e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51

Resubmissions

23-08-2024 15:04

240823-sfqtbstdnr 6

23-08-2024 12:46

240823-pz1absxcjr 10

23-08-2024 12:35

240823-psg56stfqf 6

Analysis

max time kernel
115s
max time network
297s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml
Size

15KB
MD5

b2e25716e5e73243001ddba02b023077
SHA1

d8ebde9deb98895999d08a482f100da3b18e9c0c
SHA256

e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51
SHA512

6415678e4fef5ceb29e159560b80c81926e5f509a378660f01ed2fe0eebda0bd8fc89ae60e6e99c9ba4dda89b7a4eee16304d25e832ad0bb686cfd4dbb0f1821
SSDEEP

192:aUdKM3CU9jeGADEAVKRzRqIQNAyRXS5wUGTw2usvGXwYSJ2hFj3k9OZ3XT9BQXKd:FKM3CUVeGAbVKRzRyAci5wUCu40zfd

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
16	drive.google.com
17	drive.google.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 409b29de6df5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430587379"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15FF46A1-6161-11EF-A748-EEF6AC92610E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000000e9787e08945008e3adb4fc79ccaeb3a5253987e99da64ac1d5244e404c74fbb000000000e8000000002000020000000327f2daa41712e3db96180f12e34e5f80ed5058747b1259952b0e045f74e9d872000000048d026028113667540bfd09f6eb83c1f2021ecfc4d68fc2a767de16de533531640000000a76cc136699328783d48f0967afb00e68c06a20866b012e2c14e0542b290ced247b3475ed02e2d63b13828ee418cfcc1f503d5ecfa28d4f971a70ea932a89253	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200558ed6df5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000049b6c18dc5787d5a2f0dd6604145ad41b3cfefaad5155ad18a5162427a92b73f000000000e8000000002000020000000f1c25320a9436ca8b2b841928f75ea7ce0d2657a0ea0b3fad7f56969b209aa9590000000cd689d572f6e86920c004c808b2d975217481fe08e7b9746160d165f24a47b85fdbb24c038b0200fbebf18c609041fba5985b583f06240c099d4ea114bdaf860b3fd340987c9ccd5d342b8459d3dfb098456890759750dec2d79caaf14bbf66bccb16f99ee6f99e902b236a6b8b66d402f9fe0c4da6b6192768dcbdeddd1068de20befbbb9cc809b0cfd150e14b37ce1400000006de326fc10742f7eaeffd62e1146d3620c1386337a577ee94ccd197474a371381378cb1a2762e85961e3753e78e99a03f7ae9355b0385fbb0e548724d315812a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ = "_ExchangeUser"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ = "_Reminders"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046}\ = "_Inspectors"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\ = "InspectorEvents_10"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ = "OlkPageControlEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ = "OutlookBarStorage"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ = "_NoteItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ = "FormRegionEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ = "_RuleAction"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ = "_OutlookBarPane"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ = "_TaskRequestUpdateItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ = "_OlkCheckBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ = "NavigationPaneEvents_12"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2080	OUTLOOK.EXE
444	iexplore.exe
444	iexplore.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
2080	OUTLOOK.EXE
444	iexplore.exe
444	iexplore.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE
2080	OUTLOOK.EXE
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 444	2080	OUTLOOK.EXE	32
PID 2080 wrote to memory of 444	2080	OUTLOOK.EXE	32
PID 2080 wrote to memory of 444	2080	OUTLOOK.EXE	32
PID 2080 wrote to memory of 444	2080	OUTLOOK.EXE	32
PID 444 wrote to memory of 676	444	iexplore.exe	33
PID 444 wrote to memory of 676	444	iexplore.exe	33
PID 444 wrote to memory of 676	444	iexplore.exe	33
PID 444 wrote to memory of 676	444	iexplore.exe	33
PID 2108 wrote to memory of 2632	2108	chrome.exe	36
PID 2108 wrote to memory of 2632	2108	chrome.exe	36
PID 2108 wrote to memory of 2632	2108	chrome.exe	36
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 1692	2108	chrome.exe	38
PID 2108 wrote to memory of 2364	2108	chrome.exe	39
PID 2108 wrote to memory of 2364	2108	chrome.exe	39
PID 2108 wrote to memory of 2364	2108	chrome.exe	39
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40
PID 2108 wrote to memory of 1552	2108	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1DMMujrAVJiEDlzeZDtnSs3SX8mp_3JBh%26export%3Ddownload%26authuser%3D0&data=05%7C02%7Cradicacion.entrada%40adres.gov.co%7Caf084811c2714df2917208dcbc6bfc1d%7C806240d03ba34102984c4f5d6f1b3bc4%7C0%7C0%7C638592419199975042%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=nTqmaxO6l42BhGK%2Fb184TjEh%2FuTAMZzDdGxd6YfMXO8%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:444 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6289758,0x7fef6289768,0x7fef6289778
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:2
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3328 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1192
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1402b7688,0x1402b7698,0x1402b76a8
    3⤵
    PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3944 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3668 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2260 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2748 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3668 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3352 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3932 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1104,i,8977786565437016117,6828505276785922623,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
739eb707c36625f012cf6e9e01df584b

