fc260b75f4ffa9a518ce83cf660b77644655fadce2c2e8645f7ed8f5d84f5eb0

Analysis

max time kernel
97s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVITATION TO BID Fremco Blowing Machines, Inc . . .-- Project No. 21-1161L 1912.eml
Size

363KB
MD5

f5828e83032081806c349b87636df561
SHA1

2d71645395bef15772bb244c6e3d7d0392bfc190
SHA256

fc260b75f4ffa9a518ce83cf660b77644655fadce2c2e8645f7ed8f5d84f5eb0
SHA512

a3bb98dce7010f82d19832f8c7abdddac7ebbf339a556d3963fa97d0b2d6683844a0b0eb5b962ab20758594be80d98643a95760426a4fec467313451a9658705
SSDEEP

6144:I5hKDCMRR1US/8x3I+7nEUqkfR7k9TDgmTK3/HD31/z:I54DCuUW+LE+A9TDIj31/z

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000002748df44fe7b61ae722ebb366b4e2a0a7e72421a8c8efb3ed25d4254dc5ac672000000000e800000000200002000000072c56db7df34d23e9aa121546e43af93265242b10f78e3cefbe51792cdfa9e2c20000000bff96259fd7fbdc999656d2d3f0e9287b5c17c631c8e08ab775bffc1520ddf5c40000000ae35542f34ce338fe964aa16cdd1c4fe79f11cbf0bfd8bd79c557ea98b08e70eaf42814ee55597e7482e5c1f22a2b7d1f6c7395b62f7d104f44e086d53dfe282	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50561344b895da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000654bd9ce10637a144619cbb330a7f903874df364d53632721d27ec45e09f87d0000000000e800000000200002000000079f446038ba6dfb55dba76eba2a3cdb14ea38786aef9a159c395faefc3d75d9090000000ebd3a603e1dd795ef191188e9e966541bd5a01431e230b8786da99cc5c9f03b9daeea2677b22273b1ad0c081bd370d8e705dce6b6b57d22121d5329604f7e7e5eb5a746f121f3d7b1da00c523bea47c56b09c4cce103b612ee3a39eaa456c307786ad74e02f007bcff2c4046dd06d4cfb8f1470df6be74c813d1ac4f794721cfbb05b28a1f993f5c461588cd15aa8d814000000037b745cd23f08569008fc7cab61935bfac41f2a3f52d407b7879f65ee027d18eb30a00d107cb12004202b3c8c998be2de43c874bcbdb6b28bc01a941f663cf2a	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AC39A31-01AB-11EF-9C59-EAAAC4CFEF2E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ = "_FormRegionStartup"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ = "_FormRegion"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ = "Actions"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ = "_OlkTextBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ = "AccountsEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\ = "_Row"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ = "_OlkTimeZoneControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ = "Action"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ = "InspectorsEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1100	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1100	OUTLOOK.EXE
3028	iexplore.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
1100	OUTLOOK.EXE
3028	iexplore.exe
3028	iexplore.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1100	OUTLOOK.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3028	1100	OUTLOOK.EXE	33
PID 1100 wrote to memory of 3028	1100	OUTLOOK.EXE	33
PID 1100 wrote to memory of 3028	1100	OUTLOOK.EXE	33
PID 1100 wrote to memory of 3028	1100	OUTLOOK.EXE	33
PID 3028 wrote to memory of 1932	3028	iexplore.exe	34
PID 3028 wrote to memory of 1932	3028	iexplore.exe	34
PID 3028 wrote to memory of 1932	3028	iexplore.exe	34
PID 3028 wrote to memory of 1932	3028	iexplore.exe	34
PID 2820 wrote to memory of 1716	2820	chrome.exe	37
PID 2820 wrote to memory of 1716	2820	chrome.exe	37
PID 2820 wrote to memory of 1716	2820	chrome.exe	37
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2540	2820	chrome.exe	39
PID 2820 wrote to memory of 2568	2820	chrome.exe	40
PID 2820 wrote to memory of 2568	2820	chrome.exe	40
PID 2820 wrote to memory of 2568	2820	chrome.exe	40
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41
PID 2820 wrote to memory of 2504	2820	chrome.exe	41

