9c3d3d3aff7f217a777fdb3ed497d813d91b2aee906374890a88f11b6993bb01

Analysis

max time kernel
132s
max time network
242s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 18:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1s-root1=email_banfield_2023_10_05_14_SMTP-att-1-4S1YcV0CkWz1jvln-2023-10-05T14_20_26.eml
Size

25KB
MD5

7827f7deca0e02f0e78f119a6b1e1dac
SHA1

04d95226e6852287f785a25b9182f60b325c9dee
SHA256

9c3d3d3aff7f217a777fdb3ed497d813d91b2aee906374890a88f11b6993bb01
SHA512

8d19e99353ad108b4616c17a17806255fb4a411ba8feb5b3bd0da8dba091581f2f716bdba78582aa4a2ea8662f87bcd4efce959e9fa4b6aaa15d5a2f68f63a4f
SSDEEP

384:3N2GKzm5JHlkT65uT0Oj8V6kghzBxoMKBpEIlxHPXIh3hxU/F3ke:38zoJHlkO5qHjLkgYxv4hRC

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402691137"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b0000000002000000000010660000000100002000000012894a2f4ce8a10925053f2667fcdc25091e58353b4e92913152799a327cf4a9000000000e8000000002000020000000065b31e04594db2d167e569d322aeea2426b1c897b48f5e5ddd0107fa3c4cf5d200000008108a28505ee2ff55c99eb7850de47b81fe0bdfca682c9961b2cf5eb6e5671634000000087a84db19c5201e4c8d853733362688c1cbb8c9582db11e048bec38ad55802fa047db6b9de1a32c9cec064056b05fa283a62180960e312cd9ab49222ecf0f0d4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604c7feab6f7d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14A778F1-63AA-11EE-949E-462CFFDA645F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000508950e20eaf33dc60c104c8b3fae962255dcf7957d0c1df8c4316bcd310f1a8000000000e8000000002000020000000ba06402889423a84a652b68eda4d36b86f35ae5009d695b03596c204ae84c5a39000000004e00e2c125c9d04e03511d436edb3396b5eb5591cafa3781c5eef42071722552ee84ddfbdbd570a44b0382c7cd4b36fced881f42f3edccd7dbb7130f8d14e9fd3fb2ecbc20650c600e5c2ccef6862ef1c0975270165feac755b210334446ac0dd74dc2f0c959fbbfa6acd3c52a14e387e7e001f6a552312efd22b171f6757a9c2aa7555b25ef2690025c8adc95b56bb40000000538c7f4453012a0c7e37c637f23011bd6f052bfaff04e14e2fb8289e405099b489d3d6ba57c03659268cdf1cbb27298af98ec65115abfac1c5d7043d72a850f4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ = "AddressEntry"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\ = "AccountSelectorEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ = "OlkCommandButtonEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ = "OlkOptionButtonEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ = "_OlkSenderPhoto"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ = "InspectorsEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ = "_ReportItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\ = "_TasksModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1896	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1896	OUTLOOK.EXE
1084	iexplore.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1896	OUTLOOK.EXE
1084	iexplore.exe
1084	iexplore.exe
344	IEXPLORE.EXE
344	IEXPLORE.EXE
1896	OUTLOOK.EXE
344	IEXPLORE.EXE
344	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1084	1896	OUTLOOK.EXE	33
PID 1896 wrote to memory of 1084	1896	OUTLOOK.EXE	33
PID 1896 wrote to memory of 1084	1896	OUTLOOK.EXE	33
PID 1896 wrote to memory of 1084	1896	OUTLOOK.EXE	33
PID 1084 wrote to memory of 344	1084	iexplore.exe	34
PID 1084 wrote to memory of 344	1084	iexplore.exe	34
PID 1084 wrote to memory of 344	1084	iexplore.exe	34
PID 1084 wrote to memory of 344	1084	iexplore.exe	34
PID 1136 wrote to memory of 1160	1136	chrome.exe	37
PID 1136 wrote to memory of 1160	1136	chrome.exe	37
PID 1136 wrote to memory of 1160	1136	chrome.exe	37
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 1268	1136	chrome.exe	39
PID 1136 wrote to memory of 932	1136	chrome.exe	41
PID 1136 wrote to memory of 932	1136	chrome.exe	41
PID 1136 wrote to memory of 932	1136	chrome.exe	41
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40
PID 1136 wrote to memory of 2056	1136	chrome.exe	40

