0f7ecea06f0bb9d3338a97a7124c03b5c83a0a8b9b17d730ee3d62da99d89ad8

Analysis

max time kernel
55s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy 22-11-2023.xls
Size

96KB
MD5

83397043e6a029c8328717d564f6b28e
SHA1

a9f7aaf1353a81e3f50f9778a6e0ce3e5e3b3cc6
SHA256

0f7ecea06f0bb9d3338a97a7124c03b5c83a0a8b9b17d730ee3d62da99d89ad8
SHA512

e1aaf233e802db60f738a5cc314c9380fa13e87a4aee7aa6c0c86e5fa79dba624dcf614820861154e74e0b12b46c108e10ef2d68f6df07cd8af1b6bc79dc43cb
SSDEEP

1536:s3Qzl3ZpWh+QO3uMdS9dSttRJwyE/KtxAUY4TtuH9OFeCtFpI25pYJ8gl2Q/fj6f:s3Qzl3ZpWh+QO3uMdS9dSttRJwyE/KtR

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "83"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\slab.com\Total = "85"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\slab.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\inv01.slab.com\ = "81"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\slab.com\Total = "83"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000047371a97fe0b046200ac64131680f0ef4a6a9be8577f36955bdc79652ba0fcec000000000e8000000002000020000000e86e34b06e6c52ab31e50ac9e1b4ed5cdd2754effbed97775f77536a1efb5fae2000000044ada5da229974bce25527e7385ce5e229342526ad47d7a061f25570632d258e40000000243962c63edc158ed4e2c64d16afe2e3c2b14de86009fa0012239f2a62e8ed30b5868249062056fae17b38dd5b4431a3de08acbd89e5d65072c6610bb67e41e4	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\inv01.slab.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000060319a7e50dc7ae2bf4becf249d7c0c619ecd84fe676fda854dde0049c3b16d8000000000e80000000020000200000006bf8e76e8a5e9c04dd24949dd3eb17c063b8e195f6d2163f87bca46a59ccfbd990000000def644fcc7c13888efc58c177a39744f3eddb54485f333532b9fe3cb9c18ffbfc55d121b6f868140c383c0001a717a1e732052daa6e9011e81d0f8b465a4c26283bb4e1db94a38ea049931c3bed26d387a794a7a23f0515b5dbbbbf00191987b63992d9bb8118fd7c571a7fa92976ba50d591a6482e542ca5bcd9d76d95514ee533948ff90ff6188cfe9c9447402211640000000b4d495c8e293702f4fcc427a623a35f10362b365edbef1ea3876ff8a7d17db9ceed4ee4584a5716010ce54a55463f5fbd05fcacfdd471d90a6e5abd461627927	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "81"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\slab.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DOMStorage\slab.com\Total = "81"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a5e30b6d1dda01	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2164	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1108	iexplore.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
1108	iexplore.exe
1108	iexplore.exe
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1108	2164	EXCEL.EXE	30
PID 2164 wrote to memory of 1108	2164	EXCEL.EXE	30
PID 2164 wrote to memory of 1108	2164	EXCEL.EXE	30
PID 2164 wrote to memory of 1108	2164	EXCEL.EXE	30
PID 1108 wrote to memory of 2072	1108	iexplore.exe	31
PID 1108 wrote to memory of 2072	1108	iexplore.exe	31
PID 1108 wrote to memory of 2072	1108	iexplore.exe	31
PID 1108 wrote to memory of 2072	1108	iexplore.exe	31
PID 2172 wrote to memory of 1696	2172	chrome.exe	35
PID 2172 wrote to memory of 1696	2172	chrome.exe	35
PID 2172 wrote to memory of 1696	2172	chrome.exe	35
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2112	2172	chrome.exe	37
PID 2172 wrote to memory of 2280	2172	chrome.exe	38
PID 2172 wrote to memory of 2280	2172	chrome.exe	38
PID 2172 wrote to memory of 2280	2172	chrome.exe	38
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39
PID 2172 wrote to memory of 1712	2172	chrome.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Copy 22-11-2023.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://inv01.slab.com/posts/shared-a-file-with-you-6iy6b3d3
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6439758,0x7fef6439768,0x7fef6439778
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2248 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1116 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1304 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:8
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3864 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2308 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2824 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3884 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2476 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3804 --field-trial-handle=1180,i,12268205591709572935,10266606689701430787,131072 /prefetch:1
  2⤵
  PID:580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
dec6bbe308eb44937f77160a25ee32db

