hxxp:// | Triage

Analysis

max time kernel
1074s
max time network
1373s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 12:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2800	3020	CLVIEW.EXE	52

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e00000000020000000000106600000001000020000000de1cf0cf87474d4ea245a2525bb094313459d75ab7948cd316cb3c8ff0c24921000000000e80000000020000200000007f0296237f7884ed77fdbe4a4ab297b9e94e04e27951fb71b866f2bddcf5a3d4200000000091e397dbf424b4f8c386d15bd2fc43329fd2531f76a60c97d0e491ba3c190140000000873b12b7148a0849517ed3f6a5f75ee340af0a37def3b4556e5c2b19a92ef599217dcce4b19486f67731e3790fa53ade5e6a95e021151a1685485fdd6ade5e57	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e000000000200000000001066000000010000200000006ec067dd46cad2ca0849865b957e774a566c10fa577f996f6153b0517a49c5bc000000000e800000000200002000000039737eff4a64a6db5c26ef539a7ed05a3a5c51e64b31fe8f673250c8cf45895490000000ba2a1a84e4a2d128f31a73eb75a19ddb55ca2771c0d3a30b18239ceece4bdd98663ae056e9ee919d6a08c2ad623c9c2eb20672017ccd9f80fd79f6f2b1b5631ca03d8c106ab2f4e9ec18abc5bd57887d93c490f30bb056a533f75b262121a629ece9480b1e9f387306a66acdf02f8763bd65eee1dfb2376ca9ffcea1662cb4a2e7cff0a7985b7a3fd8a032f1c1dab8c2400000008a24cc5f16072fd73f0683b54b189924b177ca03b132f6e5b00f175ae35adb7b13cd9d0e129e1385e5c547c8de815c8390fd1ea6d85ca0c0976917071fd97cf4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87D81F21-EB6B-11EE-9D31-EA483E0BCDAF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c2db5c787fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
2248	EXCEL.EXE
2196	EXCEL.EXE
2852	WINWORD.EXE
2312	WINWORD.EXE
1412	WINWORD.EXE
2940	WINWORD.EXE
3020	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
820	chrome.exe
820	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE
Token: SeShutdownPrivilege	2852	WINWORD.EXE
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
844	iexplore.exe
2196	EXCEL.EXE
2196	EXCEL.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
844	iexplore.exe
844	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
2248	EXCEL.EXE
2248	EXCEL.EXE
2248	EXCEL.EXE
2248	EXCEL.EXE
2248	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2312	WINWORD.EXE
2312	WINWORD.EXE
2312	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
2940	WINWORD.EXE
2940	WINWORD.EXE
2940	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
2800	CLVIEW.EXE
2800	CLVIEW.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3064	844	iexplore.exe	28
PID 844 wrote to memory of 3064	844	iexplore.exe	28
PID 844 wrote to memory of 3064	844	iexplore.exe	28
PID 844 wrote to memory of 3064	844	iexplore.exe	28
PID 2852 wrote to memory of 2244	2852	WINWORD.EXE	38
PID 2852 wrote to memory of 2244	2852	WINWORD.EXE	38
PID 2852 wrote to memory of 2244	2852	WINWORD.EXE	38
PID 2852 wrote to memory of 2244	2852	WINWORD.EXE	38
PID 2852 wrote to memory of 852	2852	WINWORD.EXE	39
PID 2852 wrote to memory of 852	2852	WINWORD.EXE	39
PID 2852 wrote to memory of 852	2852	WINWORD.EXE	39
PID 2852 wrote to memory of 852	2852	WINWORD.EXE	39
PID 3020 wrote to memory of 1108	3020	WINWORD.EXE	53
PID 3020 wrote to memory of 1108	3020	WINWORD.EXE	53
PID 3020 wrote to memory of 1108	3020	WINWORD.EXE	53
PID 3020 wrote to memory of 1108	3020	WINWORD.EXE	53
PID 820 wrote to memory of 988	820	chrome.exe	55
PID 820 wrote to memory of 988	820	chrome.exe	55
PID 820 wrote to memory of 988	820	chrome.exe	55
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 1748	820	chrome.exe	57
PID 820 wrote to memory of 280	820	chrome.exe	58
PID 820 wrote to memory of 280	820	chrome.exe	58
PID 820 wrote to memory of 280	820	chrome.exe	58
PID 820 wrote to memory of 2916	820	chrome.exe	59
PID 820 wrote to memory of 2916	820	chrome.exe	59
PID 820 wrote to memory of 2916	820	chrome.exe	59