SHA1
547d3fc30b39956a78df7a7456f6b0696839a56c

SHA256
5fdfd8c859cc0455b96477179e3b1464e73628b864ffc8a5298d7ec118695e50

SHA512
6531aa928a5e0270b2aa3acbef2fbcb2c6e67509fee9b9d4ebe1f47e1d0b0ba939f90190e8fe787bfe5de73174639b2ee621b4df20d7997a13b25aaeda62e167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495

Filesize
472B

MD5
cf2494f3acbc540611cc1db5ff399bd8

SHA1
9c8d0d49436be710e0408f15cc4641c515301bcf

SHA256
b9392ea37b3c34790e335c949c1fb3aaace1d1828aca7b61237cd15103639d33

SHA512
c4223a69dde8614cd92f05fb653507bd7d59f032adc99daff59a6e93b36fb5a53c99964e99e8915b4b48390b78f767680a9e045f224d03ab6e9c82e503adf745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552

Filesize
471B

MD5
422606778f6d2e49a58db1bbf3c1151a

SHA1
b14a21b8e924a3683118ecbf7e24ea7fabdc8d3b

SHA256
b8db68a61414973a8df9bf4eada88200d0d8780f6b8990d1b1a481f53872266d

SHA512
76f73bdc1a19ea67b6d8bbab025546f71d704b27622d3cbf4c8e62098fb25ca0d699d53ee551abbd4cbca7ea9ca0281c6dacd06d4af217b80539df5997a79de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
19aef08f73c859dcb2f4f0a99d52878f

SHA1
7f8830967b02841e12b6598aa1c5175704ec18cb

SHA256
3b2829b04cb38548c6440b58c95e96a2e6b7aafa3a7e72569dee7677980809fa

SHA512
2b34b1295793ed274884946a6b8ca90d23ab5d1152243dbebc4e1aa595bb69d2e74f1e1cfbff8dc6dce693f80e4e0b6b79385847743658e6fe1aea2a050f63ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a1f6415c6c15426ad94c2ab93dafbe92

SHA1
4874bebd5ab58048cf22e51d4854457952e8de99

SHA256
385b280c4104cc53e4a7de7121f001add812c9ca14e5b52009fa202c69a37438

SHA512
8335a3d4728fac017f419a0acef4f3468edb40fa1af7a60ad1df7fb439793e617347782c7ead834c200d9b51a23c4bb838d29e4a5dc9c534f716ff43ac4483af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1ba3c4217fbcfd1c2c7e6ec66e66eb68

SHA1
c5b6a94309ee771f78b6d13b801c8ea9149fb58b

SHA256
7f40c0b8c9db91df0f2aee8c4869e5847dfeff2cde9c226fef825455789a4efe

SHA512
50c043cb491d6143cef19c19fcb5ef810fa6b1a16c066332b295c8788cf26416a624faf2fba123709f17580a8eb4c0f04012224c4b1606992c3abdf5f3b3fb7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495

Filesize
398B

MD5
741aeb99433b91b55b16218b8743cb0a

SHA1
b190fd6af0282e14d5bf7fcceec0ec60490e8265

SHA256
2e93a2a1271e2fa31079b3ecc9a89de78f25be2a8e6596fec632561fd8974c39

SHA512
e16d7f13851e03dbe9aaccf98ffad0b6ed2f7e95446d18bafc5104c5a2610ba30372feb43d882f216e0a60b42cfa9d5e72aa386f581685e35eec7c2f92c86d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bdbcecdc14e8382c83c867940f69be7

SHA1
fe713f3c5efa82701f11d4de4f1340ac13fea837

SHA256
f185c6c895037ac10df1d15af1acc5af8dc35ad2a995529e1516363f59002118

SHA512
758a5fc2fdb53e91034e09c4b58c8b36be6cd566929cbc8a6d2301b5a38a19211f660feb34c2dacbb3e5adfa1fa5629c0c43307e88d18eacaf124da7e482fb6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
033584d50d3bb1f9b694a95c555be15a

SHA1
b0efa2b3e115d44763e093142bb56eb136620c0d

SHA256
5365907ef2d7c9c0507495b6dd1bfc4eada8b01d34770960e13974b132883eae

SHA512
5c615e3b2b9177a04c30908a7d635f1525cde96797fd19c8737ff9eaf5cc1f11772c62414ae821ca0a9492d85c70c260823118c856295459797b439c3e2410a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eca97565e416ac279738fcb0e30a75a6

SHA1
dfe817a952c7d8403761991759a05b9becb3c647

SHA256
8b81e22af9296aa704098b91fd0c760e3fe8a19676c3c096de3efabf75d7ac53

SHA512
244f365ccbe6bfa1ac72d093f57e938282229de071e03d6aed274888c07ab72f7e57b71c5e74f19f43fa4119bdc2746d1d4b5b3b77c4b82080d76ee60ff12826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99d239fc59e991210338553b1c8cf3bd