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\INVITATION TO BID Fremco Blowing Machines, Inc . . .-- Project No. 21-1161L 1912.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://protect2.fireeye.com/v1/url?k=31323334-501cfaeb-3132012d-454455535732-c01a926308fd6b1d&q=1&e=85f24f0f-a7d4-4428-957b-d04f335c1b97&u=https%3A%2F%2Fnetorgft10035191-my.sharepoint.com%2F%3Af%3A%2Fg%2Fpersonal%2Flaurie_circularcolorado_org%2FErLzIgi948VJqi23n29mh3sBs598OBuliCZDnRgceq3yrw%3Fe%3DNOvNae
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62d9758,0x7fef62d9768,0x7fef62d9778
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:2
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1596 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:2
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1504 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1404 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3316 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3668 --field-trial-handle=1396,i,5716262993472415721,16572497523732691965,131072 /prefetch:1
  2⤵
  PID:1604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
88e02173658da1b28384047f7e788846

SHA1
c9ff5e459f217b20022fdec652ec9b9977709753

SHA256
b6318633b9cab24e8c4ca242b8ffd22e7b0c53d8b07a51f900d05a6ce3655274

SHA512
8589e294cf0d7dce48fc8a10f0965d296952af480f209aac78e1025d5558dc5fc29a7d4cf36f01f3381144267b640240e95a849e268ea40fab57076cb8a2d53a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
eaa955ce331a5c9e4d3c6cb268dc6470

SHA1
17da8d1ac6bd99eb0839c6a04b73f243d9533827

SHA256
4d6e5370272f8847b2060c93ee262503f285b6559f6b53ad60c614dd07d6abf1

SHA512
955595279156cae14ca08bc15c3316d97ac4ffbe652d2177c1a41f52e5bd32debe82df34c29d054d41ca815d708a6392ac5903b1b1f36128af95d626279395fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
bed2445a31fa5e4f6ddf1bd2236ad016

SHA1
7560f0b0af99022267f54f393510ce562a509306

SHA256
4d903c6c29aaa5f14451b6ada3e7d3549914f824f33b25c43a99eecf11a86377

SHA512
2d637211b5f296ce72dfe24215fa4e7408838863f952c2737cc4580bac5dc23c23b76e1411058353c440c4a122d93d455b45ce16611d2a128cc6fa59727466f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f7a5faa57c5fde37acfe750db4eed86

SHA1
115f174d0e7b2afe297bb9213e1f4ccda4205294

SHA256
9e0a254f7c6402b3ac30b1b599fc0ab73f47afff56a80962959b94d35dedf1a5

SHA512
a11ee57caf641c2d15dcd0ab3e5fea8c9b3df7c29811d54e5a20e49b288f379ad9fc8874a0759f6263f114dfbe1bb07f045c13d314ca5f628d651a69cfa0e7db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18ad9f7af449a35e88254f220763672b

SHA1
e312a64c97721d2a2a73cada67dc2e2b306e80f6

SHA256
3607cfbfee592035ee87eac1cdf85721c33dfc3ed9694c4bffdbcc958290fa1e

SHA512
0dfd9fcd3b04b29120be70dc870652c2ecd4296706132a5382f148c79f3798a0ca062f008fd416c53c792a78aa5613154a9f3a499b87e9899ab0d96b596d4ed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67c1b495e3608867939eaa3cfc62bf12

SHA1
ec705f9fc26b92d460a7e88310e9ea17ee057140

SHA256
716c96bd91e981c3557e5cc69127694baa2bb22bb5edecfc2902c70f292be57f

SHA512
2f9b8e8c1a99f9a90e843b20ef5fbfe46f279b1ed344a36d7154be96cb2ccc6c976e4342e65019dff4ff2be8e9936ec77c65303fd2367318c70ca3e775109807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf9ec03bc58b843759e8d7088e3f81fc

