73bf12bc7899244509130edfd84c146d3b0f77a69550ef4ff34d6f51966f79d3

Resubmissions

26/04/2023, 21:52

230426-1q5n8sdh2t 8

26/04/2023, 21:16

26/04/2023, 20:50

26/04/2023, 20:46

26/04/2023, 04:32

26/04/2023, 04:29

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/04/2023, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dezz.rtf
Size

365B
MD5

21579951a326c9dc08a51fe364344914
SHA1

7981c5d563ef63956259016174fb5f023e0d8604
SHA256

73bf12bc7899244509130edfd84c146d3b0f77a69550ef4ff34d6f51966f79d3
SHA512

db2bb92685631ed125a7ace9795e346b52c72bec778716d8dbaa4f1f39011f79eebe9497393fde7b2eb7a5321534bde7a88164dc6ca6de3ecf889c3367f74fee

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://roblox.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = b08013b50878d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://roblox.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f35fd4ec1ca1494aa57fdd0dc6b810a40000000002000000000010660000000100002000000087068b74704dd7423deabfbafe3809059bf1aec4c4f4ced4f57c8767dcb54d15000000000e8000000002000020000000a10c881c383851137d216d4ebd650f566433c2145949b9843a92b9f412254b342000000009c1afa1a505f6155db722a71d1ee911d2462aafbd423f4bda76ff42c10456a640000000462df6bdc514908d777afe1df6d22bd09169767d6819438a27272c0cec6d218bcd922d255af19f18a0ddaeee050b21d9d4f21601fa7c0defb2fabf7fa88a424a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dfe9be0878d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2032	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1096	chrome.exe
1096	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: SeShutdownPrivilege	1096	chrome.exe
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1452	iexplore.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2032	WINWORD.EXE
2032	WINWORD.EXE
1452	iexplore.exe
1452	iexplore.exe
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1452	iexplore.exe
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1592	1452	iexplore.exe	34
PID 1452 wrote to memory of 1592	1452	iexplore.exe	34
PID 1452 wrote to memory of 1592	1452	iexplore.exe	34
PID 1452 wrote to memory of 1592	1452	iexplore.exe	34
PID 1096 wrote to memory of 1964	1096	chrome.exe	37
PID 1096 wrote to memory of 1964	1096	chrome.exe	37
PID 1096 wrote to memory of 1964	1096	chrome.exe	37
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1528	1096	chrome.exe	39
PID 1096 wrote to memory of 1036	1096	chrome.exe	40
PID 1096 wrote to memory of 1036	1096	chrome.exe	40
PID 1096 wrote to memory of 1036	1096	chrome.exe	40
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41
PID 1096 wrote to memory of 680	1096	chrome.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dezz.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ResolveJoin.vbs"
1⤵
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1452 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69d9758,0x7fef69d9768,0x7fef69d9778
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:2
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1352 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:2
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1572 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3900 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1200,i,15055240447068138024,17905963571099351957,131072 /prefetch:8
  2⤵
  PID:2652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2429140c8a50775e11430e2c05fa7cfb

SHA1
df907220672282b9e96df0215e7bfc702463462c

SHA256
84a762f719481d232f533a6d8556c225a641c23beaede1522a15a2f152707b3e

SHA512
881ff636cfe00d3c28111d70aecb59a46bcca53fbb5446bf8147ed58eb972c6a1e9cc64ff1bd417cdfb85ee929afaa4d5ef313dcdfa0d6cef0cecdba53a447a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52aeb7e09fe9a0dded87c4e73707e829

SHA1
06c3cd2fea68e6b8d32ba39a4ba2b9df727e16d8

SHA256
07c23cb609303d9663ff8500279bd3eb09944b7774670871f366ab2b56d4d853

SHA512
cc538843f71e3a90e13cb70520f5309d0ab7b569e79b577fc484041ae79c9837bd5c356e5f73c20cc404249f917d0405f7662414438ae50ada3a1f4940a556af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f5147888d4314c44cf035591b36ac76

SHA1
89c8edb21860b3a627b0f9ddced4f9a81134d0c1

SHA256
69add7509a532c79c41af6d8971a21090f96ba61dd44f3e16c2221dcf8497bf5

SHA512
060de5fe61e1b4405b99e978c1a78034b227cd963c1a3b1e0f31fd91c7d6be64002224f7b93b979d70be6a54ea93ec29bbc008b7dda46cb30c68371f34d371b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f5147888d4314c44cf035591b36ac76

SHA1
89c8edb21860b3a627b0f9ddced4f9a81134d0c1

SHA256
69add7509a532c79c41af6d8971a21090f96ba61dd44f3e16c2221dcf8497bf5

SHA512
060de5fe61e1b4405b99e978c1a78034b227cd963c1a3b1e0f31fd91c7d6be64002224f7b93b979d70be6a54ea93ec29bbc008b7dda46cb30c68371f34d371b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f65e494fffd89c61151b41c1d9dc0885

SHA1
e050bf5f245d0c75276ab6e37abd0b31bbd28c17

SHA256
38686be2bec9f91a0e62fa2ebe69de464eda53024eeff51098c5e0bb3ceffbdf

SHA512
dc8f0333c83881ad5e951db60b3908a45590b72c4d2c41d0274a9fc1e1a6201bb62ceb9d3e759dd0ab797fd3ed3e02cbe2ee8a9e9653d085f94346c668d758df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bed1915728d840b8d2a44b5a0fa68d69