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\a1s-root1=email_banfield_2023_10_05_14_SMTP-att-1-4S1YcV0CkWz1jvln-2023-10-05T14_20_26.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.com%2Famp%2Fs%2F4neverroses.com%252fdreams%252ffocus%252feu%252fjmsrtq%252fam9hbm5hLmNhbXBiZWxsQGJhbmZpZWxkLmNvbQ%3D%3D&data=05%7C01%7Cjoanna.campbell%40banfield.com%7C6eb9e9465a49480cad5d08dbc5ad76bd%7C679f63d1e1854a47a081c530ccf734f8%7C0%7C0%7C638321121070413590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=hxDr%2B3HRvhN6rYA1I0QeAiIOzLABBe5OTEAMf1MYR2o%3D&reserved=0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66f9758,0x7fef66f9768,0x7fef66f9778
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:2
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3276 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3792 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2616 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2672 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1672 --field-trial-handle=1288,i,4957301819978366484,5661971563671008126,131072 /prefetch:8
  2⤵
  PID:2412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b4cec08d2cf9bed102b23e28f7a9a50d

SHA1
bbf68d9917f585fff5b65c4a33612879144d1a44

SHA256
54f10e3715a6a697ad1ef4c3c4d44614c32a816467bd1c1dba5af3a5796b303c

SHA512
f6cb1fe4e51e6980ebe190188f5a563a0b7e1669ab2a70b72eebe0ee69b8fcf384d1099fd973cae480943d0470021d91ad7bcdbd2c71ddcfad08f13447625bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7e526528fd7c641df27f98425486a8e0

SHA1
6d6bd355eece1a3436b3ce6a3d842fa1ba608874

SHA256
17d90bec67bc6491134eac4d4946ab136f09350cc865e8c1a502a570ad7564fc

SHA512
d5b91d0be33a99a4533a4c65dc92791c188a0b05a57119b77edd3648e8c28b148c5afbbb51af4f30a5eae9ad154036b1cc7dcf99fe46900286d4269a75f017e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5186f554493fec6387484da31507491c

SHA1
d9a601b3914f322c3c57dd5fbbadfe4927760a79

SHA256
52b8909bc6484ae3562e1cf14ca572104959f3dfdc26683452a21d1bd855f47a

SHA512
f715f88f1439c93a4204af0305ce7c565bcbfd122511fb5c21b3c06a13a64e080c85e215b622722429011b4dc986ce5fd30f752a9134b344c10d67a605359ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
745a918d1ee15d7906aa6fab93081494

SHA1
b7c2103a99dde3122c5ce6ce5031f207194a5f3f

SHA256
e9e1fb5864c79a955c2e09083ce34d14df2727a7cf8ff6f1d2c96ef03d79cbdc

SHA512
539fc346a95db8278ec4ed056012e6974b989f5440911738e2da45288d2121360a7022f562ccac8e40549341cf261abc4d9a95ddd221f99fb72dec9e65e5ea88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
544b2a58182c11cd8f57747f2265ac64

SHA1
30ad3a7282120a3fb380068e8a4e93f3aa9635ca

SHA256
0bd9ae474f5331553e183926b10844280515e45e0e4a2f91659980702531655a

SHA512
9927c4eb262815066edad3cfbe392b01e1502eae53759577af8a7a95f888ba1a193f9e78eff75a94be4310b01fcfc7d7d77138894a09392b943a593dd9d2a34c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
23069a8c2b4a843c4b62fd58430c62ca

SHA1
3174f8b476ac71f0e6f6d32804669fc2e6fa61b4

SHA256
52521cce97f810be67d820f9313286763729564e84d0be058c6771d08045aee7

SHA512
1bd71a10e4a7d1ae744003fd2810ce940c0afdba669875bfaa6028660a51ec9edbe817a916b26ea12f1b92b1adc93db29ab6fa3bbd6e7568ec5b123af44a25c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ce2f449e144082b761154f3b404a86d3