SHA1
8f08a4b641b564b67205e00106ca6bd9ca46fc6e

SHA256
68a71de28f488586c2b169f4652347e0a1fd632d48a6d6725393607bfa18bc7e

SHA512
6c2d684af52588cfd34a682337749b829c2336b34d6add7e8bd6e0c641862c26889617b4d6e9f298fd177b89527deb696c493a205ea8490bb8aee60090a68475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a3cc6ca6a97183df84e82e052642fb8b

SHA1
0341d0b9840ded9d345ba2f6ef0c69713568380d

SHA256
c9e8271f64b24ae89bddc1f52e25e4d75675fd5701ea7f710ef048fb4db681d6

SHA512
83257a088d908e774834f544081e40f11103257d31f3eaf0531e039c8cdd710e639ce53ef6ed2b46cb790004a13e45c524d0bb4bb9207602165ee7fb4d388549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
d535dc81b5f5d99ab7f1c14763827350

SHA1
105894ece9592edd271ad2a0b3ec69cf0013351b

SHA256
ebcfd3892a81ed8640fed1fc93deddea71e31f1815191ec66e03c2a33e99211e

SHA512
e8a683c16b41b757fef80c77782b40640b96d1d476e380b14bff026f12a4682deb66a2012297bb6e06e3b250a09746e15721a0bcf966e294d002680fc4871c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
93da602b9762a2046418fa459fb7f15e

SHA1
57942c0972bc7ae553612c88ec48f71edeeccef5

SHA256
bd4136ab7ae3fab9d4bdcbb85df969aafbf811d0eec1953efe5ef6feb7ab9154

SHA512
c11042f721edea7089e50d4e9a890fce19869636e938a5c95bb5a25c128374000e0c875d7ff16ead05fecb451eeee54c16fecee688239239db185570933e8a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
630e8c30b50dcd81b107aa8f48829f09

SHA1
b529a9e8e74f1f1143dc9e2202456d94b69513cb

SHA256
88fa5b6f845cdba1821debe47886a89fe9a01dcb541829b334b3f246db572578

SHA512
c551133d3fb55adcfa57162eb2b595eab6ae78c7bb35273b010af91484bc6b9c7a640c9c5b19773358ead588a64f3dc356fb3a745beb3c96d8f041de34c636ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
74559980b6853e450c17d5ab053f8fe0

SHA1
89e32202d8da0662d29fcd48cc8ab52ab620fbce

SHA256
e67fd6e132ee52b4a6100789d5139c1c5ac57d61704fe709e6009ae24dd4ab1f

SHA512
9f854c2781142a166e662e8700b4644b32cf0efdb7ef40fc2b748c401cae17be9856b5429649316425a645ff6b0f6f6f3a592b7a5cb0a611f48a4810ddb82acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
6013334d8259c7ab17ace29ad430d393

SHA1
e41c11abe6adbadebcbc892a5e86c62f564296ce

SHA256
bbe54bf7fe0732b445878b6fc670ed28becd3e6e719300ca7dff503322c9dfa1

SHA512
d742dd22214287b0676bba41dd09164ab82bd1c0e253b66f5a195d8bc65cb2f719d2f844908c73a0e302a267ce2c48136c5ade652afb8381271f681d2a4b8d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
756559f9464a169c128bfde39c782e9a

