purelogstealer | e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51

Resubmissions

23-08-2024 15:04

240823-sfqtbstdnr 6

23-08-2024 12:46

240823-pz1absxcjr 10

23-08-2024 12:35

240823-psg56stfqf 6

Analysis

max time kernel
166s
max time network
331s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml
Size

15KB
MD5

b2e25716e5e73243001ddba02b023077
SHA1

d8ebde9deb98895999d08a482f100da3b18e9c0c
SHA256

e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51
SHA512

6415678e4fef5ceb29e159560b80c81926e5f509a378660f01ed2fe0eebda0bd8fc89ae60e6e99c9ba4dda89b7a4eee16304d25e832ad0bb686cfd4dbb0f1821
SSDEEP

192:aUdKM3CU9jeGADEAVKRzRqIQNAyRXS5wUGTw2usvGXwYSJ2hFj3k9OZ3XT9BQXKd:FKM3CUVeGAbVKRzRyAci5wUCu40zfd

Score

10^/10

purelogstealer discovery stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.exe	family_purelog_stealer

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

15 drive.google.com
16 drive.google.com
17 drive.google.com

flow	ioc
15	drive.google.com
16	drive.google.com
17	drive.google.com

Drops file in System32 directory 14 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

Processes:

OUTLOOK.EXEchrome.exe

description	ioc	process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	chrome.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	chrome.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEOUTLOOK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9058c2a55af5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEOUTLOOK.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC081CF1-614D-11EF-937B-6ED41388558A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607c93b35af5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000b1cb47345380c14471e6b1a5457b695abddd76846603fd4655dd5eda0b91d4ec000000000e800000000200002000000022ed0dd1a412aca4dd13f7bd24b794eb345a9bfa118d1f9bd6f7b61a0d2447f7900000006a3f6a4d62f84cce2ef325d9db98e5d4ba8ac1c3312f967fcf819b4801996c7d9163dcc69d448612bf5680dab1a8b3741f7cde8beb3f6baeb8311b001c86cf6b1008252bbf6578c1836fe12ee9a705361fd242c44901df8626efc5a269e735c6c6c288bbb5273d5420f3654760bd29783c4d6921ddcd83a37b7ac2802ea2f63fadef305bb33940e38dabb7efcc2185ea400000007262da591a2963e64281cf17a4fc791dae99b5773edeba3516a2e35da0936f69ff13eb12db580b97de814ff9d5c0e0e6f82d5378fc5c7803dba7226b213b11bd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000082e4f347b7ba5e281df2aa5e8ecc8728a2f48e16ae37d624c7649bd484292c7a000000000e8000000002000020000000349c677df09863f7639d7eb7380f3cea11078061cccfd5b061ce3c4dfee408a220000000631176edc33608c1feae530b287504142dfae18e066788f9537a21c88a65e2104000000024bd143074fafa76fd5835e1d28f3f5498772eb8ff0d3a13208ac2696abf406d437f9bb33b8882d95e2dd38011ec425254350ded05216611197adefa51b2ae1b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430579118"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXEchrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\ = "AccountSelectorEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ = "ApplicationEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ = "_SendRuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ = "_PostItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ = "_DDocSiteControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ = "_DRecipientControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ = "AccountsEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ = "Link"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

2724 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1732 chrome.exe
1732 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

2100 chrome.exe

pid	process
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	2420	7zG.exe
Token: 35	2420	7zG.exe
Token: SeSecurityPrivilege	2420	7zG.exe
Token: SeSecurityPrivilege	2420	7zG.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

