a562a1952facdf22eba711e917512af254e9c620a6aa43ba5f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
73c9158c0ce72c71de21f2be2288eb89

SHA1
df9756e6fd343b605d6026d2715876fbc8c23e5e

SHA256
18094480e77157272c7293264974c79d931a1dc257924a726c75edf41517a305

SHA512
bac58e5db0477eef0ce089a296002c3b495371569d7c5ff9325aab6c18bd8f268f616414ad4c91f1a76c1ca2845e022291c6de2c8c124edd860e3008c190ef53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
360B

MD5
7e0f267190acb83f450868e05cd893b3

SHA1
b28be88f49780aca2f0a5ebc7eda9b533e93d30a

SHA256
3cd588639728fc0cd76e5ee6c37957fac8660e580c5bda308a79f30226257049

SHA512
aa71ec00ca521f7435f50c4c3ce9551f27d7b66fd071406ef35c5c01a2719c479264e83c99e1012b826a2de1dd8839e719ff824981f3911db5c9e35c4918e8c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
c1dd1cf46b00c994247a2ceefc18e2b8

SHA1
a6b416272c058fad19ac16ebfb21bdccdb6e05c3

SHA256
ba7973a79525c6b64381479070f4d0387ac5a0e49517ab96448817eb5dcc26b3

SHA512
3c99e9883970c776f114b071083c51bdd625e95ab0c6607a3975f3c113c706cccf873b53078fba9ee3b9de2f52606f3a5946bb53b0bbd050ab2f319cce6f5d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9fddb96f1f51d2ca9e5ff3093e0e2e90

SHA1
5f43ce9944ade991c1c7023bfc26869b676f6750

SHA256
f288b8a8f39e3b0ff5f6ebd71d27483402d007f21cef16627d382e7ff0e7d4bc

SHA512
b43142e011f35d2a18a74cde802f6c8a39b9a2887aa12596b7e3484cd4e99f03ff04390cbfc2a6980bdf1b72639a2706502e5514b29b19f517eb0aa6cf8bc48e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9625a0fb2a7466a0c4a9ebf3a211de11

SHA1
7e797356102f43907e47938234017e7ad9c3f3c2

SHA256
0e6ec0d92ebbd118fc1c3c526e29638bf4c97b825a9f35e2f0c407ed0b38c2fc

SHA512
68c9bf89ded95f1ee287ba4491f5a64266966780a6fef9d7aaf4153ab3113aef1136e5d3a20b41d5dc8a36aa6c8ee8a087697857bc05b8d5712df3e5a3dbe9fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
cfa083a76c5f18b096cd13c173fefb15

SHA1
5c4843757dc759c6a84f25ec9e568cf1ec43d50c

SHA256
70aac39e6df4bc23431cb961a6269c44b2c3d9de84380341b650054c1ac49af6

SHA512
55c1bb9315e0567d22ffd2a17911d3dd5b36c973a4da3481eceb30c26f9150d32495f8069eb97a2dacd13a78a16aa4d0f560b51e6a58d236215fff29b659cf4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
db5f6904b2b6ea1d75e871f0edec6a34

SHA1
85e62169476c563118593c126d543cbcccfac337

SHA256
45732374af43183ffb5b4b913996d8ee6e0145979f08afe065e1a6ce9ed623e4

SHA512
74ccc4c33ea376b48b8c3e6e60567de052b74093fcf46ed44ece5dba88d5316efd8f8fb58c64f3e7f0999ab3b5d50db7e68bc48e9070998c2c04cfedd588d630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
32ad1f6e780ed8127c1da8196aaee224

SHA1
b9fb0f6a1978f40f1d8af7f36d0a7ac8e059beb4

SHA256
b8daf5e50cac0f7dd804622300a8fc2451042d84fb20b5ba88e6cbfe870a1ab0

SHA512
5067e44abd51e7e3059d5c0bbc75a034b164f4e883032d3821280e48823be1ea1390b40dfaf3fb93d56941b65ceb8ff3550960bbf05815f8820519603bb4e3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ad8a1559f94a959a11f77a9913a76d74

SHA1
f6a96046e0e87dbf233f94f90289fcb25915e93f

SHA256
b34fcc7eacd6e58ecdc9112f6e95861e2aebdc8abc7a24a21e88e35f745654e4

SHA512
91a33b8a85f141420424ae45fee6cecea098a42ff7fefab38d3ba5f16e38ded6515e8162bedfb9876350c58aaa54298f66f95fd63a3b07cae2b9e76dd2fa7263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4bf2b36d58e555994cca2ef541ad4e5c

SHA1
3ab0f783ec00af1095e25f129b3d5c564f7e1593

SHA256
c88a853a8c6b4848e108dec902668cb160a7cf05dc2fa5b5b79d9add0d839710

SHA512
426149d695aa9baff5ae9596413466a01ee76c26913d6321aaa9f45c01944c23f24ee45075b5f7a6e14924c7b258c0cf163d2175e5373ae57de08d60a353bab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
eb88e0079c02234a5f1773aa6c5836b4

