Malware Analysis Report

2025-08-06 00:10

Sample ID 240222-11m7yagb33
Target Proforma fatura.msg
SHA256 307119554d57a79005b8b76c692ff226ca961b17f7f9ad0d43590556632d3745
Tags
agenttesla collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

307119554d57a79005b8b76c692ff226ca961b17f7f9ad0d43590556632d3745

Threat Level: Known bad

The file Proforma fatura.msg was found to be: Known bad.

Malicious Activity Summary

agenttesla collection keylogger spyware stealer trojan

AgentTesla

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Reads WinSCP keys stored on the system

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

outlook_win_path

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer Phishing Filter

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 22:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 22:07

Reported

2024-02-22 22:20

Platform

win7-20240221-en

Max time kernel

330s

Max time network

623s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.msg"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A
Key enumerated \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1516 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3092fbe7db65da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0B4E2451-D1CF-11EE-B2DC-EA263619F6CB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04c7ae2db65da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414801637" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8628F27C-64A2-4ED6-906B-E6155314C16A} C:\Windows\system32\SnippingTool.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\system32\SnippingTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\system32\SnippingTool.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\SnippingTool.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 C:\Windows\system32\SnippingTool.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\SnippingTool.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\SnippingTool.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\SnippingTool.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\system32\SnippingTool.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\SYSTEM32\WISPTIS.EXE N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Windows\system32\SnippingTool.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 632 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 632 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1920 wrote to memory of 2692 N/A C:\Windows\system32\SnippingTool.exe C:\Windows\SYSTEM32\WISPTIS.EXE
PID 1920 wrote to memory of 2692 N/A C:\Windows\system32\SnippingTool.exe C:\Windows\SYSTEM32\WISPTIS.EXE
PID 1920 wrote to memory of 2692 N/A C:\Windows\system32\SnippingTool.exe C:\Windows\SYSTEM32\WISPTIS.EXE
PID 1756 wrote to memory of 1516 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1756 wrote to memory of 1516 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1756 wrote to memory of 1516 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1756 wrote to memory of 1516 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 1516 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe
PID 2848 wrote to memory of 3048 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 3048 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 3048 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2848 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.msg"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://ddei5-0-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.mediafire.com%2ffile%2fn3pynq1ahyj3sp5%2fProforma%2bfatura%2bpdf.tgz%2ffile&umid=FF77B1C9-11F2-F806-B0B2-939DC61042D6&auth=63cded8e322153b72c43efd522ce71164e75829b-43e5315b7c99def4ba82db1e7773f265cbe0e71c

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Analiz.txt

C:\Windows\system32\SnippingTool.exe

"C:\Windows\system32\SnippingTool.exe"

C:\Windows\SYSTEM32\WISPTIS.EXE

"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}

C:\Windows\system32\SnippingTool.exe

"C:\Windows\system32\SnippingTool.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Proforma fatura pdf.tgz"

C:\Windows\system32\SnippingTool.exe

"C:\Windows\system32\SnippingTool.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Proforma fatura pdf.tgz"

C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe

"C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe"

C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe

"C:\Users\Admin\AppData\Local\Temp\7zOCD6184BA\NNvx4SRO575DPub.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Proforma fatura pdf\" -spe -an -ai#7zMap3492:100:7zEvent31218

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x580

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\" -spe -an -ai#7zMap29106:140:7zEvent6907

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4a39758,0x7fef4a39768,0x7fef4a39778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2524 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3112 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3864 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3696 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3672 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4360 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3772 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3460 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3632 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3120 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=580 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1220,i,11883708639282234696,1167129311017963550,131072 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe"

C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe

"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\" -spe -an -ai#7zMap19660:140:7zEvent18176

C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe

"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe"

C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe

"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe"

C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe

"C:\Users\Admin\Downloads\Proforma fatura pdf\Proforma fatura pdf\NNvx4SRO575DPub.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.messenger.msn.com udp
US 64.4.26.155:80 config.messenger.msn.com tcp
US 8.8.8.8:53 ddei5-0-ctp.trendmicro.com udp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 8.8.8.8:53 api.bing.com udp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 52.10.22.132:443 ddei5-0-ctp.trendmicro.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 104.16.113.74:443 www.mediafire.com tcp
US 8.8.8.8:53 download2294.mediafire.com udp
US 199.91.155.35:443 download2294.mediafire.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 www.virustotal.com udp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:80 www.virustotal.com tcp
US 74.125.34.46:80 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
GB 216.58.213.3:80 www.gstatic.com tcp
N/A 224.0.0.251:5353 udp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.187.195:443 www.recaptcha.net tcp
US 8.8.8.8:53 recaptcha.net udp
GB 142.250.200.3:443 recaptcha.net tcp
GB 142.250.200.3:443 recaptcha.net udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.204.74:443 content-autofill.googleapis.com tcp
US 216.239.34.36:443 region1.google-analytics.com udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
DE 172.217.16.131:443 beacons.gcp.gvt2.com tcp
DE 172.217.16.131:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 216.58.204.74:443 content-autofill.googleapis.com udp
DE 172.217.16.131:443 beacons.gcp.gvt2.com udp
DE 172.217.16.131:443 beacons.gcp.gvt2.com udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 22:07

Reported

2024-02-22 22:29

Platform

win10v2004-20240221-en

Max time kernel

443s

Max time network

1168s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.msg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.msg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-22 22:07

Reported

2024-02-22 22:29

Platform

win7-20240221-en

Max time kernel

840s

Max time network

843s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.png"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.png"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-22 22:07

Reported

2024-02-22 22:29

Platform

win10v2004-20240221-en

Max time kernel

446s

Max time network

1165s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Proforma fatura.png"

Network

Files

N/A