OUTLOOK.EXEiexplore.exe7zG.exechrome.exe

pid	process
2724	OUTLOOK.EXE
2068	iexplore.exe
2068	iexplore.exe
2420	7zG.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OUTLOOK.EXEiexplore.exeIEXPLORE.EXEchrome.exe

pid	process
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2724	OUTLOOK.EXE
2068	iexplore.exe
2068	iexplore.exe
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
2724	OUTLOOK.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OUTLOOK.EXEiexplore.exechrome.exe

description	pid	process	target process
PID 2724 wrote to memory of 2068	2724	OUTLOOK.EXE	iexplore.exe
PID 2724 wrote to memory of 2068	2724	OUTLOOK.EXE	iexplore.exe
PID 2724 wrote to memory of 2068	2724	OUTLOOK.EXE	iexplore.exe
PID 2724 wrote to memory of 2068	2724	OUTLOOK.EXE	iexplore.exe
PID 2068 wrote to memory of 1120	2068	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 1120	2068	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 1120	2068	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 1120	2068	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 2972	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2972	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2972	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2416	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2456	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2456	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2456	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 2772	1732	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1DMMujrAVJiEDlzeZDtnSs3SX8mp_3JBh%26export%3Ddownload%26authuser%3D0&data=05%7C02%7Cradicacion.entrada%40adres.gov.co%7Caf084811c2714df2917208dcbc6bfc1d%7C806240d03ba34102984c4f5d6f1b3bc4%7C0%7C0%7C638592419199975042%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=nTqmaxO6l42BhGK%2Fb184TjEh%2FuTAMZzDdGxd6YfMXO8%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1120

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656\" -spe -an -ai#7zMap6578:214:7zEvent10784
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef64a9758,0x7fef64a9768,0x7fef64a9778
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:2
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:2
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2188 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3612 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3636 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3656 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3884 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3676 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3972 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=1208,i,9540307111921511650,4232397432270285236,131072 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
739eb707c36625f012cf6e9e01df584b

SHA1
547d3fc30b39956a78df7a7456f6b0696839a56c

SHA256
5fdfd8c859cc0455b96477179e3b1464e73628b864ffc8a5298d7ec118695e50

SHA512
6531aa928a5e0270b2aa3acbef2fbcb2c6e67509fee9b9d4ebe1f47e1d0b0ba939f90190e8fe787bfe5de73174639b2ee621b4df20d7997a13b25aaeda62e167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495

Filesize
472B

MD5
cf2494f3acbc540611cc1db5ff399bd8

SHA1
9c8d0d49436be710e0408f15cc4641c515301bcf

SHA256
b9392ea37b3c34790e335c949c1fb3aaace1d1828aca7b61237cd15103639d33

SHA512
c4223a69dde8614cd92f05fb653507bd7d59f032adc99daff59a6e93b36fb5a53c99964e99e8915b4b48390b78f767680a9e045f224d03ab6e9c82e503adf745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552

Filesize
471B

MD5
422606778f6d2e49a58db1bbf3c1151a

SHA1
b14a21b8e924a3683118ecbf7e24ea7fabdc8d3b

SHA256
b8db68a61414973a8df9bf4eada88200d0d8780f6b8990d1b1a481f53872266d

SHA512
76f73bdc1a19ea67b6d8bbab025546f71d704b27622d3cbf4c8e62098fb25ca0d699d53ee551abbd4cbca7ea9ca0281c6dacd06d4af217b80539df5997a79de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
52dbaa0832e7f65ae46815995d5c22d0

SHA1
8842a2abd6f188792d82829bf2d116bc9a48f4cd

SHA256
674ae1fa3c0387d18baf8aeca1585d2280a744d7084d2a819d8707c05e9139f7

SHA512
dfa8472a7baa757589fa4973da2719c139c8973833f5d2c32daedd0d1b13f7443a331deae2334dc4e34a8b5804d165913a16b87541a14b87b2c6cea295ceac9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
ad1a6d7e57b6e3b2ef10fb79b4895d8e

SHA1
45ccdc246de24b46ed55e082de7560dd33122bbe

SHA256
2599abcf9f29cb2cf8006f619d17809a2d18ff9e8bc0023da959f46ebb8c8b8c

SHA512
95b7b0456c68ac2b21285c494f197d4c0c5c7f8f7a9b560ee428097d9a0f300b1d9be677a37c2cc76f9d393e19f6b2ed1794cb6d7136774bb88a5d1e7fa68b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d6048fbedc47e493c1e5178845f6eacc

SHA1
b3f5c5c7fa9f6cbdd703374f9f4c0f7ca4257210

SHA256
f077b94a087873fb1fa47f360855d402d76e4e9753c948dbaa39ebaa98b46a31

SHA512
6e6bce92177e82f84517c12ad842626cbb18968925592c3da447276114a12093c6ca94146adaed65e539c17bc5440c7ff18938e8bf16a9c2ae01f93dd8485f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495