SHA1
46689f0482239fb3e7d78025dd94b98535ce0a07

SHA256
b633be7233962397e41d29fef67a6f24a4262a8dfc4806fa33ab66086b405241

SHA512
1cc86c6059f5e983109e34573ecb85a609f58016421910d77215e53b3fbab49128382223f954abb4aa670220d4ffa808b704250571c82b634f43f875c708d29f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
86c7a68000c94bb6aeecc4407bd0047d

SHA1
abc6d606ed17de2bb116595594a2f53efd5f14d8

SHA256
24bf16630ea7ac6eaae4c2cd9113c39447058d1e29fadeef29005fc65361e578

SHA512
ab4f88e37305a41afa2b3888691b58baac5295982c2c610e1af76c6dcf0ffeab5807335e9151506d542f94556600c2c62d086e613201bd2768ddaa320c03fcd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9a936fbf623bbcb7e50b44d3e3ae613b

SHA1
1883289c7d746cb36d532801c44be0655d80db66

SHA256
aadaefb6e8dc8e891aec5356a1ab25676a893a89c49bf356871296b6369d822d

SHA512
f2b783be9187a56ee00540e9c06c49a4486c0f5983dce5e752f3a13d0f66fb214ea8d9a77cf1d49878e67ff336cdb63b7cb67bb67a1f1e5d626fa5ddd91b6db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
1aed36ed8c3bf171dcdabee953a489fb

SHA1
5679ea2657567cc192683dea6a8a1fa427b12658

SHA256
f1f5b0fbd6f98a1ef9a8433d016ea0cc9d6bd960e49915c86c6137315d2be0c6

SHA512
230b5c4b22f417ed544359bc3504187b9b11b94ac0c2b238c590c94a2a0d04ea50b2048cc91c36511b1107bbbb434390485f5a81e0630e694785730d5a6bd35c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
e16f28de6037e5957ac70d3e9eb0ccc8

SHA1
95992febca732924c24426489bbf65cc4bab2fc3

SHA256
bbae593ec4e18c6dcbcb96288a48632e455a511a82b4df8afb8145851c61788a

SHA512
e2998f13cb9558879e43e13c668c8a4e586cb5867361e55979ca377413498080140aa22c47a52c665c8654d3206f8eee164fd93ee6357868d35a5dbf6cc067f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
48952ac47d2470de0b53b851dfa5a15b

SHA1
f0f82c91546b5095462c495b2db843bc56bdb05a

SHA256
aba047940cb63ac00f4dcddc4a1f9548c9254aab4e64e5a0c29f97b0137bc577

SHA512
ea9e885c9bca932d3d50d98889ddf39a2f0d0e2d3243eaa234289ed1497a79d82fb2c28c3df3a280c76125d2fc5ff147d83f704ecd7f786f94e7d3c13f794cfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
e61585e368e0da9723f20e6db23b4085

SHA1
e7d6c2c5ee1db891eb40c27db2c6a0cbf3a1a480

SHA256
1bfc3d272ad3c5dbaacca7dd4dce0535cba53ffe400f78e28597ca29e37f0068

SHA512
85c230280402f0074f6f6143ce6d2c809680535011b5e879af5250752cb184402e9427861764449251826a57319bed6f7677db8263c2cc35b9bda3aeb22a3183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3520b8e0d2172eb4bab01b5aab6fe27d

SHA1
7c0c4062a9b04fd37ee2cc48f20a7bce6ce56adf

SHA256
317a7b7e03cda41340eb66009f070810fa54d23e8c6857e8376d6a6df0c5a11f

SHA512
1f620f1139b607033022a0221667459efc02f48113041d8d0dd3084c8c38c10e39c8ec8da990ebd86e581052230a6b1ef4f242af0614295170b0939b052c5fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19f1e8011185444384d0156b8678b062

SHA1
06b5e8c8ba902670c9a74c26c3d55b65b6c7c283

SHA256
4271b6863aeecb5c7a53502dcb6733cfcec7385a5cb6e71eb4aa85a1715fc727

SHA512
7d04f65a0888f4b43bceed19f9395e7fb34f2ce84ba6e11673f4b78156b2089574eef0bb2aea75905a6b917d3cf2ef6f9a53d9c2bc92a63efcc09bcdfc2a0299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
250288e4bc43b1951d091ad08ae0f817