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2244
- C:\Windows\SysWOW64\rmactivate.exe
  "C:\Windows\SysWOW64\rmactivate.exe"
  2⤵
  PID:852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x17c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1704

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Hi test.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Hi test.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\LockUse.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\DebugCheckpoint.rtf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE" "WINWORD" "Microsoft Word"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of SetWindowsHookEx
  PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5519758,0x7fef5519768,0x7fef5519778
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:2
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:8
  2⤵
  PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:2
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2984 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1248,i,17460827582163205041,15370086428130091540,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2244
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f577688,0x13f577698,0x13f5776a8
    3⤵
    PID:2756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D

Filesize
521B

MD5
2566629fefaaa5321465595bf2ab730c

SHA1
03242c0592224e8a47f65a844c8e44ee4981c0fc

SHA256
1d9ee082745c4577a90f191c9f4e2aede0bdb6212254852bbbb56ebbd62ef81b

SHA512
a900385cc282dfe3c4419d316249b687b6d2db49488fdb4efa65ff27b0f8a3755f5b47d7bfa249b8db5ff9cb6d3c3bb93ecdbd477d1c4bf359b5be7c5c4556ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
530B

MD5
5e275db761aa5a23ac651af8f6c4a000

SHA1
583fe93323b8fee3be1469f2d1bfc16a091ebc70

SHA256
3b9b2f75b724fe5354d24a0ef729b8a2aaa8a9313166eafb1f73b07cf1a745ef

SHA512
892fd01ee561591cee4d00ae4cd3cc91a07587c097d6969f8392af87582f93c259c52dae17d161e22ba12bf47b0d4d9953cddcb7df91a4a0e4de1a9873c936ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D

Filesize
220B

MD5
c127f6a2e35baeaf5cace872f2743227

SHA1
7d8d78961c86cfc0e11859e16a0f4825f57bef53

SHA256
899020127cb0601c8a6490e0b4768c4442637838e2d8362c565f72d25b29d1a7

SHA512
eff2c1970b14c6a59af701151e89c166fb085c9db50aefde4b46c42ea921239f14a0e74bce97952f0b92ea6dcc6626c25b07e734817e1e9908b19378ac6fbe3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7cf80238bd8c3e47115c6e286979602

SHA1
c6cda16b895c3eba50c82e885ddc49155d386691

SHA256
17d462a4562ca29521ecda6d25e4f0ab3d9edb6a9ae5322b760cdf2ac31faf86

SHA512
43f6175184aedc2f02b9503c441c54f071328eba68b9f99f44bfb9dbaadb9158aa95017283cb84c5376b1937e96accce652c7206cdc8008148c7309bb1e499c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57c5519d14a75d31eaa597b366b991d3

SHA1
7139d6816f8cdd6c51007a409e41f39918fa425e

SHA256
0bd36204f8b8d7c08496714dd6b60d6fa3e77e43fef5a360cfe226568f2ace13

SHA512
c9c26ff87ce438f1cc1608c355cb9cc96867490ac99ee57391808146266a9109c62f070d1565acb7771c491f1fc8fd24a2c42fabc03dc6c73208822b485c7a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccc3f6f546411e86ba2c80b125f47a62

SHA1
c18cdb47333fc84d7774bcfa11315a3be683691c

SHA256
c0e7951fd937dd9bef33cf469516c6b535305d3550e8976980bf244aad27439d

SHA512
db7ed15657143c1ee1cb059ec1886b2d9200e6603f662f474e1c77faa5cce0a2b9492f119167e0c42c57c80ae7d56b681bc0a67c14d847df3a7d01e2ac31a727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
930e2957a4cdefd4690205c776c29cc1

