74713bf367730dcded2849a08d93af75a75d294daf6c425282ee5ac069c830d1

Analysis

max time kernel
141s
max time network
303s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 18:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Primer reenvío del mensaje con asunto Radicado No. 2024_6105020.msg
Size

71KB
MD5

a688cbc87cea31afe5dea2fd906df900
SHA1

81e015e7c4dd465682be0625856acc752a3c52a9
SHA256

74713bf367730dcded2849a08d93af75a75d294daf6c425282ee5ac069c830d1
SHA512

cee4e4d05300fdbb220456868f3971335eb6a9c71603f8b6f9169af7bdd67b7b5a27bff2f0b768bace7db16510e22fa6454d0b87e5172cbad5ed68fe1df2a76f
SSDEEP

768:DKMcqY/FyRu74EmWsKsWsK8okcxDNhq2//R8zGvituRoSWpZMTLRxFfsavbJJmZ3:7XY/wREmW0WSFGviturlLnBVbq

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000de3ad0742cbe59b4ec9b72673cbbf665f64c1fea1c7db3ca650460d881b653c6000000000e800000000200002000000022d836ff958e8dfb5f22c657251abbc72529611d2fdf165aab8bf8b93a3fb02120000000f73141748c8ac84effae5918fb2e738bc216f2bfef7634969e1cbcdb6eb0d28e40000000f5b32a754236efdf6bff9274fad71d7bafa68aadfc0da6ea9225a1952c9674b3a12aa0697686c63ffb97734fa4cd6a583ea5f5309950e3840c3f6f34103a234e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423686569"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000915a2006a5047590be1de95f95af222b2748d3bcb356d3d53c9e46724b24844f000000000e8000000002000020000000836f6778dea91f15a30ff431a8cfec014a720410e3f496309916c0a170b206b7900000004cbee237f9a0bb984d7acae4990ee948426fbf99f6fb0d4d6bfdebcc0dfabb61b41e3d30af37bb344b17516153a96a47b64f484a3626336eab0a60a58902df4146d24c8365482e55290f811770572a479aba91ba918f94ad258fe0feb43d1b0541e49384b437dbb6c62a20cd32c494eccc5cbbd279d7941eb5ddaaf8dadc094bbcb3fb5bc496cd0c457b0125d5c1970c40000000f7780c9c0eb7a0f5274561fa8d59eb0ad2f8258f57a3c7b3dae6b423f80eaa0cb2de0e3e0b3a7ac72c06a2c229ac08edbbc129b0632b19cc7cf0c3f079b52627	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E53ADA41-229D-11EF-BF51-4E559C6B32B6} = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ab12b0aab6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1452	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2256	chrome.exe
2256	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1452	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe
Token: SeShutdownPrivilege	2256	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1452	OUTLOOK.EXE
1556	iexplore.exe
1380	msdt.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe
2256	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1452	OUTLOOK.EXE
1556	iexplore.exe
1556	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1452	OUTLOOK.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1556	1452	OUTLOOK.EXE	32
PID 1452 wrote to memory of 1556	1452	OUTLOOK.EXE	32
PID 1452 wrote to memory of 1556	1452	OUTLOOK.EXE	32
PID 1452 wrote to memory of 1556	1452	OUTLOOK.EXE	32
PID 1556 wrote to memory of 1796	1556	iexplore.exe	33
PID 1556 wrote to memory of 1796	1556	iexplore.exe	33
PID 1556 wrote to memory of 1796	1556	iexplore.exe	33
PID 1556 wrote to memory of 1796	1556	iexplore.exe	33
PID 1796 wrote to memory of 1380	1796	IEXPLORE.EXE	35
PID 1796 wrote to memory of 1380	1796	IEXPLORE.EXE	35
PID 1796 wrote to memory of 1380	1796	IEXPLORE.EXE	35
PID 1796 wrote to memory of 1380	1796	IEXPLORE.EXE	35
PID 2256 wrote to memory of 1184	2256	chrome.exe	43
PID 2256 wrote to memory of 1184	2256	chrome.exe	43
PID 2256 wrote to memory of 1184	2256	chrome.exe	43
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2788	2256	chrome.exe	44
PID 2256 wrote to memory of 2648	2256	chrome.exe	45
PID 2256 wrote to memory of 2648	2256	chrome.exe	45
PID 2256 wrote to memory of 2648	2256	chrome.exe	45
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46
PID 2256 wrote to memory of 2820	2256	chrome.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Primer reenvío del mensaje con asunto Radicado No. 2024_6105020.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nec.colpensiones.gov.co/viewmessage.php?messageid=idb4e1200f4c6cf8d0cf66194c83f32c873f57ecc052cdec4438ab21ce2fd85daf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 66148 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFA718.tmp -ep NetworkDiagnosticsWeb
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1380