SHA1
59ea95dfebb5cf4d928daf07d3998274bfa9c3fb

SHA256
6718c95ac28ad20e0e46e0872ecbb54104cdef34fb8b6c67a5fccd806921f3f8

SHA512
2b394b1113a95433fc81dc5cc6fa850bdd99a150cb60b000008c8558595cf62f629b7bd31dfff58762abfcb602fce3eb5b5900856f923fe9e2a9bfbee2584bff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5e1a1978e7d313c91c442de693ff836

SHA1
8ca1b52e4df5f76fd25a50d86b0a65c761531789

SHA256
534e4416b7497b3af095e22de50660a73fdb3d8ff0d50c29c20e7f353d1a56a3

SHA512
dfd5e42d6c1c5cbde3f03f2e26cbb1d30bcd4c8ad2cf241638d09d639d5423a4edaf493f00f6416e41f721d1a86f139a0a042182f9929829328265f7b06a33ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcf5480984a324cefeeeb85b5ba4b226

SHA1
b934f14ae6bf0fdbc94a838b88e0acd3c89a040d

SHA256
9c976a91856ac239c34f31663a035e9067029ec015fe46f2d3c5a227c4097d01

SHA512
e81393e77d7558441c5e0bfe694ec7a363741f76d17d7f2ade4b64722f5a1888d343c9901f99dd47dbcfe2892cc0672a04da2f058534344c9670c5ef15502d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a841d9730843c4579caf63bd6c6b161

SHA1
4073fa60ddb0a8869492f37da68d1d6c4d2d8ee3

SHA256
f8de1fd4e166bedcc2e08e7cc26d7b67d383909f15cbaba4c1d9f2f42f05161d

SHA512
908139dfe9e242b13f0e5a312e40a0904c88de5c20c433434f543ea274785631d903a5d486e0496ec788aa85588ddb216e8fba167d6eff8306189af5078dbe75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1f69015ba41b169137a407c6cb0132d

SHA1
651be5047bfffa45b0d7f716c9d6d67b6380ffab

SHA256
f7cd8a3f620d057196bad7f510b7bacd586140f8a29e740e6c7549e59fc231c2

SHA512
b00f383d5120229503e374b47360a0a6562ee17c90d098cf92ec0706b050a344769fe0cf61ad1f227caa6a7afe0a909bc39f3db8965e6f9c5947692831f9a901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcf11ba534fb8d0190b64d6269790855

SHA1
63e982fb6e5aad3e7dd4960e1843966e9af3dd5d

SHA256
288e64cb79b1207a01bf7d5e7270c3ad3d17df74ac5a8cc771fc9e5547f74f86

SHA512
7bbf39ca8b9ba18f2aefc4ef7f7ed108cb00aed9e5239f1c3f965c4d920fdac0e5c09bf46c3e43e972aef51b82ba0b1ab4274ebdf96f20b6b98cd21864c55310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db6d3f16f7d4c131515076a9d568b7f7

SHA1
f0bec12520446134a8551bbef8c7f364e42e8013

SHA256
c4984039ea8912cd014a38afdb8ea4a7aa641068dda6179143d817934412f262

SHA512
04e3077b3edc8c59e83cd547b6da739914d48bbfbd64652d9a786f193f339fcf39163f75b6c40f9878ebc58584d9dd5c783f177a263cfc297abb1b157683903a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa49b352d87658a338c50f629f8d1bfb

SHA1
2b07a4ed7dab7d32601b5fa6b4e7f369df235aad

SHA256
3a6345118db4de44a704445aaa58a9c8af384f249251213752bfbfc1a4efd894

SHA512
baed560d30766c5342b4a51757e9a608ff4a88d6519941d6c0620f061db6bcbad94633dfa8d7113da6c784322ca6cf51ae7ac2c8bbfa92e8dc7cb2fc22a6b7d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f2520d903ded46a9ae5acefa3fa36c