SHA1
a291e1f5881bfd30de8c51b18906d9a7f7c22d12

SHA256
4629db342df4de2a59e7718e02bd47ff89b5f3ab44533a4036a81dc5396303fe

SHA512
94cc0490b486f00dd4cfb128fd3cbee4952a646c3872f81f77196a3c3d008caee721663b6972d9e79bc59b19d153829ca4c7fc0189f02ed7c91945ba8a695c1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63e9ec1afe3e5bb8c2e2904a1382c14c

SHA1
d23a5fa514d4735cd7e0a24f9ebbbc213f32b7f9

SHA256
40257c39be7e37b650c699f48f23c205cba9976b8ac53b5612ec8a477f5e8441

SHA512
bb34de8170224e2b789d720321d05ba349fe1cca80ba86feb18ea4c34af591c99052815adba25f57297180b62a82a1f0b13e60c7e695233dc8e4b1106a70b956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
364d23522d93492afba9afd739f38985

SHA1
3177b978e94d77377865848a421b89d29ad2e56e

SHA256
c1eb55da31e9f957a6d358b5c6ef9ba153225d19a7c553103c13e927e49cf19c

SHA512
c33835f904357d682e379f2bb7b3e4e0f67d2eb1ea0fbd2451f5d89633bf1c3ca475351e7984dd6a5471a81f129211b1fdd0b7d2be0da642cd27efc5005a85e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d531bbb1c700a04f8dcc6f67872e4d4

SHA1
332d352e9f36e7968e9818c59adc8842142097e5

SHA256
34307f6b74a4fa031d4e3b8919cca157268b80262a4be710cffc6f971d6190a0

SHA512
910885d9a5e7b6332bc0aa52381e17ed6bc1d9f2e8e3d22eccaf73cf84adf8bbbc2ff16d5594b972d9c94b2de888ef04cb91720e7436efb1e395010b57f84513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e1b120c492aecd11b3c04de0538157f

SHA1
06eaf93c6dffb5240a6e0fa89c5fba21397828c3

SHA256
3d430bc0098d1bd9e0b56864b749d009d8838430711ba2560f7c600c680d0425

SHA512
45a18b3f32f39118b167185618e7ce7f668394f7d73de3ca1c3279e742bfde3772c1eaa3356eccaf8b5388b0f2c262640a434e3c0d20b82373d8f58d174f14a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d062228fc6d258cfbad5e9b9ea40dfa

SHA1
e5b1b611dcdefc80385a5fd3174daad2bdf0a167

SHA256
729a43b8af098e0d7a5ca067443263be695869c36bec7fa1be53b0ed90da03fe

SHA512
aef088d1e2a37c72d2c41d572ab84470e2a50eb7c389283fe13fbba2e2fe67dd11720d188a58212cfcb88ea686ac26d2183319e7bfbdeb6b24e02c97f64c51dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
985c617edcac4308672e2045b4dba34f

SHA1
c66e55047a10b26c97b541521333b88726e7eeee

SHA256
57062fea048befc63ecdedb7b1f3012da4a843888ab8fe2fdc87fb89bdbe6026

SHA512
2d35896ddef2852987512e3326448d23037e1d5ddd0d03fa833a5157777283f3f607acdb0c1b95dc6910c7fc4d045e74519ed8bf97133f916a51c7ff81873407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d88050fc81f0dda6e0083f1dae7fb305

SHA1
6636ed0d5dce68d835223193a589b71d34ede636

SHA256
1895ebc962b89bfc23c2e70a69198a08a9702c612c63928d0051b8a786f98ed3

SHA512
396001b4711c5633787c6241859e3d95e43af7a3ef276e0d2dae7d7cf2e5c60d5ed66293272a6a438093128f0197e2a1104619dbfe41a92c20dc227089d4b6ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
222B