SHA1
2e44c6842ea8825b2d84cfc1270ccff198c70439

SHA256
7a7628c26dcf0ffe428beca2309563e6945836606743cbff4880121684f0483e

SHA512
b6bdb939dd638c517c241f14a6e21fc3a8ebaf54e4da70b8696451e99ae281f808288cc87061b9aeaead2bd0970ff3c178b85668c91582360caed42ad04ddf1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
711a6ef763bf3fc849a96a9b01eb8ca8

SHA1
68f04a1fa69819642495a943e5059102c6af5cd7

SHA256
c110ed072a5507d4ac883be297d733a81d1d735a1066d08e861a7c84ef35c7f2

SHA512
5251797e3346a0dd04c343fc7d9bc4a037f5154344786287f8eedabafc1ff1adb9948b8fa74deed3bd63d5202f67652e972c1db40c07b5c23cbf030aae947d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e30055e0a0256a5ad10ca610ab30f11

SHA1
af519199f5cae8d0ebf2fd4c2074d4fe06471cdc

SHA256
21cc7bf4835157680551f9197789d59d4b5082f3ff82d305185e59762ca49e10

SHA512
b218cad9b3366173e4555bde46c7175687441d18db4ece9b7625770cf60acca55313c938bbc893b6cab95fb438cf328a8762f700ea25b6e0833ae4eea498439c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f506f8c7178dbccef86194965d61b9e

SHA1
79824da2cbfc35a3e04e175884bea7b3de0dbfe8

SHA256
7277c7622339a0f7d6595d374773a6718241badfa8166ad23f3761ba4e8399a6

SHA512
e7ec999a3f452d7d8fef845787df13b021cfef9f2910bae6d63cff242dcf5058c3002bcd8a89788f7a5eb6ce772a3a9460de2aa617d727e1f60d743005373fe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f46708d692ced4b612a57e37118f8e3a

SHA1
192272cab79a751fe1385d27f116bd4d7349a66f

SHA256
39d52a0f57738766d77369b94de3c4a852165d3a5f3ff0eb32f51a4ab80e4ae0

SHA512
c8a04e8afc305bdb9f4b8d68419594984cc21d74ae08d9371e56a977e22b2374b52cbbbd892fe184bdfc945705f0dbcd553068f3345a9a01faab5f72defac20d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
453187075c7a9f84ac8406f5fa654564

SHA1
62197e2a7e8d6e09b314774f2773c0189e9bec12

SHA256
5461d4465f814f1491b1a03028546411c25c893f1d6072d69f6f2400a48a665a

SHA512
1da8d88febcc911e3fd8a2d182a43ac11c48e8140a44b5a2404b576589dd1258fe679bc2e502675eda45b3253630e1951820ff1bf13195dfd98f027c8613e45a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
b66c691f0c66e92e62ab73e44e983d5b

SHA1
e0c0ae9b4e1195df6fb958b99a356bb71014b13c

SHA256
121295f86376b86bb50f96186a78b271169dcc9007a2ea5968c6e8e00919cb60

SHA512
52d17083934060ea2e94f408d1ccd7648460427132d25fea9efd7eed166d519a2fbc6fc6fa82deab4931ed09197b77e0a3288ede266a5b16c4f5c5244dabb50e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d2b1d2e8-9112-468e-9b69-6d0307d4bb2c.tmp

Filesize
200KB

MD5
ba41b03cef2145ffa10347c589329f5b

SHA1
14d66000efeae8974b7c3cc73407f05c19bb06ec

SHA256
cc987dfe8508d2d17112cbcf0124991e49abff9f9cf2036b31ab08774abfa795

SHA512
a6c945c18fdbdaab86597cfcc5e8a908df5d269110a2cc3b512db18d5ede7e8c496ac26795cde21e1fdef1486edfa6496a596f5baf2121c62ceaf9e9d4ad1662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\qsml[1].xml

Filesize
471B

MD5
884cba131dd0a5c5364e29b80061d666

SHA1
9b63b74b24b5772d242ed33a5989cf54a4f9f8b5

SHA256
8eb8dde2693f629c93b93274eb7e1a67f0d56337c70a824453feecc08a4eb394

SHA512
a4c993b111b0e0df26eed5933137e7315cc155ccb72dc5747f228044fb3b721d71f7ab5d1c1b11d5efb0898ab78913c9853b335f8e8b84b421dea97fb1d341d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78BA.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7994.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A19.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF07EBE61FA6A88F10.TMP

Filesize
16KB

MD5
2a9ca6cca9a7e8dd4efa5ddc43ea457d

SHA1
7d219318d02aaa0bab36b38b81486a6ba394164c

SHA256
12e85d17fff20e91fc15dad9945804b46b4b60e73d88e5a9e1182465075d0576

SHA512
a9c0905e4ec89d047320ea45bd5faa22a2021d9d36597ffb91f98294fc63ac346102108d9a7bc0482e486649d25558df773065ad674e8f83743aa60879b12c70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
69276077e22c9f9570abd47e727455fe

SHA1
82b469088f6e407fa1ecc54e57e21fe2fec07196

SHA256
49e833362127b904cc2752829835f1f07789702a87eea0a0c157e9ea67183f82

SHA512
18ee81b6c78b612f99ccce3d4d4395345ad7866da9f7061ad29e37142d7fab6e45ce980be1196d04ebb29e0e01734f476db41b531383bee69a5d48546e6238d3

Download Submit
memory/2032-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download