SHA1
7df786caa51d03330350d6bafed676332cb3adea

SHA256
19c7af4298e93dfccdc4c7736e9d5123581051e26508181c0dbedea73d3204fe

SHA512
575d6593b3afdd8a5bf28f2a4fa56b9a2cdbf822fab924dc39aae56833d0c0c5a454a8f3712d5030bd0bc3cba501fb83422b277750e13536fe9050239f194d95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08583f7cd33cd3d44c49ffc44aa4a61f

SHA1
7058fe04977afd1be705658d1d63bd8cb6445d39

SHA256
acaa957ebfbd19bfcd5087a74827ccb67652afb792db4851bba5a3a33d88f72e

SHA512
823b31e2ea6be8cda7b6545bed0160f4ae1ac50d560a2ba168b6a8aa8f1ec710500a6f13b5c934c724278917d813b05f895fc8136a4b6c1cc136f8239151fd14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ab68704e7682108906e640596482035

SHA1
d99c31090f7a16331fa2f187e407ca111b886fc2

SHA256
d4d97c2b9124f305cc80df005e18ddf59832d7e44bd761eeb924a222254ac739

SHA512
ff8284d4daa497029f35417031ccc5848855ac470e41734da1b78606e4c6d1d0700119111f94f82a82ead8e4c938abf655ce4d6c5f82bb0f6ccef0cf6dc55e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d350b2143e313cb28747238a8711bdd

SHA1
107710594d77038a2d78348bfeacf628a84efbed

SHA256
4854e4b14d4e5a2dbcdf7cd92d2c54c871e54fd2236da7cc8bdffd1815dc79ab

SHA512
6b7c33958d8347c28cb46a12282e10f8d78fef07664735279316044f68f4091de664215ae6b25b7583634b012a47d3bfcc5c1de9567f452a2fa7880564bf32ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f507869b60dea8781da55d237ca3d1c

SHA1
413428260b84c55335ae48d836492b45ce2519fe

SHA256
e98ae4c9ea20d3c569debf5df011f3595293c7a2d433f8321509dd7b4603c0f3

SHA512
6b522d70c6a281cc92f060076e5e7749a31d1856efc43540491379a45006f1a20cf96cc3fb902b7a1a9c345c1431ad4ad929d16ca8b362430cc7f2e39a54a0d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b46cc14abbf59cf59ac62f667b5d289

SHA1
c8246e7fa03fb75bd1640437031592dfea2c254a

SHA256
756c237e517eb04104b16f7dbfd0d429be8dcca474f08307abcc443b6d7725b1

SHA512
925c70965a9d296c3d9a44beab4da2e5b551d381086760beacdbf13936acbd9eac40aff1b8b9282813a88692a5965b2a7996313e60c05c5c3c137ec732a75897

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0942badca7c99e92fb02f7a066884156

SHA1
804f21021873fd49f8b9627d98e323cecbd1f577

SHA256
b43dd8128d02f367978bb2489c7ea3e0294ecc8e665f91abca75eb728078dbe5

SHA512
c66d45a7a632137177bd1dc02875ca98afdba7bda01c2abbbac0f2f0de34a08b7bb40950ed32e2bcfdd190faa4cad6b88ea21f40087c9857341ecb82d04162f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93cbe0b115124d42c1de078e36e2cfec

SHA1
78205a3620c462da29e66ed1605a04bc27a7e6f6

SHA256
2bb4784956590db6a69392789639910f52f486d91790f04e3b8b695d1def8fe5

SHA512
e1d1638d1397e9eef7782b5c76c326b5bc239f5131d272c749c8302754ebe2a9d7b0c32ceeb426875ef9ffe5d462c6bb15d091892e1f406f8f48d528ee495bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18d0d0805d5e3f43f949d6504440fc97

