53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7

Resubmissions

03/08/2023, 11:07

230803-m8ec4sch93 4

03/08/2023, 11:04

230803-m6e7mach86 1

03/08/2023, 11:00

230803-m4czgseb6t 1

Analysis

max time kernel
260s
max time network
259s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
03/08/2023, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1click.cmd
Size

2KB
MD5

a53a00da8b89ce467a121613cd56d4e4
SHA1

e7a50d4f41b500d6066a6f3dc1c310102e6a6c85
SHA256

53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7
SHA512

84addbd6375e186c1abc828a99a2cb852a8d744734096c952add127439ef1066036a3ba501bbe5288e8bc791b4c9391e1b39831d69051fb1407237a091d1551a

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133355345176961988"	chrome.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4480	EXCEL.EXE
1064	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4028	chrome.exe
4028	chrome.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3800	NOTEPAD.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
4480	EXCEL.EXE
3800	NOTEPAD.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE
1064	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1584	3564	chrome.exe	76
PID 3564 wrote to memory of 1584	3564	chrome.exe	76
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 1012	3564	chrome.exe	81
PID 3564 wrote to memory of 4276	3564	chrome.exe	77
PID 3564 wrote to memory of 4276	3564	chrome.exe	77
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80
PID 3564 wrote to memory of 5016	3564	chrome.exe	80

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1click.cmd"
1⤵
PID:4532

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\New Microsoft Excel Worksheet.xlsx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffcfd229758,0x7ffcfd229768,0x7ffcfd229778
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:2
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4440 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:8
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4392
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6b1987688,0x7ff6b1987698,0x7ff6b19876a8
    3⤵
    PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5040 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3056 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 --field-trial-handle=1768,i,17213452363288364261,1858410415647348481,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\1click.cmd"
1⤵
PID:4448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:1048

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\New Microsoft Excel Worksheet.xlsx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:5048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\1click.cmd"
1⤵
PID:1172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\1click.cmd"
1⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\1click.cmd"
1⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
1cc22b6e7fe312ab700bab306ac5148b

SHA1
d5acd408cd1f052352f92ad8ed0a64dc5c4aba84

SHA256
d1032d8e9e20eb842bf62423f977d4f3b95da63720d116c190306653920c32a4

SHA512
ee8eb782bfeb3b1c39118827b683f77ce78eb1bfebf70656ddbc7a3945f10425f59445d225ad4477ae4d280efb952b195239844d7a405ed636abf2a76980f799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
2fa5ca52426c67ddf4af032c01da05f3

SHA1
d50977c152a98b53d1f6403f9d1bed1014a19d07

SHA256
b6c597b7201f6a648a770d23cf51373639a8b37ebb7e3d3e86cf46c3f2963a2f

SHA512
03171f280faf9604750a2b1b8c9e15346eb53642546a795c472fbf0522ded1a03aebd7807cb064374adfb37bdcf955524323f63737dd3f1c5c8f3dd5ff70d736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
3df59fbefd2a4c71e2fc57c311361c9a

SHA1
d56ad6687934a71db3dccbd39d3119412fb2295c

SHA256
88a695ba83add433b023aa01553d1865b2f9e7d05ea75ca1f9a853f080979a05

SHA512
c4db67c166d2d661304a42d0dacad053a599f54ae01272eb6afb7059c392ce413336eb96bb71235ddc7689c02ee7a6c5a848cce7146d1aa26b38c198d1a57d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
886f22bf00c954f1f58c872db9bdfec9

SHA1
2bbf86eaa1132fcd3ee52f05cf7e74e79ad2061e

SHA256
43cd00d42501c7bfb8d323d6fbd6c37dd692550aebb0d45612a6cd2dad785ce6

SHA512
891ee6808301392fce1be7df91597db18f48e310c47c0879bb21da39e2f0da4f09dfe98199ce5ad8cf6d2f50c281dd055413c5dddefff6b43ce133004b4c4a3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fd986a34241bed1fea3d36fd59845318

SHA1
1ea85f0eb62d78640888a82d1c7918ef7b62c6e5

SHA256
68b759d0cf84e3717c450d256c8030c5bb045490ebe72055acace9ab2d4ce1c1

SHA512
65951d462700a5cfc786719ff8e90c473dd4157732b4fe0a5c9fc089214a619f3630fe8990f0efe37f16d9adc4110d2c3b5fd100d433be028ade8c0cc2ca3819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d6dfce11ed0a96be02c2f725eb0679b0

SHA1
3ad7ef6b3c4c8f3d8b51c28c34850ac5571be218

SHA256
0348462144c32f451a6e37610a50ff28fc86fdffcf1d899e5f5ed0478fec98fa

SHA512
e6babdcf231bec2d91f66c88fd0abec6ac684e3bcb9d74f33adce09d44dba399e4f14584b7e2d8c0ef720dfc6f1dfd72da8f0baf52b8a6cf50bca1099126a1f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
37c0e036a7928c5154240aa27468635b