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:2536

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f39758,0x7fef5f39768,0x7fef5f39778
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1276 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3232 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3600 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3200 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2772 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2360 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2328 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3716 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3724 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3768 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=284 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3460 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3828 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3464 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3776 --field-trial-handle=1220,i,13701177415836571544,10462161231262852141,131072 /prefetch:1
  2⤵
  PID:980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14991a7a03d03a548343726405f31de5

SHA1
78ea7e2a113c404192bb89101fcc628e547cf0d6

SHA256
a952e57d33cafc5ee536b6d685f35aa0f1e682f0c609fe02fba9e6c750ed5544

SHA512
c077d5b19e538ff402f7524cdd0912802c4c37f897a606e8d171c1963f4203d7b6910a4bb22d1ba11deabb02c1f6d37c1c68b87c48f0b65a9332d288d45116c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8246847b73d145b728495722aa2c900

SHA1
aa49851dd2afe80f542b2e75baabe1b4e4c9078c

SHA256
628e22cfa1967d870af4161cc8aad43110b5e257c3bc50e29df62ae66bcd26c7

SHA512
61d8e56e83b423d29069925b876867e3100f6faced91b73c6da20198c3b9ca6c14b6410b85191298b3ed522b0a552a3d91d8f5e5d60ddf3433a054d25d48ab7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a76aec4e1f940ece242b7c9eed78110

SHA1
f4ea9286c90df489dbfa5fc2e0642a72fcab96bf

SHA256
45e8fd8e6eb68160819747bc15020683268770a7e0fe2d6d878623d6099c4068

SHA512
d48e6dd6669ebc614d22297f44564839856eeeec1e56649392292ee38e6d985c446f2aa9933c14f8072227d38026c7065ee7309387b5d7ea040358ae88aa9704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc9878f9459f0a947bb64a07df7fb6e

SHA1
f1ecb4b0ced27c2f5ee7bf4b382bbea7227890da

SHA256
e012e1bfa9e3badafc284b1f12f931c7710f7cb7888392e214896f1a98c067ea

SHA512
d2ace1909fc1f8b1d9539bff86eb613229420b65df158dea147c311af04b5a2a0fdcf74ecaadf7e0eac06b8102e64b1531c92111db5f179038ac3d3b6e2f2d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9b9e64768b5339ad41b5e8e14cfab4f

SHA1
8bb0905f74c31b99b084ee6d64fbb9a057db945d

SHA256
bff151019043f0c30bf55c44c935125971d994122a3904e36eb9cc596b689a90

SHA512
db5952d8501aaddabfe7d38b8aeb7f009373b6e21594a8ca523e3a2e21a0ba5d5f3fb30dd685dfb3a2cb5be51c3fbfa03110636548a51d0b1ed357c40a0b0bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34ed2780e94a09c9da095236cf650be4

SHA1
7cb2dee664aad200a4d3f8c7a1ac0354d7b76fb9

SHA256
3ee6a88b3aa5db372093c7354fcc77c5eff296ff6e5e74e867436f975f352d6c

SHA512
e5b7decccccbd55335229930a060785cfe9d7500fcb10f0ee1d3ea7f83a58f16b8ada4a016cd255f06ef0f2bf5cec1f9232545f388ff04686ed6251496c5e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24015841d895778d8254bb52977ded10

SHA1
48b7459d6cb873542d79422d022b2bb2670f996f

SHA256
e5c0ce7a3d22015f092c751310a9e43ea2412c0cdf55d41b779bcaa72a4c6ec2

SHA512
acc22ba9983591bf379cb7696dfe1ea0be433c10d7c3d5faa5c1c1ce861765b56e7ac0fe5265662919ef2fae17cc3d8928e8c962cf6a3fd74e6ea18a75c9fffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65c199752feb6c66b3a234634370e9f9

SHA1
b2d6426dc0396e9e5f5ce9b929b3b3a60de42bab

SHA256
6c173cc58c9cfacf8096f801ced8efc32ef22e3175682b47ade5380d949129b2

SHA512
989f9874fef5ed333598456740ed055e61f66866c9f466db0aaa48697d70dec286aaf1aa29ff016251213ef4db5e7cd7e68e14752d3d2bb012722a2fef83fb1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13bed6b01cc8d66a360c3516d65e380