Filesize
398B

MD5
a0be0337e151a1834d269a09be7f8220

SHA1
d433f50e82592e27c805ab39db5e0da9b9d064aa

SHA256
a223fbcdf169e108bf71959ad6e449471d74a30a81d40659122fd8abcae65280

SHA512
914e6a8e061bcebdd640fe1f4a5919b0ae5012b53f14820e71fd70bbb4e1677410bef7ae350b61feda2d3c94d600623aca6a26f5c56e4c1faf037a7be06f51b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b1ea7e92fd82f37721ed4e9fa2672ab

SHA1
1934cdcadf25c1ca7b8cb3465a8f3166891dfee1

SHA256
2a7b175fde70051ba7435af015af806b1d1c5b977758dbbf7a8e77f2719d3058

SHA512
df24719ee2c105fc4adffe9d748922c89c79f2d01644f89e1e7c677d9cfebf39e537057dff014be476fac0212069cc96e40f9ed8b850649d9e902728b67f91f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
809a35439ce3599e58775345d61ee2ad

SHA1
6f340eb9eddb1831ebbdcf65ff5b42ce7ccd38f0

SHA256
97474ac37fed7f3970f22126828431526c7ee30f0bd412210a6cdb195073d376

SHA512
fcbb9f271a1a4b7e6511c8da0b3dc7b8064f66d87ca92cac17d46403baeaf74296e44f21434db067ea0b9d14b6af668680c81f41398fdf286bece99d63209cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
225026075ea7926cdc901692934c022a

SHA1
756d54899ac4643b218785798a032429b8ad1ea8

SHA256
84e110dbd2a636ce2e266c81fb27609fb40875834f5a43b4ef02b97d7475e0f9

SHA512
b90d84e481f7fd62c77933576d33a95180f7c1ec071d51abc1f2b5fc3e407a3eedcf9ba795bb3726cdcb2601c3533f9080e1fc4cbe4e07b758ea66c93740fdb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdb9e9305829af6d6d596a09dd1c8b64

SHA1
081f3d3b79fc4220329a7d20a7cd9b5c6c7a70c5

SHA256
cce6f4f644f3dc720448b703d7a091e1439992e407d38e67994e517017537d33

SHA512
5dadcaeaedfe262ef17209f6ba0f27e47cfe7dd90a09332a383312df30c49460068fc1c30c1cee786f89350f970a54b467d336afcdd106ed360c285ba1397e12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da409ea26662faa58d0e13c43c6f7c4b

SHA1
ce83091c9c5acb178271e3da527f6bc5a6ddbab1

SHA256
4291e00cfb7c6c35a15930ecc3067186b5910d828ab980438e2a695260349028

SHA512
ce658e4ded6418e43a1b045f4a6d9af5e1cedeb9f25c63d982f6f019a81f3926bde9ea1e7d462f530ed0609b7f3c50205771f6f9ba6abe11f18825678abe34fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be242ca5aef489be21a5792f4bc390e9

SHA1
48f49d1fd234d92906221e18acbc70b102f1ee1b

SHA256
de8f3ada367cab42c73a03a91d2a3b58b6eecfecf2a546670d3d3688816cb3bc

SHA512
f7beffb5710f88517fe1314e4dd6fe33280abae62144451c93a512078dc136f438503a6370bb985ebdc6fe10da6dfaaf08d5dd6b8c6d72d8600c504601c4dbcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66bbddb8e920e0da6eab66c1d7746d15

SHA1
8ad7a8aa301a2502e13136fd840cfc3edd379fee

SHA256
2c6b351b07493b4c6902a7830eb32de9bcd85eef6017236831408e216e8d937d

SHA512
92bb2a22ef916b02e1eb3ea55d3ac6a620be01fb9d13d16f641062d0721c447e84317a4d3c9f066c625170dda69cbe2b05945ae7b2139b07e0a140b5b4f8a8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ead5261e6ba533c3f9010c50604cf8