MD5
54ff057d4456930856693713385b2fe4

SHA1
2db958b36ad7bf99caadf1477be971a77fae6343

SHA256
ed5fbad1a9349db123a4abf238c418762f596e7bebe018ab57718afb6611430e

SHA512
99ccb806efcbf0fb9810ad2b822763d3e4642faed5c5ec432e4a8e8c4d435494d10796961f36862b1f51edd8080079753cf8d57781d1b9581a023a512e469f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
86506462df0950cd1ef981ad45b0bfc6

SHA1
038f301050f1d90ea3394ee62be95966a0feaec3

SHA256
cc6a97cd28ec653feaf355cebece9cbb0394443c9eaea6b0ac66b434728aebd8

SHA512
ef6a84402e0bf36cd35e0ae99e8b5310b918e4e67a501ec0f0bc726b4c6ee33c6bf0a037046229f35c2490df979b2ffab401e1aa12428dbfe2c4fc25d925e1f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
db312991369bf0b520479ce8bd4e739f

SHA1
87a73fb6f2ac22cf8e1e33582efa4e758ee032ef

SHA256
d5b54abb6267ceea429722e8b24bec9c30c757dc82649a60d3f4763c30a4756b

SHA512
b26d1c296730d0d3615f7c131a250d0499f94541957d2ed1d1046ea43579ae671667eee5081ffd6915bf15012675638f6209f4a680fe531b9315536cd61b101c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5768ad46e45c9c055f45013674fde2bb

SHA1
3a6a8c2f67598f957c9cfe23bc4319b8dd9c21e7

SHA256
d1d92e623771a29b3098fbff107e72251130f94c2bb27bc3159d7675b0acb7d9

SHA512
cf4ac913ca78d178100a06f5a66b7eb70b39901a3bfab3eba1726cbbffc68edc31a6a8a22c5db99b9c46ba8096e030f0195e48bc497354391d5706ffdbe5c796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
829B

MD5
b2ce3b90860cdbb2ecb0d1799a4568d1

SHA1
f815616c863ebf6cb8bdca161efe10e84cb31931

SHA256
b892406bb0a31799d56e628a25a8cfab2f03794a93d49ac22a1d8d34be5cbca5

SHA512
86a2ebb3ac726444754ac1bcb1a858e4637b460adbdfe97c2706d24be7aa27478ecf750eebe0374e7b3cc4ef0d45a9cd4adc42f1bf66df27efc82b80e7648827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
da8bb88d424f33fb1d67c219a689090a

SHA1
32946c502cf66c6af87222e085d353cad699963f

SHA256
ee42ac0a86dc83318512aca2171ca6c63f3fcf39d689269ac41e3dbd4eff8140

SHA512
11a12997d6d0ad5a82d9a7b5e5450ecdc9c6cc10273087aefddd5060335f1a58db13e25059cda8ab3789a7e472249dad2dbbc6c17e236e6a20f5389de34b6f28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
628d6478a50774bf62e6c836f7fa06ac

SHA1
33ff6c6f41740f6c6e966d83403a7d59394e796c

SHA256
22a4f0376ba68905a4e4b139d8a66bfac1c66ad927daf653b324c7d550d82237

SHA512
6f0ff5a00ed75ac6f7e71ddfb3dc750c7ef97498d7109e16bcaf83eff48a231fe7951f062ba6af9af7a452a85e18a91acbcc5779fd45c3a5669252c16475693c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm

Filesize
25KB

MD5
440aeac83d43ec7d6b1b4c3d5afcff1c

SHA1
5d3ff2751ef3d29aaab4cd80e443138f9ce19257

SHA256
8acc9298ed84c07a73bb14d8c94c7c3b79d90c57dc9842f22fd0c8c7fb7c6fa2

SHA512
d47114b213cceb843ce81bd1867e41534733a4362108d8f17581d83ce275fb0a09ad319fa333eb87fd8bb7fe268bfc9f2f67f18dd287b7d9fade91037f03951a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AF2BB19-2850-460E-8664-605D5AF867F0}.tmp