SHA1
4062af5d6d05a6e68373bae838170055f0fab29a

SHA256
d360f79fb827912c1395f8eff10ab1f1d3ff9ec0afec16977aba6a9df9949d66

SHA512
31e6b836c51d484f9f45c3b041fa14f4e6a5ba8c93635efa91a970c5a30325c0dd630e018a5aa3732b5971b117f6a6fa336b5a68d591ceeb03747d65d4e8b9dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
718717eba1049c74da1c7357d0500b32

SHA1
0974eac6070d4cc2996b12d56e84f654e9f37374

SHA256
1fa1b36655659735da105ae5350af6c22a7b6f0357c0082f05f2a75f7408866d

SHA512
021b1ad5aa28ee45f70ecfc98e675a49697668d15c48ea60ed685760da1634ce2b8622ac4e8791912269d9b53315af33b4645a98baab20e7c2026480cad54cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52eaae8e339f8339b76abfed774f2bf2

SHA1
83872830e60d6d66d678368698bf241303c05bb0

SHA256
5df035e1c5a9b88cec733d26beaa8b6fae31bcee4de5d283b3061621836be05f

SHA512
5993d04a084c11405183b61e951122e72b48f314f01ca6f3fc4f37f6a7872c7021dd7f02af8b7831a47451bb478343371299ed531de78f44f71d8e3a9ae95336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0147c4686a01bc6f045d0709ccd68cc

SHA1
c9b9602715e673859b90d1304166b50b086ef3b5

SHA256
52db5d4c96084e153e63a795ab0151ebe1fcc2513cf36abf261297fc94371418

SHA512
fc3f81af6770e6f0907102606e49d66a638257eb48f2218dba790f0c78c95aeb041d12662f01bec6d863a827d8a44d5cf5c1ab796c23c339f952f31ad66b02c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf0197987284b758cbdd31bdcc595475

SHA1
d817402dc22a46a52d53b0c9b741dcfd304b84b6

SHA256
35e1df0384478d87c44786b33f2742ff2d0f720e2eacd0e54d2beb29379ceae1

SHA512
281e4c3f8316dc867e15e92ef5c33f12ca622b8d1b5bdab9f3a3773016db538995917cd77047c21e9ca4c462544abb271ab596f99c01127912981aaac8a83cf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfca16f2f2a1d4dc62fb9533d4af5647

SHA1
bc67fec039710dbb525c4ca5d01cfe41e3a57a54

SHA256
821575064908d8b9487171f1844207a51913d54268924cf24655c958a6b42aa0

SHA512
85946f16dff6ebc65cd237be1352e26b326af19004b5ce8818588a2bb14088582d5394beb38591675bdeb3759ec2adaa489d72c6a926a04ab7feff51762b572c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc963cf31d054c6c1f8f46084ae6ff97

SHA1
cb38079cba615b110b0103dc5778ede5361ac8fd

SHA256
369231bbb7c242dce1232a24c5547bc45ac52d43c0e6bab43a2bb7faaaeef91b

SHA512
0c587a68d248fdf1c9239a0b52a87ee9f96ce894b78812044a96159eb9f4d01a5c1a7bd598db2f311352ec307a94a350db563771bf4adc5eaca01fb435fc6ab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2abc8c494f28deeb9e96517b3028eb1a

SHA1
7db63a8a51246498621e1874ad8b7248b0353776

SHA256
e097e553dc57b84f832d9279c5bcff6b6366ff4cd3610032cc48e458608eb84f

SHA512
f2cec9ec3d91415114aca891d48821c1e5d0a97428e68bbd387e72e99191641b2ce14c05519975f0fa5aca2455696a9dcb5bb58002e80a88fdcba7f307109cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0a4372ba04c890b529ab829d8ec3694

SHA1
8e2445287ddb2b69c090521153d455b5342884b9

SHA256
85e23a9fcf54d8195c27169e49f7bd84a905a65212595f62b7683850c914cd5d

SHA512
7ca2c0b163f606aa91a80f9ed03343771aba127863014ba67e0f3af02d798908af46b795dc1c39d8c190a51483d73c7e4a73fa176a3b973f1d7c4d2423a7bfb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0edb2abc747f58e60987feb39bfc75bc