SHA1
cf6d07e1a76e54be1e19500b508a0ab7b42e1b38

SHA256
2086ab950377d0d8c0ca9b0e89be1a9dc409e91dc565864c470cb826c2cbb528

SHA512
9637cae73fc12aad3811294769c8f637fe2cbcea2cc674427808436772cbd311a565cbcc0fe7f79a0365ceb88270c08e52dd53ffced2cf1d1a9ebe29d6856215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8b30cab75b7b48912704ce3cf76ef5b1

SHA1
e4afc2a981294803ce776e7836dcb6c302b3ac62

SHA256
248163366c1253d0ad39611d26c2395dbbfb198b1218bc68ac415d7b62bb587e

SHA512
0c3666e82f195c1903a7e9a9083566e9f2f7e615f4b395dcd8e6b202970d749e1aa7ce522706a4f748eaaaf7f8f6db6c885844fd25529692c8db124f731d8105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1118a6a3091ec3f01bca3c0d029cef9c

SHA1
a36b2a55f89f5f2197c47e79e4d183aa674a84d9

SHA256
2887e10aa7d1e0a686874e60d5b227f3466324778770b769fd7787ab253dbab1

SHA512
942fd9c384c59db46f0795f73fcd814b83df638f88ffff752e6868f9521efd04436b27a1fbcfedf2910644b957a9316f7e2d125ab8ae9715f60a660131824077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
857d75f9600e7d69b4a113005011ede7

SHA1
0984787ff6a8e5655f5122ab2bcf5c868af1f82b

SHA256
f5bb26c3539a7a19e19e39c9700f570e4fe579f609efdc407edc2fbcee6fe305

SHA512
97c950cbd21c0b47dce0c25da33f7fa9ad45580e799d8b6549b770799fa9cceacfa97f30ca798dc8e2786008f44420c7b7a8ae2682405bd35f21cfb4b137780c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
4e44b4b6f88e2b66f8085a80dac2764a

SHA1
156621d1e0aa5f390d0dc3b59a815e067676f62e

SHA256
94800d0dded28cb996dae7593dea66e969dba0bf857b3def12e027497ffa5d74

SHA512
76e5b7ed52fc751f682d8176d88f28cb5acbdc620c173af38bcd80dc89ab3e7090398d3c125c3e7b056790797963bac1b4ac35ba452bc60711f48803564dfff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
673af6b4221079e6ad88ce5fb5e4e510

SHA1
bbec7d02bbeca3916336bf3a269df60aee00e277

SHA256
da4f6d3633e99ba772fb6e0dd33bf1f1a76d0273e0a1ffd27f9efeefa4e675bd

SHA512
71488217e7c3ebcdb9d3e2c756148d6379cba62e713797790a2c97f21dd6474a0f556f11747fce60169a13b17434eae323c4b65869adbed8a5d723bb52d88bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
112KB

MD5
dd0874005f8fa43ffdfc43ab16c4ef23

SHA1
b45743a53ee2b3da53bb36f975e9a47e540ecbd4

SHA256
22215aed01df696115b605aaf08a6bf097d635c7456cd32fbbc409f4b37c87a4

SHA512
2c534c47d51e06109a16fd71f3c85b44e334945cf64297d8e352edeb4084d8bb95b2ac107cdda3f2ba3a3234cee3db3dd094a9f054af06733cca04d2a1ea62b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599fb1.TMP
Filesize
98KB

MD5
ab132cc56ed939ab4983effe4073665a

SHA1
95ad8374674ec5a778838d3d0a1bbc0800d05d1f

SHA256
a50cc64da952f3a5757ff34d6a709e28bae2f60dd574675e2714d475dfca2cd4

SHA512
70bc9de495f59fedcd00d78668dc0284d9d5bba0836494527dfc7f63ab89863e4aea91382c7ac7925fbe879557b6c1d0d1186df9f887ee1e37cdce6f70d046e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
Filesize
502B

MD5
af4abd01d33ea29c46b711a255ea6ae8

SHA1
81fd34cdf66471e6bc44a515408232933718c730

SHA256
15f2e40b26575a1572d5eb0ce788ee131e5d6ae196d94c873319faade531b626

SHA512
0566c0132b52516b96e513ce942ad28ba4b3cebaa71a94503e0dc10868afd22d9abf63e84cca11dde92e906e4b23fddfaa1957315658519256adc995f1b13abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BF34F61B-06B2-42B4-8A89-0E0BA5394C6E
Filesize
152KB

MD5
acb6878c991103b3ff7d8c410e1e7f5b

SHA1
ce3514def78ccf1abd812319ae4219e9dfb83ec8

SHA256
625d950e5e5065bc9209821b4c5da526cb2efeafca273c01f8c58b99a14b39e6

SHA512
eac46e21e869e615cf0335349e0f469be7a3b335f1b7590d5cf6b718c18acaf5c9fc56f422eeab9a9abf6a65ead0654d55e0d0411a2e3f2b3bdbf5b0a0f346cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
323KB