SHA1
0578e179aea22b97ef6b3550e8fc8c67fe578d08

SHA256
04c39284a374786eb45cf9339dcf8ebeb842289fc310b9c8a7caa5e3c5f8e5bc

SHA512
ae4ef9ccf5e0ae43f8c21785da075d771670f8046dc5830a7a4665a43dd193560904685a1fc7e1435993b69ea4e910e08b887afc15df1ca32068877a72fd8387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a55660654cc70b46f3fa6914368fe3d5

SHA1
3cf92e7354c2e96bf7aca3492a5f6144949d4fa5

SHA256
d1041fcbb75b5ee68cfff8ac23ce4aa99cad1d4307cacec233c84ac1e87c87de

SHA512
3260ead0e01fb9e50460c01242138612e9823e12764567d7791703f40f56aae8e6571fa223af4522d08d7776536b63772c3304dfad4c111f4f8ac6a2211d7c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d64dd8d8aee98702e7b9f5238372b163

SHA1
5178152e6f7c3066ad6da54073a3cc352a90104d

SHA256
e1e2effb42e52480aa48f640fbfb07ee4e0ff1fe4f16c50924e50f7a5670df06

SHA512
7cbcb5bacaae82f4ded5c2305f8310323f0f1102983ea62b3463dfa32a05c835c2556ea140049334cfd9bcdd6d7e4ea6db140d877428672aad158b41354c7e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dbc983d7a76a9f2b2016ee7d4f878073

SHA1
131f3c9e2cda90e88b51c604623f7c06c503d6f0

SHA256
8d0b1d2f2b14b2c43993769dec9d6c76c2ea51e8a902083819538d4cc842db56

SHA512
c5ae0358f82817bbf6417039260db46524aef2c4d84bbd32cc2bc6e6baf7ca6babbcae199a58ce5097dda6cce22705ae6f3f1dafcb11f4a86e87e006e8feb1bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f3ac1251f868713d37b426e94ab3f61e

SHA1
663c392d7e1aa9c8193c71f198bc9ee16c522298

SHA256
f364a7ec44a29b3be86fb5679d07b456fb88cb1bbdc64bd656eb9b7f77997dd5

SHA512
33dd825a08da31ce53e5ae618aa4ba35895f3806232dd8ae9db7a3574332a9b5bb89d666535f6538e662dfa4155eafcd3218d188f3b912676d65ae449fed7d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2d8410805d2ad915b9cf4f3944ef0456

SHA1
2ad0f0075cc8bbe91e1176b8c6586e00918c62c4

SHA256
ebe21a293d093f85c97f9ac7be03ed0fae707f34e8e444a4a4122157b2ee6b5a

SHA512
081a23195ba9b17166088d151d3a07c9cbf91b0fffd0e0c259445bda12bf21d86738b09d6b98a6022a15a250e7c4a6661795cdfea3f612df33107bf76a48c287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
eb7c1e021188189197916ef006e829b0

SHA1
4b894e43aa28933a0eb6a71d2183f12aec24c608

SHA256
dd656f0ee26a1ac75b5084da7682cc6d3621ba50e64526869c5b33998ec39c9e

SHA512
529480d93ac692d36e6431554fd484f1382fb40512031c173dfb4d91b448ced678705c952c785337ba2e4bb259c91259df84603d7d3d262b949fca0217195da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
eb7c1e021188189197916ef006e829b0

SHA1
4b894e43aa28933a0eb6a71d2183f12aec24c608

SHA256
dd656f0ee26a1ac75b5084da7682cc6d3621ba50e64526869c5b33998ec39c9e

SHA512
529480d93ac692d36e6431554fd484f1382fb40512031c173dfb4d91b448ced678705c952c785337ba2e4bb259c91259df84603d7d3d262b949fca0217195da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0ea030c0f3406d8b986f17a31311ffb3

SHA1
363d4ffa3cd45205cbb1f5c397e2d32c052321ed

SHA256
1722d6591cfb53a8478f2fba0e4556f997bbdee2a1140f7fd477c790ce6d62fb

SHA512
7117b43ff9a30edcf1c3c9871ce2764c96095c0d1b3f252857aef6347f6489930d04a451b5614f1df21421d354ce49d0eb62d24c0d6c8bf141cbdcafb9d4d34c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bb83065d1926d78973beff2c2e1af5ec