SHA1
f4b348bc6abda01701d45f5de1259de1c5a155b4

SHA256
19dd7dc80a1459a310ecfd2f57dd99a8e822e571821a6893f5164b1a71cdb72a

SHA512
8c4c4856ee34dc40f57ccdf271d0a346851c8c3e8a8161234e7d0b4a34454bb50230ddfe3661e223a2155c224a2a16a7925e99fc06b76f9f0f8a3eae643d8fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6b4c382b27d53c2ff6f815dd591456d

SHA1
81c2d37ada4bafc96446903a7d53813aeb7b71e4

SHA256
691090900df512a95842cd2f8054548fbb9fd6e61328c18d11397cf81eae6fcd

SHA512
8d78c817cdc4059729f9ad85ac823bad327d2b45845ef0f87635f77115f39a0adcef515bd4af1cedd69714c92da0852dbb28ee25ee89bcc3697238c658e6d4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c144477d4ceb7c557e9eff2e984c5bf1

SHA1
f9aed743bc6dc4f05f8dd5c9b1f6a61070a60bd7

SHA256
297e2b579910c44f710963616d7fda2fb3c1c8284249a4f1c67f30207b90c106

SHA512
8b327e2dfb4ab79acc300f28be101e032c5a7fe97245748959767cb78cbf52c499df7857def45f18b0ae54051a1d276e19ea3c3b756176e6e4343a871cebd7ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0816d87537fdaa449a343fe3a3117ec6

SHA1
cef03ef94a3873689fc96f01358873be74bf04fb

SHA256
09ec51502616b4da60fcb67d48740fe7975d7d79ac9ecce051f1ece2d09c3d4a

SHA512
5500adab50e147c27c795cbb52ab4717fe0cc54b69bf703f2aefb0c5cca07ee29654416ede72951bc3d7db5fd18f30d5b017d9022d712f680aee016d3844696a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fd73335285b0e9851fb6b34352af481

SHA1
a10b6cbed212487af3802d12b525fe5f1891ea66

SHA256
36651d38071f2680fe9c8b25a64672b39f4432ebc994afbc4f07b6b43ac7930f

SHA512
b0cd99ff08aa9c984bfbb7f99eb2dff8dfc46dca83784eb86a7401226c08ccd32ec8593232dfbf41f81cbd5d71b6f284ed4845fc3ef5fd47a88150059a477e34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42318feba72d81351859dfbdcafb8b55

SHA1
dbbc3e5aceae8d3c99172b5f868034cb5ccc77f9

SHA256
49f4fcf0f7fefc972f65c982a846ca0e5a9b310ff2cf1724a3598c14f57dfecb

SHA512
1812ab2e0c558960cc760150888c86f001cd252f56292d2341864d7dbdfabd198879a439c6d1348e72b35ee55ae13639c32ff37098d76c28ca5fe758c34afe4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10afb6839ed311f375371c02b8867041

SHA1
5924a29411e8228f13f76d84f82cef4b29bcc45a

SHA256
9b2f6d198201223a6d3a27fff72c21e097ee948d84c10cface893380fb5c6129

SHA512
9cff709dbc8816897d935796b52baf1cfd47ac85227cd7613b624f4bdb93bab1316152c9c1808492cdb54353690be9518ff7cbd8929e18c24170970cbc25bcdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60a54bb12266b628135f994a1dae8f66

SHA1
437681b9226a3928bc660281cec3bd6254133da3

SHA256
ce4de70ee9688aaf1e9467c0bc066982abc9224ced0bc4d1d5b13496b344ecc3

SHA512
18f12d1a6d679e488663740ec36d020782d613eaff31b0ccf4de924defc683f6484c30bdc4d9aaf20b3e6e53329b25f1ca5fef29f18445f86d9f48236dd93d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
718e66c2a91ea4b9980b0027b5321d4f

SHA1
2bfe769331625da8cae870f80b8f9d399009b974

SHA256
e1bb970313cc0fe5da7760b90ebb220bf8357e8e2c183bc0135401bb45af1520

SHA512
976609d9767a834335ffbc68374b6f03d7a09fba36715b34e391bbba971db03170e168d05afdab0ae5fb3dd8c48274f7d060652b61340dec255e26dafd32930f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc919734ec5edb69c2fa2c21dcacee7f