Filesize
1024B

MD5
5d4d94ee7e06bbb0af9584119797b23a

SHA1
dbb111419c704f116efa8e72471dd83e86e49677

SHA256
4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

SHA512
95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\BROWSE0.WINWORD.xml

Filesize
11KB

MD5
bc5242c91400826977d72f4a3f2a8949

SHA1
d573ba3d9176c8d3848bd81d44d15db42cdf6e59

SHA256
f65218b485fca5636dbb6b6ef5e1eca4c7ee7080de7730539d36791c451e7aac

SHA512
6a26599451d4f50ec60b00298f1c2d5266ee36a019fb02eec37569148191bd268d517f34d994133566648f930dbaeb3213f33588afb007726a71365aa7d041b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\ClientViewerSettings.xml

Filesize
7KB

MD5
88fbdbf0b8ed30038abb141e26ad42b6

SHA1
e867446eeef83f11ec0b9c3fee7499442923d9a3

SHA256
63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68

SHA512
e3924be97958268b1ed49e396965b901121ac4c1c04e8fbc209517b00c9f2de386c821703e31a7d85383055f381a0191a59f0aad159b94e5071a81325eb4d25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\cvglobal.xsl

Filesize
1KB

MD5
048efa38358f297327024f7f90928ee5

SHA1
7e0a2c3105f0ddc01479151e416ca0873c00fee0

SHA256
9004e1b028764e0e482fb273c16649d3282be74e9212e6332be10b294eca3312

SHA512
a8fc4ca631c5f70427decdfd47576fbcfc5f47fe5230eca68ad85df2057d8667593885912c46d8484f1e5afbe405e67f339d3b94d8a8400d045de83be5b44571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\cvglobalstrings.xml

Filesize
6KB

MD5
3548b520874395a9cbce22d15e9068d8

SHA1
8c41b481f96d12ccdf9e20fb4049ca9efd60ca19

SHA256
31f2fa759ed6862569f7c68aed874053ebcfb4e27c74476a0fd3aa1e3af818d6

SHA512
f9b10d94a163d8e8f21b264c640498720e8ddc4323de59e00dd0d2bac8f549182a7a5fe4951ebd2c5d3eedba84788aa111ff6c3906357b060860795951596a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\script.js

Filesize
2KB

MD5
e72eebc1eb449513d28447f352406330

SHA1
058cdd329da5ca2d9d583f0f892260932a026c05

SHA256
e78f14923030e2e817fab024e72482d72aa14f3dcaef66f3a2c6825d6a29b305

SHA512
c219af4b6dc166aecef727f2de78b34485a2331c409fc99c70077c1796b3b0fc1d6797e79f5e8be615371a969f279c4859dde6d7d701ec586aecc6d4e627150f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOHC535.tmp\toc.xsl

Filesize
6KB

MD5
26de67342be3c52d20d0c152fae1f843

SHA1
15536c7bf9cc5763253893d9ba2025ebb7c1eb19

SHA256
5e65cb6e32a25b91b80b19317d93d76ce5222b565f8f495a01149e82a90beef7

SHA512
22a1e0006070283ab132bd4c7ee953db86eb1d803589fdda1a44367e495e21912ace0cc22657487e9d11e7b1428a398072bf19bfa0ca4a15d16ed1a490066557

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6A98.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B3B.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\keyfile3.drm

Filesize
4KB

MD5
2d6182813a23841713a5eb4c28bdef7b

SHA1
44610bc33e1ccc591fbf21236eff36122bc9f807

SHA256
62f14e6da682e010a9b23f1a9d5759c6c440ad52500b98d753b76e8b2ee97ed0

SHA512
c1d92b090c784320952fc422993c3e98114a5225b74d587d0aefb0cf3ac6e3d5904a7b5508e35a8234fdfff030bca764b373eb5819923b6d17d621db327751eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
5cb560a812dab5ac4ead7bfe4edfb223