SHA1
1ecc9a0a4cb2189bf0ce0c9cc1c17064e4b624a7

SHA256
6162c272179dd0d8cf2376b0fb05529523dcd562045fe43f17583d46b8b15748

SHA512
534d5298c072ab4c35faff4877c1b6059fe681b4ca8cf7cb7dd692d98f0ee49cce90537fb2f41a0c479b2c27291c4093bff9ea53a4ce2de3331e69aa2345e45a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e25d61d6f643a5d158fa4ebefbccd593

SHA1
3142d1ef686d1f060812a5d837c67388a4671da5

SHA256
02f792e024a521a2aa7f9fd1d68b21e85019ebe8f5282e3bd50b2c0fa61fbdfc

SHA512
5e8d8ae6573a47f81fc98ddbd88fb55962d3e80a39e9b582e6e669ce2b6955fa3cd6de972f8f77734fbd3a784ec91cd510c862d53608215b4dceea397e99dfd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cf71cfb1e99f06bda5ea017bbf53daf0

SHA1
ee80eeeb54284b49dfc6c7bee906f6032966add9

SHA256
732d5766ec621b6ab5e0f2a7f964f1bc67a599229defa5b3999592d80627f5cf

SHA512
775451c2ea74537240ffe41b660efa8c5c4dd32226c702c086db45a909c6e78d019a459f18115b96ead2672a2bb2d4ea95d320ed23a08b6d39f6ea23cb8eb5ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3f99a7a1eb3f7fbfa2f7cb76b6d0eded

SHA1
b921acef3056e626343772931d3705d929bb78b4

SHA256
6f99986187c0fd350f0d1d7a68d14b96b68ab44ce4522ba38963da746a5b7356

SHA512
5df05b7aa646724d99a328a327b7cb8d9fe39f865ea28288548e68cb74affa5862cd9791ffe2872536195cc46098f20b7fa7b57d1ee20631791cb94396c0898d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
928cea44cd3864a252ddd31468e5262b

SHA1
9d7338b1d8d83a7a6e7afa3b27ca0a536a49d7d5

SHA256
461b1d6223a5d8884d7b58d4c3a697d523836d4be1572f0d3f66717b393b2f5a

SHA512
9875de8c278edccc0866d1dbed85537da793f2bcbc4c51b0c2b0c8d1c828e1b9d898bfb9ffead412784940b1ca5955cef4f33b6a1c33b73b101a80cd84f921ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8df8e2399cc4c32761b66a509ffa856f

SHA1
892ad3928b5242f0f55b9a1ceee44902666e3597

SHA256
4f05222330c0f5ccb375291bc8a5ea9e49fe7501cee018d788dd57abd66ea8a1

SHA512
8f6eb981a44beb82b3b33fa66399b9b8a9964b67a3a8a33169aa15155396c7db83e6d6a06576f880d585f4c1d7ea51c88d6e96727b3ac46eedc66c421c084b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bd60ea0a8c1b88f038a65a57bac4da3f

SHA1
04ab1e690dcf11ed9d172377f6f598591a007155

SHA256
5b17e05dd98689e983fcb3c1d11bd1dcfade67ef83e6260e0d6f10e3b6a79616

SHA512
57f55339b7481100ec478b1819a0616812c69da213d03836855926db3d160807594e010615b86a146afb1a5537c6c766503c9d55f4e301e453e31310aa375611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
737ff5f937db071cf854c07813875b5d

SHA1
ed8853fc11b02ed4f4947fb8154a2c9acfc39e0b

SHA256
acfd46b6e816c7c376ee3698e98f521ec9026633c54cb78b4644155b623f93db

SHA512
371286a44028367dc6b9897597c1a7ecfa5e61a27431e5cdd28f6531477eeb2691d4eb766e6ce76d6a1b2c17703a7693e6298d925515e57ccba1d1664b08a1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
185KB

MD5
a9673bd087b4e5e2cd21862f8b7d8054

SHA1
0854f56b37b3c7c3938ebdd75a79be32c94b281d

SHA256
d4226b650de255fdc92e6ba1b89181c445fa23e82e86a1de62059ffde35081b2

SHA512
3e919945421b284915da26cd49d55db1e4c5b0530cfafec936982e2b6f400e372b98df78d1f07813a473cf9f26699e9c1ffa555904d6d2b4fc819b2c202afaba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4f78f3de980222736b78bb9394b2f81f