SHA1
4884484f634c04d41171a0cc741c222feb7d2306

SHA256
b533c78f71409d8051fb8f4aa84d59d39d7ec6358704b99f45282765a3c05e60

SHA512
0bc47581c9d61cc3a67163d7df62b225e10b82b1f99a4f7ae51f29988e9ec071164cc341a34fd7c2be2ebdf9d629e3a3291faf1033339ebb7c32933e9856f839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f03dd0b6e62404cce647522945511e0c

SHA1
61495958c40c07ba7f36e010e496cf9b1859a6ab

SHA256
42cff399fce57b5606af939d76520541603e094e2c0389c56ef9b1d17ff7d25b

SHA512
950a6ed2991565e1584e928c1f75d12d55e39edcf5514cd871afe9299af4e2c145f5b4b0fd104a5f1a6453c84f2d9f34579234a75c1aba7bf6eefb4fb9bb88fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47fd6d4a8ff1683daf273e4c474e3522

SHA1
785a472454823c27552ab9bbddd9b3abeb904f64

SHA256
9dbe1417e29feb387714448b9741cf2f74deea1f8ccbd3480620b2399173e87f

SHA512
f7409d09318990137bbea1f6bbc6e7ceb201faa9f37d29d85f19d1b4b00356f7354194a5c8e6cfe0e0d708f78acb8d7c9398d2a93a536559e555802f04415c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57baccf42e6513a978cac11cac0f18c0

SHA1
df53014390bff3c9b534e09c4007c55d79b7bb54

SHA256
aab8c36902983b9ad1bf40bab85e75c742a3e4054c077a67838e6e0aa8e7bed0

SHA512
2240b7644d06973c357034f89132fd28b0d9bf6418dafd8c43cbe1e32a52c5193af3cdc5df81ffe747e8c670d38592c3b3ea6d534ee32cf5e2d54f1f8249cc20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d950d0081d5f4551caa1951fcdbf511

SHA1
9b470aa04f3d17b6b472c173f9901b6e73bba21a

SHA256
b2a8597b4817ec8dc85eaf327851933ba492e3578583b4f2ab9f0abcd5893661

SHA512
24b8bcdefd1dc521a49a193c29f27eb121662fe305e5bee0fa0341d49584fae5f7612c6bfd33db1a74cb520b95c1fdbaf4b2955fcf66ee274ff7de049bda78f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552

Filesize
406B

MD5
5c8f5e01be26c8566b5ea43b9230aab0

SHA1
83f16f71e0188f8e9fa326c1eca8e22fc9efe08e

SHA256
d24a4fbf9074193e7ce041e6019f0f06cae3031ac5d9d25693fd1c79d7b06257

SHA512
82c109a1b0b536f74d597ebc6de15becbc42e51cefa35f448e7a5f9dd6ea82c316f5f2afe0c00d332a3c0693001ac3ad4238a82a73db871757cee56a4ac35995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
04e258f22af2bc06fc724ae4be5289bf

SHA1
3ecb6fe8a8088472d3e22343f8bc18056a8b86e4

SHA256
4a8a0936d20c3013d247725e7f138e6cc91783812ca1505269dabf68a228c0d5

SHA512
c7793f4fd3a290bed91bd442a67d09d9afa1bdc1f3e5a1b72280a55a6c8d6a11e228c797c88fb2f008e0386173fac8a7c30e29a87f8da17dc6694cc701a8df60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
f9ed6445cb4d1745635afb471f0ad207

SHA1
bbafb4d371c26bf776d011b5685db866c9bd57e6

SHA256
5f8f52333d9b8f369a99603ab40a37f65a5f7439fe03a3299e29d1a96e2021e2

SHA512
d23be8e9b4979c8c0b543df31d834ac319b5e1739e7f0aa358646cec509fc42b2f77e9c0537a009b510ff60f93fa7605f94fe9441eaae4a387557b235e01e0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
55ca53ebc1a33ee3468352d0238bcc15