SHA1
b440e1c59da861c4d8863ab00c0c306d365814d5

SHA256
f213a07d1b7e35195aebc24f23845ac336935ee0cfb684982116758f96d5f219

SHA512
6a42f8be3633b302de977af3a75092d02783fd933550bd7762e4614fcc6c5703d102dcac8c7d9fb941f6607cddd7f006a3f298fd5d78e213835e1da73c1aabdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8641f959a01383dd282a482fdcb280f2

SHA1
e0712c2c937d43987c1ca17656a427cd11f6584a

SHA256
bb96acd591aa64fcdae654a1bafbab8a5977b7ca35be3bd89c398f633b9176d2

SHA512
3bc70066eb9d586685d818a1bcef214ac86dd2856d25cafeaebe8c3b152d132d66f3dead81d6067507947d82eac58d864f88c0291a0d297d492bd19b3ea4db89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d23f4e2942de76ab596ebd2326f533ec

SHA1
de6689374314d8481fcc42330deabdabd4ec7077

SHA256
127a59d6b977ccaf29362365ef8ad5de244fd7128b074071ae10bff1070f0a95

SHA512
bd3e88fb6cf78d25ae270455b21eaa46e34f959f87d5592242026c0185d6764351abc3e739c55357a81e38f9173bc090c96e6a0d0c1f95d154106f7c94b38faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddb68a98afd5cf7d1243d718c1fcffe2

SHA1
a24533d77c1cad984c314d24003c9304dfb39dc9

SHA256
e6653d8998b9654ed83a06b45a95bfcc63764275f271c4142ea9c819b4e56df9

SHA512
b3627c5fe6bbd91101e3f779cc4ea590a59accb313614dfad2999c197724209675d1fe36d11be0945a71402202d8e7a5612d49b227bf5ec75b45588ba5eed939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80effca43e34b504b7c1eb748db1d8a8

SHA1
e469d31a99717319fb9f0f7bc0d4bacb8b4d32b1

SHA256
3e8ed97ee7da562d32fa6a1c7d8840dafb2e27f943547c8aabf5549a3f7ef67f

SHA512
2ec296e4b5ec93fe3e276e731c9ef9ded47f1d9c75f551868859c1eb896093b2ac974388518780cf2ffc9891d2bb11e1fc774b194840b68ac58658b1ec866af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5d0d34e1448a320d9bc37336cc76666

SHA1
eb86a564cc5fbe6e0901470371e45fd93f9c41b7

SHA256
95804bd03e066070539ae8ca634d51d2d6df4f4c1871c4a9423702de2e29a3f8

SHA512
5b352f1941ae09c12f6b9eeb225baa255fc098cbc03b0f6cb11e696b379859fa8d72e93ee934a8faf7280586e26efbd31418692d29e56c95cae20ee338ddb745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
283ead9b4fce99a85f5514b6224bbd48

SHA1
2a6045673a3ab048a6e83a2953e5a192a8e5b174

SHA256
67549c2ffe85098aa7cb5dccee5775e953f05424f647c1c5f5edf28dddbcadf0

SHA512
cfcd7c048fcbe8ec423b2336da4b8c05890650ab568270086877478ba5b9538f65bd483e55887d460430f33d9e85c47fcf5b6327cf26a5c522434e1a12a17ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14ff8f17f2e95c3eabae0ef3dd3674ee

SHA1
c9ff316b405bcb42670139b42cd4629c23fd4a1f

SHA256
44fe73d0243fbfde9fd55b32fa38d7943867557fac8ebba988d77e131728ef6a

SHA512
88631bded640194aec0a832319c2c391192d16c76da6aa041380c760408a4f1d7d5cbe5d57444dab7d9e3b8ad36f7b525c83f03228d876c407c952412aaa1a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2571f30167384b4fbaf59d2fb505b9d8