SHA1
93a48e709343f4819d5d8adace5c71b604855bde

SHA256
9a60b26bab419adb0f9c15d4f11657bc111116f7c39361ad3700cb382236a385

SHA512
6af8b7229880669bff9f5f07a62c1b0141ce1ddb0a0d0ba92e2398ed8925b5d4f99ad8fa643a6d1497c562bc1c78c4fc5506957d602b98f2cc9a842f2c741e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
417ade47f7dc01f19170d331a54fbb5b

SHA1
355547e186fb1ef4448489ef7ea013156f2371dd

SHA256
6f077d1689ff6be696c0e0ea5227f0c9bb691dbc3ddd48c5a95747266755a76d

SHA512
ca5e71a1f0ce34dd9cfa0a8a8cb40a13867ae3c9007c3b6500356c3e46417240622707c4eb1f7b3ed9d023c9d5bf392f6f5c0cc9e960ba4e0c216ae19fbd8d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60366232b826a10e5164e4dcd744731c

SHA1
001cb1598b3b35379c9a079d3d2b7d3dd3fd3ea6

SHA256
052a2cba1e1e0c9608af9a8e8d09ed5f78afe351a9e3bf3a36b1ab600c2b71bd

SHA512
8805486daf58e2bfce321f253d5240b8d385a3a2ce1ade3c165dc869f7ff9690dc0e382c87ccadd923962e08bc331b96965b873fbbfcbeeab4f8f09ab9e19b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d750099d01f5f702e76e23aef0e28856

SHA1
4dc560a02ce51eafb7dcc3fa219592eae6355fed

SHA256
a868a221335a3cf31b1d32117ee96e23c3b6bdaf4f7490ad1a3b4aba9c53ceae

SHA512
0244dbe097a5789e6d40e038f399372e6e594e3ec8a4f14c963e711fb4c2d72e3253e18a782823600d694691dda2feac72522710cd8f1deb6e4a3720e05d6fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4297c0fb734c9acc083dcb60a166b907

SHA1
5d1e00eb36dc4a342beae925f00d236ede9f41e5

SHA256
ed87494c9f9e8dc4680ff86302a259154fb7a6449b396e4be9b375b0e5c7d11b

SHA512
8c84a6d3926b4f1281f3bce1e5e8064e502d408f72dac0caea089664c9c1166ead39cb24d9e499ef74de7b6abc514dcdabec825cd60f9356fae77d6caf02e60c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee5ec2a1f72d8ade9a828dfd555eaa1c

SHA1
e9e171b16711b6d8ffc707dda3282127a53c4a99

SHA256
c2f8137456aecf10ab415e7ed633a4147a50469f8237a1e99371990a359e2893

SHA512
beb4601cc64f165959b562586df77bf1554344129108577930295ee40c7cd547e9a1a7c27b6c230d4ade9dea556c3f05d171b9a9e105943722479bbe534b29d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d747e838712756a8bea7db12ec815b6f

SHA1
636fdbe03627f40cdf3e9f411cdc02a4b2308d5f

SHA256
d622e43f018b1827325efa70326f1a246f68219073b300cf5c36e595f1670144

SHA512
efbd0fc0a92cc5a9c526883e9047539bbedd062d28f1567cbfa720397f078265aac680a24f8e44a7a1f6e9573c72e903cb2b2121b0735d6044603c01b0be03b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
286398edf269391cc9f79f27d430af5d

SHA1
60786569a9ef66ed2248744a47f3bfaae1af56c4

SHA256
2a3ad194cb66e613b42fb8cef209c211f101fa0a37c75ca2efa3bdaebd1c949f

SHA512
446fb4ebda9f684eb8281e3e03ba654c5062a33649f2bc5a376c5491d349c8b00854dbc584565a9587bf042c17ceadd9f7d599ea3222fd0a766d9315ba6ded78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d70b07b839c9cd01db8883320e87650f

SHA1
64974d044eb9e9cca48defc0c28ba1ddd45de0e2

SHA256
8fdff6c2140becf1e417c9cf4f03dbdbbd90c366861a24dd6b3800b3528570b7

SHA512
aa33f4aee5b2b1b21c2d3f1b4d96280ff109732314d64135637bb61617885069ab087a11707cbbe2daf9ab9a20661ef7d593a608d9596e6ec94104788092ad5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335244b05ce193343dd5573fe87508a2