SHA1
428b8431338f04c0311d04e69d01da05d75b8dfe

SHA256
59bb29bf1aeb1d579cfe255bf13848552d117eeeed4bb18e0961c4743f35dfff

SHA512
be70a18494555547a9091b513993090f822d8be6360e43d930d5e62b0b377c4b902ebd5b244f71bf7a6882497844b31a28a3e043b02b698c64b1d8bfa2623ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Hi test.docx.LNK

Filesize
987B

MD5
65e933283de8f80f7ba130e2c1a2d066

SHA1
a69e83380c2c982ea17518b4e301baf51508971c

SHA256
f26fa7ad79634fbf15ce14e71543eec622370ed038e560614be7bc9017bba03b

SHA512
4f765f55fff88a19901c8f145384c3c5d0b9ad8ef93903b67e000a163edb7c4c069db1956708f84cd1cba7e5c0e1c57e9722dee3db6c103648f8aaf1002729c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\UnblockPublish.xlt.LNK

Filesize
1005B

MD5
b14821b978c99b9d46ff737f05fe3ce9

SHA1
38ab874a59a8e9e6531e5948f52e35f24f359bdb

SHA256
d922f63fa7feecc31cf458307298d8423f872f306df4070a9b30005264640fd9

SHA512
ac0341711cdae3f539993be89b988af4cb328a01fc3780980fad6f4f05fa09309feaf8637efc5c6e5556d18c2cc78fceeac0efee431abaed4d23a6adeb9ec61b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
100B

MD5
57f80f4caf11026cf10c0a2299de719c

SHA1
8c7f672f8408af9e130e022d05ef54a5b35be6e8

SHA256
0d496e2122009bd8223acbfaa04f47ecf411e4b604a66b0211e9f5da0ce0a890

SHA512
2a9cc3d33a892134d18291036751585d245b4d46e0200445b3208c7ed4740f51a783ed1eaefbab26b0e6d9f3ab1ac24df21482a1eb9011f6528dc45c5a2e77e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
117B

MD5
ca25759304a11e93f23a4eac1cc9dff6

SHA1
b2657beed16269c18e26f3859f29bdad7d7b0bd7

SHA256
ab0b1732b7472701adc82349334ff129e0028c2c0d7d8ebd60bcafd041c87d5a

SHA512
78040d04df1ef3f7823b5ac6a388d5d6ceb9e58981c099a8c4161ba3efcfebc3c2494bb50bf7adeb3c64a4de7026a0f737cb4ba21d1df323ec8fb7bac1c80266

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
165B

MD5
44f93ac2763f5e1061987e81f8eb3774

SHA1
d08d4c6423051ba5d943888ba189a262f899d073

SHA256
b14cb4f858467467e986ad3e791af4b438064a8993e974e531388c9d471439f3

SHA512
90a2e2431ae477ad113dbf6978da09a5967e76c7d1ee8653393da1c980850ca5d4ca90a2ab88ed4da487019843ea8b0e430ee1525ca81a31c513208818debe22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
182B

MD5
e06dfefc49f2f1db89fa283fb1c6a62e

SHA1
6cd324b929945eb33b1c967c7c29b7b156b9cf52

SHA256
0027baff2e3a15a2c1048aa818106f5603e368ba4f005c834db2494c6dc21dc4

SHA512
ce27a8161bb4893759ec4161861ee443eda73907f563e0eef005214e40f4dc113e8cfbd63fe356ad72842b6f88b051e42dce4eba7e01f1d63d02863a36f4d9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
236B

MD5
e230018aacd47fb34ceb1243ea569b48

SHA1
b79777db47d8c6f83780e02bab6a8e2585b0f673

SHA256
4543097843fd593aa8d8f645d7943087fad9ca743cb598adc875235a397a8f1c

SHA512
497b0558ceb91f9f13a542dbc366cd2e619cfc4c42d55fee2e735c600c50aa446edc6b589151658916fa4ed7e8d521a738a05df09b3607d56a9b748c37920795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a50bd536e324690b735fd3334562af31