SHA1
606a31269047e89c053373b5da159706e0ca3121

SHA256
8884e507188cd8eb2ef798df6846115883c6cb23935e5b40531a05f6766a99c9

SHA512
b5c12402f593604fd24bb30fe2666969648047db2a7d69a5fbb268d31bb82f686ad0ec147c23618bbb23e8290eeb2e0c12e265dc4f7880f36f6ad1dc88c7a8b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
a2f116e9a5f62c28785ee7f5539b5599

SHA1
a10aa1a5734a296cc4a1a0963aefffd8af65d699

SHA256
4041bffd92e58eab96538bc1f693fa5fc9530f204fb017f014ab6356b1367e1c

SHA512
db456e9ba57ae7af8aecce76c0b2c56f298238aabcf15f6dc87d635f372c54f0c9c311fc0bb10adda08e195029b1684ca45e6c14992b62793fdb5749a4dcbd8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
0a29126ba15b74d5ee71a0457cc3c70f

SHA1
38ab0c0158f03beeac9addc79cc6cb7bb6c5de64

SHA256
20fa557603ed5fa7f24adcbf3691d3e9cf00590d8acf0b0626aee47230b3c111

SHA512
349638ccadf15ba0ec8c5fa933491204ae67f92ed002e24ea8618d08a43e09142715db797486adaf4990552a8b25b654f4d4afc069f01b91221bb860d181798f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
82bcc3ebddae3eca5e7510a1381cfcbb

SHA1
b998b39964d1be961346faa8a410796acfd54860

SHA256
2100d4901d482da1d767f5936864748d7a643514f65dcafccf7612716c561f06

SHA512
37943e632224d9e3c9be1436d7991be056a48fffb6c7d4f4a6d3911d2d87aa75c6ef26e4e1b3d0ca1cbc5b0de90cc224e187b51d517138aff528c562aa80d62b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
82bcc3ebddae3eca5e7510a1381cfcbb

SHA1
b998b39964d1be961346faa8a410796acfd54860

SHA256
2100d4901d482da1d767f5936864748d7a643514f65dcafccf7612716c561f06

SHA512
37943e632224d9e3c9be1436d7991be056a48fffb6c7d4f4a6d3911d2d87aa75c6ef26e4e1b3d0ca1cbc5b0de90cc224e187b51d517138aff528c562aa80d62b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1ab637b6-55b8-4cdc-8775-332f002ad403.tmp

Filesize
5KB

MD5
ebaa36795854b7c75925fbd9ce36b5d1

SHA1
e06b851db5a9a67f007e55a9b6e982813131db55

SHA256
634a3bbbe2b69ee314353dec06bf3e805c6814322534741f09a5f706d09f8b52

SHA512
940fe4b0284a4f86900bd7bde03ec28552e161399e44cc8febf14860760d302b01858e8647bf124a65d18faf5f90f9e67794c8c5285ae7f657e4c68f37f8321b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_inv01.slab.com_0.indexeddb.leveldb\CURRENT~RFf76e4a4.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5eb693a31258122180aaf4f815bd2bf7

SHA1
96ef2c5d90ab2a6d058ee12fe0555276ccefb1e3

SHA256
c24e5068209608524fa8affe0b66017b0f82af225dfd0ce71fab44c114a01b27

SHA512
c1f63882c08a5e0ff1e2d0080a9c173533869edb410047538f04684eb88e5ef996ccf5bc5a602e3ff346d7e0a6752b1055a9f958ebf3a0bcf1b4d4207dbd2f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d7cedcd16e95f597456108ab141ecc7

SHA1
03d31b5e4ef13eeb58db8f58aab5116701041144

SHA256
d3ecb6d86bd8d42a601059d963b12ef3621b13325d52ffceef5cf1011960d197

SHA512
c69a2aa38a82ecc7820366bc8958cce541d1d28a1c64448cb3b84208d62325dae24914461427ca164b621b7a7fbac79fe6ce8cc86150256025a53ff1d70e9587

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9949e43702530313fb6d3e6945bf225c