SHA1
1209738b8604a55392b09d1494313d0c2c2c0dfb

SHA256
08b76ed0e8bc58de9209cc2f19d4af0594f8545e17d21f7e2ff6b0846b796311

SHA512
7912d52db3138cd06fc0d9bee2915cb406e0d53fe0ac6dee810c9d91e556561a22563f5ccfe5f8cff5f7815e78796002108a77432e40b8901015ef0901518d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
75aeeb50984b12018be311a01681bbcc

SHA1
572687e83d4a0ef1e131c4506620a98109ac8ce1

SHA256
e9084346507175be0cf5e961b27065675ebacc7f003e5af293e9c425c9868dee

SHA512
848cf00d45b3669937a1a3c6d433fcee12b6c4a4ece28f05e77ae831b0e286c81d9a79644e8794e5b5c43f720ae7287e16773021c15e7498daa8b743dda8af9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
177853c541167f3412522d373ee4ad93

SHA1
62b94f894d6052fb48ccb10fcaa30851fcc22a6c

SHA256
8daa09ea4865acc7bf31f979997c47777972c282a7bb9c72af618e394af41453

SHA512
6e3f6a77f238e0505981e553618ceb4ab10c800ef965efccf2a0703e25879513e0818f72c4511f7fe38c3c52621847e469de5fbdbfcdba4d42f288e178d976ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
da7543aa8a80af5c12649f340ebd7585

SHA1
c7a2eda40ab310cf58317286d1d28264f7ff446e

SHA256
175f792404274346f0e80a979fb4e21e34f00d18d06b6817c86ea6504475f029

SHA512
156333ba3fd54f7ff6694e5c5d7fd79b1e803cc91bdc0807c1caede4a79aa0815ccb74d11037d4a027784b43bd79c6975dc4f083403d515f7b198f4a035b3507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7844065f2d2faea157c3171df96d33a2

SHA1
2aa242aa9543854ccc5af2cae84baef3788e74dc

SHA256
321a183500c04da4825a6ef69fee6ad44893811fc82c8f658ea2adb2b5c7a5eb

SHA512
3403b0096fbfe610f223ef3c3c1831d1b03b4a168541767b073077c949d0c1ed7d16a6c40b4465e455b8595882e4c3be23ffe2fdebd926896b11f26b04bdc816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6535cbc81cb91d32e8199aadc668dbdb

SHA1
129bddbc1bb3ac20b2ca941f8619dd7839248e57

SHA256
700586f397bf2af2b5a29e54e6a1efad1d998ffebcf03b93af6ba718be73130e

SHA512
77d77aab15456dd91457655e64500c9ad9d1a5145e1a3cbf3ea25475e7808330ac2edfd76a5019157938c0b14ca76e5b3aa44876940666f61ab8218d4297acf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f871bb4a2d3ae2eec9e3265580cc3b0e

SHA1
cd47ad7801896892f89e684f551d2315a61498e1

SHA256
f3c7ca948b46cbf344cb8bfb3f6fb2b0c25ee905072d818c8c5fe54e431e99d2

SHA512
39605a6fcf4fe06885b41189ca2fd540cd3bac09b7cd9dc5825f0537c11bc3e632c580d73a13914445d083b74d9c3e2239fe6f0b278c92ada5c83683f6422507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f0f2d6c307f3e2f86119f5c89eaa2bde

SHA1
b7d6b2f7249d9e096159bf704b6f1d05e88236f3

SHA256
0635fe40e7957ed45ddb5a2e433d042bc2f4cb5b0304739586b5e2646872a10a

SHA512
1c5d2d2fbbede513886cf4198876a0bab26009c4b0c83ae7f9a10d3ecb429ade7e2b1cc48cee7aaf611f2b1913cfbebeb1b420443baeca84672618f2829121f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589cd7.TMP

Filesize
48B

MD5
c6ca4a4295476fb519400293828fd3d1

SHA1
3b9f94b1a1c64f8b4155e541999e2b6d9efe568d

SHA256
296ce629d92826dd00f58081e001d0c70877bd231040f44346c9619a81a1f6ff

SHA512
be2128b7f78f368d0516a0ebaec102174e3f6446533f921dbee069f06a6c164568cd5618076ca963129cefe132cd0049ca4002138f080276c7f7c3b5c702c73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b485bc22-8bed-4751-bdae-ba0f20151255.tmp

Filesize
176KB

MD5
b3162c6625f230d0a4e8075b5754e50e

SHA1
a4e9a2f9022a5a81867f26373fdae2b9bc03c6bc

SHA256
24117090fc09efe19b5bead6597c7988d0628e7c2422d5495bb7accfb73c2ff9

SHA512
cabca0af7dc3535a0797df9d4435bfa446b849df0bb5add56a050ba618ad3a39e197a9350a54ca77b51079958103d9c489d42abd839c92427518910f5907bccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\15002B45-3270-4879-BF21-F7C537CE4CA1