SHA1
54c4d767b654e9210d7ff4ed7b7157d422871863

SHA256
e7573cc31ffc2781aee946140907ff0b0144f9ce138c2d59c2f82cfe90dcb68e

SHA512
c7c74adf82401cc30e0c0c839eb224fee94fc587f6c3857a471335f5c9a2c53b71ea73345b27f9a5eb79801ea049a24c4a5995da7aa182c76355ecd2e3d94a46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce4ca3acdffdb008343192b6fc69ad64

SHA1
c1ea1033938641fc0464530aad0031ed50a90c65

SHA256
e960d93ef96a28cd390f1639cdc3556f0dafbc8d5589a56df6c130649103c21e

SHA512
a2fed5c06f54a15d9bcc95d33f14edef64445820799a10441ed303bbc9dabca110e50699d126af9f44e362c55dcc6432a3f94b4be525be92b20feca8bf936659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03e668ba1049656fe24244b0f2529897

SHA1
1261e19f84135b73b5d357350ca3cea855108d2b

SHA256
48257d9f3aacda08572bbde0c866b998498727cbbb8aa467d9bad360898d5413

SHA512
5b720e69d0e9314d740b0ed8d917a2c92c0bd08e85c384c226d987040df78a4b6f2697fd54084ce1df7584a0c0ca92bba5e00b02c5485d2f388b9c289110807c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cd4042af2822be3453d508723d8eb54

SHA1
3ecff376e271ddcdcd02e94a2e653087cfc0aeeb

SHA256
cf2721197f3d97b8b1788b5904269d7bf0e3e0187b74ce07f87024d8f022c730

SHA512
174fc12261aaed1b274719467186236615bda8b98670e75e6a1833e59d006baca1890c75d1c1dbacef50159a8de718afe929050212ceecd4950d8e39f80528fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35bd5a3e4d920da8508003f9716beb40

SHA1
309c654f17b7e2bb966da9838fcffea0a6a64ce5

SHA256
ea9301552742d82f02308ccb02a8b14fa3db088b870bb499565fbade93fd0962

SHA512
60752df4ae6903c32601a4d3e96136d93f49b2a3de75e171156c4ff95ef67777c586ed501b2c32c5348a9d7626defec2261b52fa1016f56ea4edc67fb98b9c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a7a62dd80b73748df409b3d9dd781f4

SHA1
aa0eb8818a9de898cbf6d0f467783948969a1cb5

SHA256
f7f9648d96ffb468226085c4333509f5e0ab01fd28cc6da3b9b241d891a3966d

SHA512
6f257fd06534209dc6f2deda5bb38227275e4718fe0689fea2e6772673de8f0f3047d678fa07afdafef5bac2f2d1718644c523426a65485dff19c2d33c2236f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a86081491a88df8f352d32e8f2a069a

SHA1
5e85a16160a5a72a3d6beb85533fab0d27d6bf70

SHA256
d13f9ca050952fefcb1362d89d2828d7a158301dc0d43f5ea53ffc11e6efd91b

SHA512
8dfaf1a5ea84b2693e2d2bc7e1d057bc00f003e00ab7a73eccbf22459346ffa98ccfbdbcb7f8c23027469a5406ce4f8fbfc0606a9e081dc134478e97330bf2c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35b66867b580e53df77ef6f4ef5066fb

SHA1
88e8a9b47dfe34b0ed1a2e8ebfb18a6dfa705018

SHA256
b78e85d60a8e29153170653cd82b0e45c9d8a44c01081199f8d8c97061417b27

SHA512
4ac333c04f28285fcd0d5822a7012a36f7ba9e0598d02cd2ef19e877913fb08fb169ffacb1cda78a590cec991f041f8a50165f245999067ff463b51afd428f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5acb1022f23145e5d305b6293406ecdd

SHA1
b865a960dcf9b9dc5bdb09ba7fd52cadc69f4566

SHA256
ad2e2ba8fcbd0598b818e6a48cb8284d132b446776ef900fb7e563b1a98429ac

SHA512
77a2293661cbe691a4d399fc8cd52259d8bb046bf640a9debf751bac85f8ffa36b571dc4a08c52e25f2ed70c4ef1cad659ef9e725b32395aea08218416a24b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54d9b22979d387eefb172f009177b0a1