SHA1
44b349be1dfe80dc949ad103a4e843c6b789f6d0

SHA256
73b9674f9ed260f8c2032469fab74c96f6bd29e1c93597f5b8199eb75f0c7d58

SHA512
1cef2fd49ac3d1ff7bb674aa0f4d11c75690c3bc8ffbb7ff48a8077f60e5c867fbf301119f01fd380545a5a396ff79f0e40a8f41aa73e6e40498a22b616322d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
9c39279e9c0edece1db99c729067941d

SHA1
110ad55534fbe83081c4cc3b8d5425b2043a3a40

SHA256
5c4a2e11f8bd36dd3a600fa9660bd941307b4c94ff5d2d808a65699d2d428087

SHA512
3ae15c7b3ba9948a2301b6b8506ef5b3d1620aa4690eedcc5abaed578df6fae470a05affa71cb84442e200c5bf67c6c29e072c90e2a2a3e442df83017caeeb23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DP40IHQY\inv01.slab[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat

Filesize
4KB

MD5
045e92ab168a772cf11ba6ef29c39fef

SHA1
8558e54cc442172810f4bd67b7a37f98e62d4449

SHA256
ba16092954958770106396478f93ebe7f432f1e9f0a08e4dd5b45c1898e3d7c1

SHA512
cd37e3397057fa71023f792f7e288da6fb04b978df740e51685831a5f6975d812251d0310b078e102590287ad1f0eb7e86ac1e13001de2b019f6bca525b58403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\favicon-4cd04a6c3329f76935c9b946f0cc2902[1].png

Filesize
4KB

MD5
abca6bffcf8f2367a3df0583ed6a283f

SHA1
4d3d9da14db9bfcaaa15cac8a799053d9f34004c

SHA256
e61b8a267fcc7c112e697e8ac305bd3cb3748890486cf733af2f8d91876b1cd7

SHA512
4461d66d9a97bcc302ddbfcc3f905bccb6bcf4bec76d2581d57d24696c63a14d5f6a67a2f358ec238ed79d4b0496edf6cfb91fcc021dea708250b085a886470c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7T67LI6X\favicon-d8f2f390483a075c9bb320fd8c2536f8[1].svg

Filesize
934B

MD5
d8f2f390483a075c9bb320fd8c2536f8

SHA1
452044fb20dbabc7caa1e28fab69332aa2d4c9ec

SHA256
41f2b485d051c3fd0ce738a71cc5cc2e1f459f8ba4644716c20511258229b37f

SHA512
1099fd3a3ec86c4b56ff3f9232cf35d2624a06c632e154d5edf5171cf27e96e8a4d1faa8ec90e84c1c94dd602d6693631b7054910cf4fb0d8917dd7708e3da77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\shared-a-file-with-you-6iy6b3d3[1].htm

Filesize
17KB

MD5
955dfda9da58277822905088922cf706

SHA1
c70edf79e01ef8f08c4f29e0c2f86356df410428

SHA256
c854b8fa15f6d906687bbc089d5a64df81779c5941fe4c1bf4d8bc949106f84d

SHA512
038d87006898a9ed43decd2024a03d1c5df66e727708b418ce4f4edb63c491da1ac195fcb3026d7d144b9498ec7691bb4b1075dae124401c1a3191788c851c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab718B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71DC.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VN7RXW7X.txt

Filesize
83B

MD5
042e5b4ed6d2a790cd5a6ce29ce487c5

SHA1
80fb93efc80563e0d4475cea7f64b6634e83d9eb

SHA256
b161cbae8fa820a4a02627cc8ba23a4ac3e120b5eadd96e1e3c2561b38cf5d35

SHA512
b5a3e453f090674e056770401ed62939b7fdb78702c4be377a17e941f6c7309b29dbeb704e7bfc7824c56448ffdb5b49e218a42dcdf46146e3a847285806bb62

Download Submit
memory/2164-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-1-0x000000007279D000-0x00000000727A8000-memory.dmp

Filesize
44KB

Download
memory/2164-866-0x000000007279D000-0x00000000727A8000-memory.dmp

Filesize
44KB

Download