SHA1
404e8dc1ff69db1105bfd2f7279ac42b561743ee

SHA256
69552841f93ae431f57ba0012ac1bd8980b390bf88e90eef6ab24ff71846fe80

SHA512
89cf51fcb757b43061080e603b88c78630d0bad8efb9fbf3b826b16d68982ac5c6aea0d84bb03b6b6cc849f8e7d71990d627fd0985de34d84171bfb5325531dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
08298299dc9be22b5e5014e8d979190f

SHA1
de8338c7c955e1a0645a2117ea2785790e0d1958

SHA256
13e457c8df04190c629628f67cd3ec61070f755730de8481ac0cafa07d35e9c1

SHA512
ab9cbc4c7135af83a4c0ac4f0e73f1e8d8a3532a967156ebf49af69176327d7ce0243f5a1052bc25b39e7704f9b3fbcb5cbf6aef25a452835da6811dfd354fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
6103701bbc30f6ad38bd29b3969215e4

SHA1
396e6426b56bc4d900d9a8ab3985b55f7665dd5c

SHA256
75c6b8fec8c754e19c2b153cc9b240bc9b64236940485b74ac5c8cd5e1017d3d

SHA512
3c204db4378cb727b7f549f2d9d7a5d6457d9d8dabefebe18e06d6681c82c252cd82b638a15444a18a3e116692e9e7b5e4b1709d272ad5f7c6a3ea40934a5101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
1f31ee4dba9ee949272d952600367965

SHA1
4f2f13a125238ebdd5b5920bd9e50648e1c6d203

SHA256
984c628cd9e2accef4cd29d231a48c647053acf97e0e3e9841a35c858e4849e8

SHA512
7869a87717e58aa7114c51c74ea9cad94e3f43e86d8070bac4965899454164a76160b9f41b665860bd69f1302162f01d8c988a85bb62faa28ea0b3997afef0f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
10797bdf78c5386ed1deb500838766e8

SHA1
536a8223260bebf72dd72ca2e898994a4f97fc12

SHA256
ed63abd286d7b908dac2eb0dccb37685361186157b83aa70ef7d696b3b152699

SHA512
7b70c77736405e6ed6a28ea026dd83e6f25e0aafb9b6927ed16141fd26d9a060871b766dd602f7df218dbe7cc2f7bd0dff9deb58dc357bd090035b9329c8daa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
51dead7f3d9993eeba3984e78cd4ea3a

SHA1
e4874d4969efafd463f7b1ed85a08c2269dd728f

SHA256
0c15bcb39c3243dcd89b433ceceaff430d41e40d84a48b21a1cc799654618a32

SHA512
c3149640f9356a54bfb537779b132953efc66d299f859b89ed48d393c1cbba173c2e0ee718434c1db2e17a16c15ec1c9eb6f268b0c0ac558061b4c055d307417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ce45901492e0717cb33bb2f1212d9212

SHA1
d65c91ddce905a74474a8b6eeb27ea5dbed74b3e

SHA256
03f3a3a154d3a1f144975af8d756c3412e6b7c02e7bbc261d18bd0eb9aa94d23

SHA512
f10d60822857f03c4dc5e5d9f3be2d4108145d09632ae1254302c6d7ff20e5c9241a70dc1c8332423adeaf8157ba85896b0d906ed64c9af87f52847fadd5342e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f269c56f0475acbeca179d24d7f02dac

SHA1
04bd8f3ce5777d1861ad9d4430143c0538458bfe

SHA256
4244e1bad27dff93a2a84c1dcb0f8bfdea01f9942c95986b54e93fd2e2351d9b

SHA512
b407d18f33528d82460305306d4177ea512530d8dc3168123c1ad52d9b6a35d4579da1c4626e19c7ffd4092d6f77e67680ec4e45fade24da3f682d85df045743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0402a6cc71d356d776f3c4f24d49db70

SHA1
b252dedb469d9f777ce811713371063989e58751

SHA256
d95683e870494b413767d1fa0a59dfd3e03a0b932b1d05edcedea01a552063c5

SHA512
1d2a5e338cfca380a275b6e61ac6b56ad1836728f685b515736ec69013c60bbdb3bd284fe8e0a72c50fb5fa3fc1919e4d2b7038ee0a13034607f791d8aa242e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b79e6b669ff966a9c16eb803a0a84320