SHA1
ce689ee494fd96511c20f9631ce8ea136d23c5e7

SHA256
8bacf6f8bb7bf46d705b4c6d0e2e0d654b997d5de203affd36002fa7dac618fc

SHA512
47a4bec74e5260eb6f95375b8eac36c8fed5632b33f65749711a30f35c0c931d0e1d800c441ea61f72a0e5f495e9e312f7d25b40186dfbb1698dfdfb09727c79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Hi test.docx

Filesize
13KB

MD5
f60c9b31568cfae186343e4d5b7dfbf6

SHA1
f7565135617d092fd743a1c576d8fe7713edfd9b

SHA256
47b4a6336666f318e800241c5b802b18603d4b523c9cb576ac99fefe27bcdead

SHA512
d79e514d169ad3fef974ee96aef5bd52294f284c206e51fd816332df671d660c8af1a3685c7b0a8e28edb1051cd997a5d64f5be2b2fea750c6f1d242b6c4f72d

Download Submit
C:\Users\Admin\Downloads\~WRD0003.tmp

Filesize
402KB

MD5
d83fd6bed1baffdab3f986a46d1f6c26

SHA1
8666b9a0fb894c8904c576e36cf5e9b364e5717e

SHA256
bef6d6afbdd1667830e02cd0bb2b876563d4c3257b90ec80b4fda3a2b65d8ee4

SHA512
982b1f8b5d9f925dcb6e22031c828ea0e8d1f294fbcbd0110d81cd6098a1501671fdd3e4d5986e1a220a10c1ffd431f3797de2fedefb3660ee012b24ca23f31a

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
memory/852-545-0x0000000000300000-0x0000000000351000-memory.dmp

Filesize
324KB

Download
memory/852-561-0x0000000000300000-0x0000000000351000-memory.dmp

Filesize
324KB

Download
memory/1412-691-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/1412-663-0x000000002FA01000-0x000000002FA02000-memory.dmp

Filesize
4KB

Download
memory/1412-665-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/2196-523-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/2196-506-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2196-525-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2196-521-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2196-507-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2248-499-0x0000000071E8D000-0x0000000071E98000-memory.dmp

Filesize
44KB

Download
memory/2248-503-0x00000000089B0000-0x00000000089B2000-memory.dmp

Filesize
8KB

Download
memory/2248-504-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2248-505-0x0000000071E8D000-0x0000000071E98000-memory.dmp

Filesize
44KB

Download
memory/2248-502-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/2248-325-0x0000000071E8D000-0x0000000071E98000-memory.dmp

Filesize
44KB

Download
memory/2248-304-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2312-650-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2312-662-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2312-648-0x000000002F021000-0x000000002F022000-memory.dmp

Filesize
4KB

Download
memory/2800-931-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2852-528-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/2852-579-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2852-527-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2852-526-0x000000002F1D1000-0x000000002F1D2000-memory.dmp

Filesize
4KB

Download
memory/2852-580-0x000000006EA90000-0x000000006EAFB000-memory.dmp

Filesize
428KB

Download
memory/2852-543-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/2852-647-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/2852-595-0x0000000007BD0000-0x0000000007BD2000-memory.dmp

Filesize
8KB

Download
memory/2852-563-0x000000006EA90000-0x000000006EAFB000-memory.dmp

Filesize
428KB

Download
memory/2940-707-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2940-694-0x000000007322D000-0x0000000073238000-memory.dmp

Filesize
44KB

Download
memory/2940-692-0x000000002F8D1000-0x000000002F8D2000-memory.dmp

Filesize
4KB

Download
memory/3020-727-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/3020-710-0x0000000070C0D000-0x0000000070C18000-memory.dmp

Filesize
44KB

Download
memory/3020-708-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

Filesize
4KB

Download
memory/3020-731-0x000000006EB60000-0x000000006EBCB000-memory.dmp

Filesize
428KB

Download
memory/3020-743-0x000000006EB60000-0x000000006EBCB000-memory.dmp

Filesize
428KB

Download