SHA1
b1c4db56cb4b97614b188285044934cde9de2532

SHA256
7c7f44ee68b74ef21c67f877408f2d388caef07aab3d0a18b541af0bb797a097

SHA512
0460f8e422f7787e49b6702b39d73121d7dd63cb6dfac51cf68231c01ebbd4f887a000adc7eec8a9666a729f3b42f90b70ad227de56c0af5508b2b8b5b8985ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
228439f9969f331c37f12b70cd4a3806

SHA1
f5bee163d43dd4b37d036c1b2fba7d5608d48255

SHA256
0ba990e9877273b3b31b6cdc7228fae2d47fc62fee39f50ec7a43934cae51e53

SHA512
1582867d4ff296aceaac43ba28c2804008a8ae3a7534849eb6032a2b28a6fcee308aab96e16c8334dd4eedb4bb072c55b9e743fa7021a24df707574fac1d6183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c381856399a90d3232b404de6dd3d7

SHA1
bdb92e8a7a2f49b3e7ccfa63398447e19ff7ac08

SHA256
064eaf1e21727855689192b2fbdd8ff49cec9f83606777a6033e889a0ef494de

SHA512
37eec64b87b64ffe87966588aed1bd25ce4397b70af987c9a267d14cd7fc17021e95b7bae8b593b660d14c353035b2f9bd1c048e8c4507a7c93bd62f0c292bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba2473f5b57906587a4788ffac08606

SHA1
9bdaacf629beb2c4d6b813ed22acc4776e766b3f

SHA256
e545099cb717fa3e08bd0d2be21fa7a5e5ae9faba35410ef664bcf7dbcdce623

SHA512
7b189406828362b5d847710531edd26541636dd110e5b6ad1065f38b8991b1a194bc14e9184d3ddc9710fb600952d00e2a33d0c960ea1cb2826d2dd5948eb95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8694a085999045f107d87d5486fc4e10

SHA1
7b7895fb0b33c2dfe7d8e4998fe87edfa043efae

SHA256
53c92a82a7be58d1210259b93d48f2b374a9145e55c858c3adc70bda25ca39d4

SHA512
3b423cca8ef5382b463effad6f0721f4ef13a37abd9ee3abf85352fa511b2800ba8fc50099abc12e60312005713f1d01ee41d457f34bf6be58bc323bfa40d2dc

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024060418.000\NetworkDiagnostics.0.debugreport.xml

Filesize
66KB

MD5
93da683132d94e6ae4a8d03548cba3f9

SHA1
90164e8bb92ad8a9f92c19bd9e927b2b17a88ddc

SHA256
ebba5722b5b85b40fc46bc825cfbf24c77abd8c35ae23b4b32e59602f6f84881

SHA512
a79cf350dba3e7469312dc5f477468f8fab7f28ec4e84e3ec7db0c0bced6757bec360d79537e47a5146e0eff3aa4e17d5b60578574a4eef4a21663a903b3c672

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024060418.000\NetworkDiagnostics.1.debugreport.xml

Filesize
8KB

MD5
4d327a900f5c58cb610f37b02679a44c

SHA1
9e46412853dbc530984efd7b92bba93322ba8381

SHA256
31fe50ee1b4cc01ad44f6984387cd4207536ec578ee17d1233b61de54a17da64

SHA512
582751472852687a5c4e442d155dc130c398080c381c57a78143563d9e8974638665f41bae61ba80dde456289ffabd8dd7fc2ca08a9f1b5b19cc7d1481ae43a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
eb1d83f1e0d79169633e8e6e22061d18

SHA1
d8a2ce4f88ca8bac30901f6ccd200a21bb3620d3

SHA256
5fcdc8982d28e85f4ad991845e9468975597efac0e06b14fcfc587f7b2330ea0

SHA512
9650eac4347b8e314868ce1a9d0bf142b53d6095996afac3f2db9596cc2f11aba36d2cfea5ab70b113b764bf48505e0adc195dbbce3107d092adccd0d6b65107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
683734abb608ae38cb5bcee25b85547b

SHA1
8d913368d86b38b35030201c9bcbf8bc91f47a9d

SHA256
f084031998c1e64d372f417bc9fb2c3bbfab23eabc1d8c837864f46a774050d3

SHA512
bbc66963a5b496dfa20801e66c0e180e3b9e6165a87eeaae877ce1e121fbf215b3536903ec472d6f7e4f27634d72eb45b0f2c5d9e70f9fe294d6595705cf7e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4bd84521888f7c015ec3a49977c38b67