SHA1
a2da4d66268252c09a704d55c741c311bc798ee2

SHA256
f03a35064d1a17ed01424f146ded86b1eb960d6e62c20e1d7ef6ff6d5f05f3e4

SHA512
c0e68b3a9b278d5302dbe6295b5e62ae77e209df07a46c157f25cdf3bac265ab8d30ef785b01d6cee77f9b42f54359fd22fdd2df061cb6bde07209f4df57eab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee6c0df851775a912b24bd5ca7118ed9

SHA1
27f372ebb9647de225a6993ebec6719bee420eae

SHA256
2b1217df77f6c907d070dfff500fb5ce8e3e267f2a63e8778643bad6b3c686ee

SHA512
6fbab8edd0ed646ca7c77d6ef09d380378dbd291f62b892bca5315e02a882571152af1e231788c3523a207417d6960a4db9c387d09396a37273afc221a4b706b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31116fc66efe35ec311a85c6c92cb03d

SHA1
80e647271810d5242961c7444abdd4722796ec59

SHA256
1c7a6f49dbdcf746d1c8c53a0b5638e1c768d108540781d47355c4b6f8b6fb49

SHA512
311e37b9ea370e470d8492884b36ab26cab10e91ca3c5d2e42ddd4509af21de3d9799e801c7759fe100c6e7a7c311daa7752ca888818a680211127ff51d92a74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dcb4ccf339394bd254f9567676b3e3f

SHA1
746cc58901dfe38f853f4b3e0e7f95aea52e474f

SHA256
9544644a04fb0c9b2ddd69b9f13a84cecfa98447803b6188d8cd7947bf326cb8

SHA512
867716a20b1645f46deb9f09a9ff751c21f3dce53a8f718d1dcde062166ac7a26f341817b60a94a5fa16555adb2ae8b5e9cf8bfeec07c493d73715f22fc491e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7675a81f22f192e9951ad93dcd5703a6

SHA1
25fabedcf69bc9472532d469ad5a099890599fee

SHA256
151903275eb5fd705fafe3a5724df7191f10836f78391e2e8e029b248c1ddafe

SHA512
e09446ba2953264573eddfe6cc4cc7fbf6d663a6a23bd330c517c709d0951545574c5720a7305cbf22d8b7e0911d527a1a8ebf1ffb6729919ef6df8bd634c16e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
381a24c619fd4ac4b6bb3d8ae55a94dc

SHA1
63d05a203c1db156ac44e45e9c2a908db4bef3a2

SHA256
7c2f2a3a52e383c884ffdd9df60e0113cb2bb92d8f5b8b428c849d04ef58239f

SHA512
5859d86389e757828dde2a31c4f6a9a095b68f9b84d70404da850a847eccd2ab19e9a029dfe792f37d9e319d9d8411e40d9b0cf0b735397c918f328dd4224917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2da1d2b982f23210ce613b9b3bf8f47

SHA1
7f4a58a2e4d0d3f8dba6d43de298b63d4e3cded4

SHA256
026e0a38cf2b41626182a6a71f1981d979596731b8e5d1649e3d4bb9d55dc44c

SHA512
28ef29cd5ebf9c4beb88a0d6d06b07931484f6da5a159815f6174faec903128d60b8149280f55a30c68974cad25149e3b603c94519916d21d5261adfca6ff1d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca96edf4fb3fb673367ad1102783efcc

SHA1
2282844c788635ed0db350e0db54e9e01a2b329c

SHA256
8565df0530a5d18234a38970a5db2a55a56a7818ff26fa168fc161830215c675

SHA512
e839c290a162b8b172e10c206d229f2759d34a1a31b15ee639959140316fb3bed81198af186d435a214002979d6588300d6d46b4756ea32d80619de92a0262bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9c2c2157983c99f4f6c8f7390175b48

SHA1
6d2d776862b221d1fd1c8c4101c82c326f3540a4

SHA256
7f823e980636e54f2ca7d7d0d79c303e1d9206975cdba5cbff49b09642418858

SHA512
67a38aa0b65ea92de0ff5d400b97865229b5e5eb5f04cf0c8e88ef62ddbfa344051b04e9e7f80ee4d80d942f5af6886a87a43a1278d1b144ab57c41967f52ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5b23c5f00e324d747c9c1c2f0a48096