Filesize
156KB

MD5
fba60e305caa8b30bece0265ead326ca

SHA1
69e8ec85d784ba3a722bfab36e60d9a24c72b83c

SHA256
58c910fe69e0f485c687150334e889c337ab8d6880fcf56f8de11c4ced268ef1

SHA512
dba7ee9c46d8827b78e4f68705d8c0c8962cd6c8f52615da7182a4ca3707c57c19cf946586ed3af5c4e9dc42f217a348a462c75b04155982178913170a74e610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
9727b1893f4a4adc3107a50a77813c8e

SHA1
93f76aa52461deeeb49672f7dd497cef15470186

SHA256
a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51

SHA512
acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml

Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\New Microsoft Excel Worksheet.xlsx.LNK

Filesize
622B

MD5
d1a71762911a13874fdd25fed5337bfb

SHA1
4a2e218a59dc8dee6d3993095e036ca9d7769d5b

SHA256
aecb51a5dde5001e9b912bf1ff84e0f14a51d4c6b93f00b65e599765b6d1276b

SHA512
03aa8b5fe30fc14a7db5123711938a3da16c22de3020655b1b06360dd7cf799470f6984c22a6ea207bd072314f3bfecf6ebd5e72104f9ac64b18ef8c667de490

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
267B

MD5
b5f6ab3e70e3f408e206fa7c12eafa42

SHA1
4edf76de16ceea77ff6ba3d37624c765fb6d523a

SHA256
6cf38e281a62ab5c6544f7163dd8cc98cb637abd55762639c03c12c7d1c287c3

SHA512
28cfb1fae03fabf8e842e85f7c04cf0429fd24a69b8b3052a56481e44727837329195bd14199296fda0803b1ec753b899924e5177360674ca819bf664d6b77e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
313B

MD5
381e7912aef508606aaae2cb3bc0bfa8

SHA1
1451b2c3b56aebe73dd76baa08c95d8a8e21ee10

SHA256
3e1b761b67bb5fc83859139dfcaafe83a6824595e3766f39e26615fe7187a847

SHA512
0372e43529f86600e52c832b234c3550a794b046f54735444c2d729259126d3414796ea8ea444fd5797b83736a51d3ff799e65dd0bba51d410979764e695ee35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
313B

MD5
381e7912aef508606aaae2cb3bc0bfa8

SHA1
1451b2c3b56aebe73dd76baa08c95d8a8e21ee10

SHA256
3e1b761b67bb5fc83859139dfcaafe83a6824595e3766f39e26615fe7187a847

SHA512
0372e43529f86600e52c832b234c3550a794b046f54735444c2d729259126d3414796ea8ea444fd5797b83736a51d3ff799e65dd0bba51d410979764e695ee35

Download Submit
C:\Users\Admin\Desktop\1click.cmd

Filesize
2KB

MD5
a53a00da8b89ce467a121613cd56d4e4

SHA1
e7a50d4f41b500d6066a6f3dc1c310102e6a6c85

SHA256
53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7

SHA512
84addbd6375e186c1abc828a99a2cb852a8d744734096c952add127439ef1066036a3ba501bbe5288e8bc791b4c9391e1b39831d69051fb1407237a091d1551a

Download Submit
memory/1064-632-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-862-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-881-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-879-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-624-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-623-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-625-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-626-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-627-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-628-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-629-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-635-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-882-0x00007FFD08F50000-0x00007FFD08FFE000-memory.dmp

Filesize
696KB

Download
memory/1064-837-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-630-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-637-0x00007FFD08F50000-0x00007FFD08FFE000-memory.dmp

Filesize
696KB

Download
memory/1064-636-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-638-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-639-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-640-0x00007FFCC7130000-0x00007FFCC7140000-memory.dmp

Filesize
64KB

Download
memory/1064-880-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-642-0x00007FFCC7130000-0x00007FFCC7140000-memory.dmp

Filesize
64KB

Download
memory/1064-878-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-877-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/1064-634-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1064-839-0x00007FFD08F50000-0x00007FFD08FFE000-memory.dmp

Filesize
696KB

Download
memory/1064-838-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-135-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-129-0x00007FFD08F50000-0x00007FFD08FFE000-memory.dmp

Filesize
696KB

Download
memory/4480-126-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-125-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/4480-122-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/4480-123-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-124-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/4480-120-0x00007FFCC9CE0000-0x00007FFCC9CF0000-memory.dmp

Filesize
64KB

Download
memory/4480-130-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-131-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-132-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-133-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-134-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-121-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-136-0x00007FFCC7130000-0x00007FFCC7140000-memory.dmp

Filesize
64KB

Download
memory/4480-137-0x00007FFCC7130000-0x00007FFCC7140000-memory.dmp

Filesize
64KB

Download
memory/4480-331-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

Filesize
1.9MB

Download
memory/4480-332-0x00007FFD08F50000-0x00007FFD08FFE000-memory.dmp

Filesize
696KB

Download