SHA1
f04ba6a01a525115631cebf75af0286570b8190f

SHA256
9028433ac0ddaedf9645ecc80ade3f1dd73b910035b86c35b54c5b484669758c

SHA512
e9e4ef846dec599c5cee22a5c6a2ece3a361d220001509f5616424b941de33ed1b33173577b6baa08341f86b6f2c6162ad93e8461d9496785c4d426a6dab513e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
12b6284040bb5d5eee39fdaf6bdf0489

SHA1
0e100828108ba8e5fb9879377342b10e0c8ff492

SHA256
9c3c5505702127353ddda9c253255d64ed7b9329cd24f21bfa33e52ba76a1d90

SHA512
d6b5bff17de7b2b1867ae45d9b16a4797fcbcc70507c59324770d6c9fbe12234c68bdd69b838ee9f5e30991d0219a0b93e2bc4a5cf4d1d1f7a97fb2992b89f3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ad0ec4f24dabef92a7cf25e9a876b4cb

SHA1
d8476688192de2dadc35be4b3cd7c88082af9a37

SHA256
1e2395bcf1781fa746bffa1c7ec27602c86741ec13caa9d0debb361f589766d6

SHA512
c53012f5042c39a35a730861cef66c18c65fea4d37eb3253c370ccaf9ec93c9d7f7c0edcc376855472d97aa45cf70e5fd22d3dceea14489ef81589f47f595491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b3c0b57f0e976112f19edfb3ec841598

SHA1
768523a5ee5c3f4c103680e67fd1608cedf56b8a

SHA256
f5908a3ed96b2f94fb709aeed17ab79915e62f50fc5b705ab461c9d71f6a2847

SHA512
1ab25bee9d535b9f8b81ebec39b0a33810d79642cd04ab87c422fb1423074b6d02ed9f3d48f7864871b9f3f91894df3d22e8d215accfa49a1eb11d99347f68b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
68b552437e93c2b6466512944d521937

SHA1
a362ef19c8041b109857e0d8d6854a23a8498ed4

SHA256
123f17a5844e3a3a51bbe44d2fc507d976c489ecd37aa1aa82166a9c008ff6f1

SHA512
0ab2073fa67f4ce61c36aab446b75cb61b8148c2f6f36d9eba8018a898a74ed3f826f2e85b1905f10891ea061c7ec90195701ddba80d9b45e13de05c04cfa00c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\de468cd4-28b3-4592-9ff5-b5a7c44cbe26.tmp

Filesize
5KB

MD5
ca4675c6d2f52f2677569d13073c65de

SHA1
b92b8455c52456b2c2f06e4711373b4549373283

SHA256
b231d794523f0a4be1ab14e77a95258787e103bf96da3bf40c54d95d39f32963

SHA512
e7bde1f39b77316469adfc1cdd56ec12df2edb090d1595b7e69aeaca588af1b2c183ca2d7c65bad005e07f99d254cb9be7ac2153460937c77cfbeff973b1d5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f89a668a-4398-4929-ba89-3b146921feda.tmp

Filesize
5KB

MD5
0037e9964ce59654df9ace5e9aa56739

SHA1
7423dd051d7adc108b68d0e1d870afddebd6aa23

SHA256
65e8c53ba44e8d493cabe8ec982eca00d7d06269c83a8ef49f4320bf78f8d075

SHA512
14cc9e07d1095f42e47287804c6e9172dee9cca880fbed11b9cadf37afff85535a60999ae32e253987720a0f9367b05407b0329e15ac2f34031673a78420a698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
26d659420bb0e4233c2e3151678f0989

SHA1
aebfb500460bd2be338233805a20bb75676b336e

SHA256
1d8c32649d8b86896c98c3881f675ee7839e6ff4830de8a1676042ca26e8fde1

SHA512
86f4e1609bfdf6633eed93ef2ebfccdf693eaa5b7362cd78857e3da2f83bf2697c7a9ac89afe977e79c1f6eeedacbe65f998da2173794fffea7fbec184f3b416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
f829acbc6e99a19511882a1e68a44e4b