MD5
9727b1893f4a4adc3107a50a77813c8e

SHA1
93f76aa52461deeeb49672f7dd497cef15470186

SHA256
a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51

SHA512
acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Temp\493A5E00
Filesize
37KB

MD5
b5a2c7fc0ef96b08b1af7746225868f0

SHA1
168fc61fc62fc240719f54248994d7bbc9746911

SHA256
8f6a51b5fc38634d1245851ab13eb3f61a66177bc9270dbe12dfc32ccefa0f7a

SHA512
186e9013d3e32552d2e60697131eecc2f3510c85eb7f94a26b3e60e3a90deae4ac28a513a356440aa1f8738aee1aadd95cf0f8c607b3f858f5e04ad727a6142b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm
Filesize
37KB

MD5
b5a2c7fc0ef96b08b1af7746225868f0

SHA1
168fc61fc62fc240719f54248994d7bbc9746911

SHA256
8f6a51b5fc38634d1245851ab13eb3f61a66177bc9270dbe12dfc32ccefa0f7a

SHA512
186e9013d3e32552d2e60697131eecc2f3510c85eb7f94a26b3e60e3a90deae4ac28a513a356440aa1f8738aee1aadd95cf0f8c607b3f858f5e04ad727a6142b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TLAD6L27BOMPTI7FD1IM.temp
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\Downloads\download.dat
Filesize
3KB

MD5
8ea566d287ec07db13283c36dc512e26

SHA1
ae97660363d698eb4cffe4d951de96fb22ccc718

SHA256
7220cede2ffba8e59914bb7e08d1828a068eb772e7ac0e4ba71853880c2f5365

SHA512
cfd2b231228e68c06549151e83fd0b8843ac8070b1b925525002a3827e6a8d54c5de9620afb0beed9cc9e666c054fed16a5e8f35322ff220a96161af9c77378b

Download Submit
C:\Users\Admin\Downloads\download.hta
Filesize
3KB

MD5
8ea566d287ec07db13283c36dc512e26

SHA1
ae97660363d698eb4cffe4d951de96fb22ccc718

SHA256
7220cede2ffba8e59914bb7e08d1828a068eb772e7ac0e4ba71853880c2f5365

SHA512
cfd2b231228e68c06549151e83fd0b8843ac8070b1b925525002a3827e6a8d54c5de9620afb0beed9cc9e666c054fed16a5e8f35322ff220a96161af9c77378b

Download Submit
C:\Users\Admin\Downloads\test.hta
Filesize
5KB

MD5
c4c22e0735ec592ab87f45c7be53eecd

SHA1
b6d9c41d6c81f30c8f9d383fe5e0d5a0c3ee62da

SHA256
b6e6565f337a8d5c0fa35517d64f95bd6768083ae220a21bc62087820c3d326e

SHA512
eb379572c61193f90c97345987201d2988ab081bf095d42b155b939cabe5b6e168f39aa35e9e3dd29efdf5d2e96542925ad0493f417f8222589d2967feb01e41

Download Submit
C:\Users\Admin\Downloads\test.hta
Filesize
5KB

MD5
c4c22e0735ec592ab87f45c7be53eecd

SHA1
b6d9c41d6c81f30c8f9d383fe5e0d5a0c3ee62da

SHA256
b6e6565f337a8d5c0fa35517d64f95bd6768083ae220a21bc62087820c3d326e

SHA512
eb379572c61193f90c97345987201d2988ab081bf095d42b155b939cabe5b6e168f39aa35e9e3dd29efdf5d2e96542925ad0493f417f8222589d2967feb01e41

Download Submit
\??\pipe\crashpad_1984_IGCBSDPUIRFEUJGM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4164-811-0x00000184402F0000-0x00000184404F0000-memory.dmp

Filesize
2.0MB

Download
memory/4164-793-0x00000184402F0000-0x00000184404F0000-memory.dmp

Filesize
2.0MB

Download
memory/4220-116-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-617-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-129-0x00007FFE5B870000-0x00007FFE5B880000-memory.dmp

Filesize
64KB

Download
memory/4220-312-0x000001B925B00000-0x000001B925D00000-memory.dmp

Filesize
2.0MB

Download
memory/4220-614-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-117-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-128-0x00007FFE5B870000-0x00007FFE5B880000-memory.dmp

Filesize
64KB

Download
memory/4220-298-0x000001B925B00000-0x000001B925D00000-memory.dmp

Filesize
2.0MB

Download
memory/4220-119-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-616-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-615-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4220-118-0x00007FFE5E8D0000-0x00007FFE5E8E0000-memory.dmp

Filesize
64KB

Download
memory/4860-1096-0x00000247A5B40000-0x00000247A5D40000-memory.dmp

Filesize
2.0MB

Download
memory/4860-1076-0x00000247A5B40000-0x00000247A5D40000-memory.dmp

Filesize
2.0MB

Download