SHA1
0e21344d4bb3b0f5dc029e2acedb403c486b8196

SHA256
8d064f97fbfacebe3503d2208aa83c9e9d526b1df58c50d8a8ca91c092df50ad

SHA512
ba1793ea89acc14b0eb44188d8c55311522ac161f65b145d0a14c5c2f94ba405e5b16803fd9e5523f94ffbdc0f810ceddab883065da22b57b1b9bb32b7226690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88d4c58c04dd2e9c3179ece23448e4e2

SHA1
58af4a609279738216f743906d371d185c62751c

SHA256
a1921a08698e4bb1e60de43d4dabefafd959402ba7a4c50a5610d839f67239ea

SHA512
cd9a4ccf326a952adffddc0ee227db63a9a27dcacf4bf8736ff45aff74902533bb12f5bc66e577bf9c13345b6fd0fbf091dc9e64f133ff62548428d6020c0e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5de9063bf6a568cdb40e7bc6242a20c7

SHA1
320785f82e816b82da4058f643be7cd435ba9363

SHA256
2524809ea2dc0f27d2058691b65cf24a347e9c6241df4e2de4d7ea7705bd9f76

SHA512
7a2785723b38372bd1ecca3de76ebd486cb8f7602e1c6a7a373d9e6d2a206c168d20ce8d373d1e195d36ac8fd3914d434c9b234be27fac7d2b87e0f9de39f278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32dbbbd216a131fc850804a875a24802

SHA1
87901399b9fab1652b30079040461ad589fca3db

SHA256
e332c67a2d8bb2c237837b72d9b44d7cac1a0cbfcf7593edbd26124babc761f1

SHA512
ab3e50344b54cbeac84a100800dead5f8833341fe7f1fe39a2f3d7c005d6094f05939d88b12cb9aa6778c4c017806db119b87f69d56251d2bd19a114b3497905

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1238489724fe9b775f374595eb58373d

SHA1
87adfbb235e6c1310971f6c53aa5f9d3cbb13552

SHA256
86c3f4d5466fe9b4eaa737fd3dd7b029407958b9adcc3a18ee7c44caa324bbc6

SHA512
a326bd943aa5ec6604f4778735818a516def4cc9786c642c16d19d8b1ec27b81c768b0b15eed0a9f0104e4736e89b2f76b8f29d30965de3e010009e80bd77d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae57784e6664eb58b249112a091d68dc

SHA1
8a5b046b3f9b7b5a478b645a96a2994441bd8f30

SHA256
7746445fd210693c7c129ad5a71bb26caf03258b54b2eeb59024164602c3e78d

SHA512
c2ad45e30a7a1fb2876c34dd1da21f11f9af71498390afb73857b0d39ec67a4f6a2ffbe1ac3d3027daae5744b5e334ca3b6ff3a6147306ab3abe6c071cddef9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69882fa325b4258c9f57160c83720471

SHA1
1d4a12988fb91797459f5c949ab6623a59da67b9

SHA256
17a8f1c831b47fb99bd0759ed85df24f28784f29642c0783c459578e02520913

SHA512
91c3989efd98d14762a9ed4d0ea5d7ac7a5b19075cfafbf227b6f3cb221ac318d4b7abd06f007fe75c7a33da5da4437537a5b54eb036655e66650710ab27e2b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c003f05a90b14e1afab9d5c022d622ec

SHA1
a879a7c2972f217beef36612be2c9c1b1f47ee78

SHA256
05f815452787a8eade2bb68ea59784abbf642aa96f0cb07d1fb43adbab5586bb

SHA512
a9e5c338d2bf7064e6e22ee61f998ab73eb770743c737ddedba40fa51ef39f229872d1d529fdb7fe0c244c9b103db64adefad17264df05e27c23cb15cde1a709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4cea7dc623089c1d505b51d737907fd6