SHA1
0a2413a05fe1cc9af271cae20eeca74149144c82

SHA256
8ea2ea519afe5f5b5b95b7b07c913a8c2a302609e4cade80753a2a5575db5ff4

SHA512
f8fd9670c93b3e9d68fd1a87fde39ce52e57289b3ddae68935fcfbff06145c907f43d61633b2fd96867641b4bab713232a154f37c9134772fc08b43c39f5357e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
8e59d6402cb378cf6515c69d42dfcb7e

SHA1
d910d21d77e59e6b1ad413aa16d2443f9dafd78b

SHA256
68ad15e8eac66181e96aecaf4254826c1f0c6c2f2ca724ea7628985f716d063c

SHA512
2597177cab2d1376abdada8adb6638ab94f840cb7823ca4ab84bbf8ea12a973d3ed4ce57365ad9eb7b3cb53d2c7eb47e4e356ee8aeae6ba75311c64fc37464d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8b1c7f136fa194df9f39579688d14ba6

SHA1
df4a21f3d48ed281c08b0076d31a581de7b1e57f

SHA256
e02725d39dc0937aa3c39ac9efe93f1e57952eaf38eb2caea2c00e1ea250ec6f

SHA512
68b808a55af27e8468dc8f799fda935d2d1496e88d164258c8928c75bf1d52faa66c868bc0e359e59bc8430ad7dc0d398afd8357e514128e02167f96997fd497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c63ff621edc17c3082cc68e65a48477e

SHA1
2eac35daad33f9e5134bef5573a7ad1f7fb9087f

SHA256
cd0a0eb75bbc6c5fb25f4bd7e8d64d3699a25898c158ad2f02859fb218225769

SHA512
548ab0ebdd8c8651d8f5c5d291fe065604c6415055f49f595199c38655b4d502a3057d78db4298f8de08490c208e5968251377abb21086894eaac266c615f3a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2c94e08fa77eea5298a1caaaec2d47a8

SHA1
fbd574a542533dfaf68dcc2ea3681ea3533db68e

SHA256
da1e43f3b84d8f22e2582db57a1a8bd926e858fe1fcd7fed479cb6075f76cf01

SHA512
6e95129d9a7f1b54d1b0ca29012e17b2c36540ad1f1cbe8dff06c0d626c04f0be10ff1cbfe473e3b28b96e2da908a52b6232deb9a770a833780251215fceb016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf786a19.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f8e08191-cd51-4957-a85b-d7329edd6f42.tmp

Filesize
6KB

MD5
53d6a376696fcf12af5940e062113542

SHA1
3862c77cc26f1110e538d7df0cc8e3881e0c548e

SHA256
9552bd1f85a9375492b59edace69a4807b08c0343c841437619d8cf1a0f0a109

SHA512
d4212db351200684d679eccb6029a6eec4daf0224725ade49f4059388f1020ec4789d11f4589ec80976fa3e019e9808001fdc9bc059df559ec2a5dad8fc61825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
18d98dae452cca8c49ecc58bb72e01cc

SHA1
81fa44cae3543fec8c409a617317012bd3855e89

SHA256
07e2856799c58737d60ec6f6c9d9ae9d121394868f89cf6b6026aa4cf9c6741b

SHA512
ef4e169a35c5ca0f9b5a7f0a612e8ce4603366fda790b67930b8e03c564dc8658cd7b5bec08f45811c5f5a7d03e5f6e43703192b5836a735dc548879f9d8782d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
18d98dae452cca8c49ecc58bb72e01cc

SHA1
81fa44cae3543fec8c409a617317012bd3855e89

SHA256
07e2856799c58737d60ec6f6c9d9ae9d121394868f89cf6b6026aa4cf9c6741b

SHA512
ef4e169a35c5ca0f9b5a7f0a612e8ce4603366fda790b67930b8e03c564dc8658cd7b5bec08f45811c5f5a7d03e5f6e43703192b5836a735dc548879f9d8782d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3298.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3297.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{908CC430-9336-4BCC-84D2-D34D7307CD5C}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1896-163-0x0000000069DA1000-0x0000000069DA2000-memory.dmp

Filesize
4KB

Download
memory/1896-124-0x0000000073E1D000-0x0000000073E28000-memory.dmp

Filesize
44KB

Download
memory/1896-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1896-1-0x0000000073E1D000-0x0000000073E28000-memory.dmp

Filesize
44KB

Download