SHA1
82c5123d2161101d5a4625b5070cff82e8d5b8d6

SHA256
c500f364cd5dd330dea06f3c08154b552651b8a928a5be053285a55c0fd5647a

SHA512
77fcc5c739d7db68c3520268b59b13de185cfebe790600caeedb77a7fe713cbe923c0fae1192209b8bed8657391b89a6ac7b0137933b06794432aca3445af622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf77f72b.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
33ca28755b6054721bb2be23867f854b

SHA1
97f0c47278677654483f6f496b9d65268cf4a0bc

SHA256
ddbd3b117d5e35dd27700d58d67c0e6dd559b9e62a3893f61b939fecad7d3f4f

SHA512
a6da6075ca36621a2c2c8f1ad022f4a2abe1fa0cc4264f44739cf786cf9591d7f9997620e4aca089b4629c1ac9f863ff009ae7fa2cb818f05f350720140d1a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
b93dc002f71a684d443f7da76f07d106

SHA1
d1f754b214dca350ac1695280cc20b3ea9074e55

SHA256
2f0b26a97824c8010b3917716328d260194ca47804c3b3e8d7ae029fcfd0dbb2

SHA512
66aa51514cf379f7509f129d0260785c721e645517680a1e34b9fc8556f7a20139bf737b5dbe101c1469384a16f3abaaea23f97995735bdd7331b2adf370a7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

Filesize
1KB

MD5
54ed77c547d3ad0929475c8e9042b2f8

SHA1
35686ebb67698bcadf313a56ed238fe07b46b7dd

SHA256
52f44811fa3c21c7d7f882360f3ab36274a06fb0da0ff1195445b634c57d056d

SHA512
a2de3051f98ed70dfb12b66e0766f962e1c3735f8fb020fbf2d34d83a24b78d8d00703a327cdb3b500fe521617b636dbe32f209ab9aa9de4005db74fef65d8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\URGENTE%20requiere%20POR%20SEGUNDA%20VEZ%20Respuesta%20al%20oficio%20No.111%20RD%20Rad.%202013-656[1].REV

Filesize
1.2MB

MD5
e8a7e910aec12a584bcfe6925be20efe

SHA1
59f5c8dace1da214bc8e6086b21a6bbfeb114449

SHA256
0e559172d232f5fd5fe97331941cc210ed8de9d7ca09636514f536fd1797c69d

SHA512
1a4d7802ca16b191fc1571fafd79f2f96a5dc7e8987c554046a544c99c45f4703dabf78efbad3257ae5be0d07ff538fceb3251c0b0306f5631534dfe3d4d5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE37E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE380.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{670422EC-216C-49BF-8C12-0D049BB532C3}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFDD15C3E1E1B9CA8B.TMP

Filesize
16KB

MD5
0b03f371771302aa514e817dab6daf08

SHA1
c5353b49be03ba842f57c579d569140c7790b81b

SHA256
6176b978415d263d1974a30d6335c129ba76a37be5204dd756d0f2c50d7a0158

SHA512
e293237eea50bf7a83c08563f2a65a39027acdece394f5b8b545e0fbba8665d2a8b4c86b1c8f5fdf79481d9dadbba1987daaeba5fd8ce8353b085dbaccebb30a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.exe

Filesize
1.3MB

MD5
634d083e156932ad463d0b6d565b1864

SHA1
08efee0f93d8437fc78c1b072bab1bf656ba0446

SHA256
961e1a9e87354282994687dd1fcedab938d86b3444c60fb800693c12eba7992b

SHA512
544f2a497ee106fbca9d57322a13b03a7267d07829e6c170b1f8207b0a418c3ea4d2a043063aa99451f7c322d29159f398affe21e5ba72acd6ad123b099440a4

Download Submit
\??\pipe\crashpad_1732_QWTPYXTQHFVHSCBH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2724-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2724-161-0x000000006B531000-0x000000006B532000-memory.dmp

Filesize
4KB

Download
memory/2724-1-0x000000007405D000-0x0000000074068000-memory.dmp

Filesize
44KB

Download