SHA1
dfcafaed4d4141f5f078a7bd77b55fe00d8db830

SHA256
1285faca36e5035a710726c962da534dc21d6c65a1cd26c3433af8574ba5bba8

SHA512
41eb1cbe60703838dcf803a7c318015989a538db4edaa8747f7c63d7fa67b412508c37ee214a8180f12f4ec7a00ffb997788a21d839fdf9d0ab2f0340e97c62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
81b27de10265e5d69dc5affa3ae049e3

SHA1
e9e6542d683a8c8f30af3df8c9f6639404323cca

SHA256
4d4807614ef9ef5dd9971b701fffec358e4b34295a3bd18f6d756b882c53cef2

SHA512
3e3c433681625fbfc0caa1e5f6295dc1f9149c09576788f8df425e7f66f4f7f4b783b86922db5e0d6ae05b2710727b0ffd0a533e0d873a4d6f4ef46eec0eff44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2f2d071ccb087078519c8137fa9fa68f

SHA1
e9e011e65a1fded47fd726dafa544bdea69afa1b

SHA256
154b669ceb592bab8d06ae801945783a89f332ffb414854f4de4f7dcf5b74595

SHA512
1611c52c8d9a06c09e9ac258940e69ea8c08a188246195108c462e7a720a97590d0f37f410140edc6c870f5d38cc45168970c7924ffcb1f90ec964be7dc6616b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
238KB

MD5
17b1cbf3f6c07d5199c810770a5b390a

SHA1
53e85260f0c81e086828ba84793a789b6aab2521

SHA256
40348132c8020acbaad6c6f1c10d2afefacff97f78248111c52848b6aaabd86f

SHA512
5c645e835befd056d38653f999d8f273b4351a9c9185e00a508a76b3f24dea30fa4dac428ec7ace449d1ea655a11378ae808bf5129790a3bce3bbce736578c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
833ae9f91b241387e10621609f47ccb8

SHA1
185cc0053498313df863e960f2f73bb3e874a6a6

SHA256
19d3b2af38e9b7f0224c6b4f70b926b95dbc39d3c27846cc62ddc217d889ee07

SHA512
80fc4a32b8793862d2ffeeb23b101fa3887517932e4499e6169d4bc3e0b76d0ecfff045e8d7155b551c48dffbb3f977a00adf8d459757a69398937b1deaaf87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
138439e4dc6a87cca78c094b2e18eb93

SHA1
62f1b63a01f1ed7111f35a13ae4676a9163f97a4

SHA256
34b78dfaeaf6925accf12b2a2b1153a35d6daaf55db14cfa15f10205c51e8a32

SHA512
3593c117764888e3ebb2985094081c1d8184ff255fa1ec4ae042bab9a9958fba3319a0bded60854fad7b71bc72bf6518853966aa72fe27b7c979e1c617ed6daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
8KB

MD5
8a1aded8bd9c51a33ef00a9b28d1ecf3

SHA1
ecaf977b86133f37a857581016ad6f754c511d11

SHA256
df548657347e43c8ee0f88949c8e82289085517656a396532429c078da09d587

SHA512
440c3b3e20fac10e9b54625d5f073bcc5efecd494c96afb26a681763e72358c39d472f86c51f715843cd2e3f5f079b9c7e79f5aceb4f73397a9e5106d28e7077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\favicon[1].ico

Filesize
7KB

MD5
0b60f3c9e4da6e807e808da7360f24f2

SHA1
9afc7abb910de855efb426206e547574a1e074b7

SHA256
addeedeeef393b6b1be5bbb099b656dcd797334ff972c495ccb09cfcb1a78341

SHA512
1328363987abbad1b927fc95f0a3d5646184ef69d66b42f32d1185ee06603ae1a574fac64472fb6e349c2ce99f9b54407ba72b2908ca7ab01d023ec2f47e7e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBA0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCDF.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3019725E-78D6-4D9A-B653-58722F020433}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1100-1-0x00000000739AD000-0x00000000739B8000-memory.dmp

Filesize
44KB

Download
memory/1100-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1100-187-0x0000000069811000-0x0000000069812000-memory.dmp

Filesize
4KB

Download
memory/1100-219-0x00000000739AD000-0x00000000739B8000-memory.dmp

Filesize
44KB

Download