SHA1
a327adf79374561fe03f9755ced3b8014d64c83e

SHA256
fed2f1dca523d54001a0bf58e981420783d9e687e1a1458b1915aa4ba59284bc

SHA512
b9d514b0d9a05f9208b5cc50380e9aab7a192a4ea7f5fc067cf550e1601b6522b1bae9f5b46de08f412fbbba0dc34f28c05cb0390a572579dd3654398fa32e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
be8767d1ac7d727a694985d4e7175fd7

SHA1
632e69e132871ba4fde841923fe192f4a178885e

SHA256
0389ccb3e52e2cf6159fc6fa652f8c4f5c112a069d554291c279eb647b3760ff

SHA512
f85bb9ad6b5169a647bc1626a442dba4b250a8e5afcef12f38253f9a76e603680f18058d3a61559670ba2ce079c5653898fda25ea9da8c2affb262b1e9c181de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
ab715acd8b11556e7dd7729848be269b

SHA1
fe7cf785c48afcaadc81b9a91bc14dcd22739ea4

SHA256
ea7e6fbf4c02d6f86b78baaf85790109d0449021c8ed7b2daaa71b79feb46988

SHA512
9def3bdfa209b11e2567a2c5675d24ffab207ed31c93970b8098b5176e1b1d23b46ae50d21463a32510c9a52dfb3dcb2aaacf24a01cc8a46cc68b0ee4ee38041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi

Filesize
185B

MD5
d006bb6e8647c3da60a2628f611e5d75

SHA1
ea37418e4769c5c3f0738d52d09168c7c8267244

SHA256
d695852c4096c813bea52ff79e75a9ee89871d5323d65e581ed429fe612df8de

SHA512
8135db4d5c6b15db45c11dfe8798d0aeed0869a7455c3e58b540bc0a60a6fac58cc3ddf43b83809f4926fe6a2ee925a8330f2938fbfd05a7891a69d2512c2420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
b4b7c43f7e78e36996eacdb3e7f6ec96

SHA1
dbcdb2b1c8cef702336e8e3acdd55bb44e58e828

SHA256
8417e94c63fa8ccad391f722b97148f38d523ae78056c31a68675d32445c6678

SHA512
31293a59bc69509644b0cccd7be34d0f03ceff124c6d6adff2417483adfd8cf5ef5eedc0a47a297fbbb80e9a0b36ebc7afe9014d24c4d02fd3723ebe511deef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB137.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFA718.tmp

Filesize
3KB

MD5
f6bb91ebb6f7f6a159c86b0aff43663f

SHA1
6b14b8e769ba4ca63f9015971dd897f023054ec4

SHA256
6864d3768f9a77096a4d0d621650f23899088f7a7c28a84702e0acfed47a9bea

SHA512
b549de8e04d5840a386e34d34a19e2f971f7b3c2e9aba3949c4d67072038b6e325f6d1585400d88065b148d0560f45e6db144fc38816d65504636c87822b888e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB13A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{216CE5AB-DF42-4925-BDA5-BDC145006570}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\GEN-RES-CO-2024_6105020-20240521.pdf.crdownload

Filesize
767KB

MD5
b3e9168b02fe4b782d3aa813bd4cbc13

SHA1
544f45713b71c21312d8c948f9c0220aec4cb403

SHA256
41f28c0ad538a402203e7ed63b85eb2846c0312d94e20d4e2bb8d192875a83f8

SHA512
94722f6030ffb3c1e1e9f809c002ea708c0a4d56cc74ff5eb4e6cc557807d8c32a4c6be5b9dd88a61a26397c9d4cd70586ade19284fb35494c942694dfa018ca

Download Submit
C:\Windows\TEMP\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_30d87659-204d-4510-807f-9bb18953b862\DiagPackage.diagpkg

Filesize
152KB

MD5
c9fb87fa3460fae6d5d599236cfd77e2

SHA1
a5bf8241156e8a9d6f34d70d467a9b5055e087e7

SHA256
cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f

SHA512
f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3

Download Submit
C:\Windows\Temp\SDIAG_30d87659-204d-4510-807f-9bb18953b862\result\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Windows\Temp\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_c9ccf900-b331-42ff-a66d-a57334668947\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/1452-208-0x000000007394D000-0x0000000073958000-memory.dmp

Filesize
44KB

Download
memory/1452-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1452-1051-0x000000000EE80000-0x000000000EFB6000-memory.dmp

Filesize
1.2MB

Download
memory/1452-1-0x000000007394D000-0x0000000073958000-memory.dmp

Filesize
44KB

Download