SHA1
d35a9cc6cfdf5ec294ba5b6f3f8ebe1eefbc767a

SHA256
08f6eb1f00859063146cb03472185c082dbbdf5a6f86b044315cfd02a9b533b6

SHA512
ab8145f7714519ec867a42f621532404f599f39aedacd2146a90444e93fbcbd423ccf728baec999246b638f5819a3156d3f167a0b6cb32c6702e3d6bfc4d9cf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e03ae4e48b76cf3717d172b3620efae5

SHA1
479ae931da9963426eff1f081ec4fae228c5c832

SHA256
8abfea4a895e6575d31c5fda6c5c3ec218edb45f8d5e62862b0fb8a7e2ed6fbf

SHA512
5dcf1489e1b1c5bb7fcc6a37392862d86fbf1d901c4e772ad85ef36e399d037b4ed9851972f8ec7a1e41c05eae7b587d6342a17df51b3b59438a24cbb25b25d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53f9114c89ab34bedacd918ef73161cd

SHA1
a05098dbdd91152da26871e5fc35bb66ba5c2110

SHA256
f1526d772c2061346c9bb74181996b8b1815bd6c2f628df4e4fa77a77426d8e7

SHA512
bb2c45db19058efa956098d06882560881648aa3c04de345d531ad1113fa78a9a457e70b3eb146053f579439a19a4aeaf9e9e18f90960b56ac10e1c7568c1e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af0285de3f23f05c1e69992cbb923cc4

SHA1
c95412e5fdfe1a6a5052a83e4114cda1418b1e16

SHA256
60e16bc4febfe66da16aab1b1e4e6195cb136d21cc27699a7ca37f665094650f

SHA512
3ad2f10e48ea9be50c24d682e33b7ddedf4ba0dafd52f374c0c6a103fd913a74a1dac22e766498d0edd58d67c75e72ee1b6dd518c9c80b99b029f18a04bb3c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb14b7cbc7a7ba9b5190a60184c6c821

SHA1
9a842e94505ee1a01d031d1be5d376b6952cd4b2

SHA256
9cea1fcd12c01463424d4052d63e2ccf399f245ca8216d20f1b0f88477f81224

SHA512
0448049412684eab33b065ce89206cee633e7f0ef9e633f347ecc80be08ae0e7ad4b9b1766bd96d0d6fc383d75171fba0c2c9d9e3c24d3ba84d9ff00702e7071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a5229e46f8c528e23d26ff50aaa6b60

SHA1
b24424a07496387863ff03db49ad44fb85e1263b

SHA256
db0658929bc8b22b57846297689eb2d9ea3bcd79faf518b87781feb77e254604

SHA512
8245285c7941d1d7d0c4d9947b9c34aa988604c29e2531d032ca173d56e66e75ea3dfa30e76ee7e43d8f6e667e1d44d9f2d22513a2c51f364a488ff22893e7f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa922728f20560b46476a8818468f9a6

SHA1
db4cf79b215cfb9f88cdf90c60c9008718d36f91

SHA256
90a5188b44335e5cf441dcbb213f99fa5842bd488c88d89f6dd3570ab027900f

SHA512
94d6218065c7db5dd84e75882d9ce8f24d71c2237e16c9bd98ea7c74c5e9ac27fb6d0acc0001e53e03c0ccaa452f7ecc8a90b2815b3db313d78c1093d6270411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dca97f75046cd08152c266841d87ed24

SHA1
87b939776ee55d99a2cd3a3837cb1bf3d62ae85f

SHA256
acfdc235498e60ab3432821643db9971d6df9fe19c3e8151e0d2f73c069296ed

SHA512
9eb9111e2abb9482e65e17ae2685edefc94131aa3324041a04c7fd2c72e1590a074f5d0737f2009e78ce93cfef104b6819aad23fc657da951e0b81c8a87a6c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0652b6287811e18cc434f9212101416

SHA1
448601a4f7f12cb0bf7fb29e33a8c4df0d39c23a

SHA256
ee048680cc739cef36cdbb9b996c0b156e9d1eb89215d412a5b0b8a7d79b6e2d

SHA512
f8442a2e45605ad8746abad7d2f07a84896f91cb0b446f667630a7c845b044b70919dcbac0479951a84768e02f3b44cb02c7698b01257c4a115ee48b450412bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f17e573edf3ecff16dd03d03e2c7c1b

SHA1
5ee316cb8f05f2b693d34e4d9cf440c2cec10696

SHA256
612be07b0c5529ba1a9c52c5bcc2282085c5568797465c409686d50afad22cb9

SHA512
3d1198d7c05dcbfc127a0a8e76aef83bf45177f463a548dad2eba7678bbee2d8bfc373d5872bb2e68dd87e1da07a0080532f471019d5bf25862e480bbced9689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e372bfada6ef77860409b80ffe74f4d9

SHA1
aa5ec622ab5168ae688e0105a7f69b9fbf7cfcb3

SHA256
980f86c7e4f90bda55edd1888d6051650e99f9569b384f757baea1e71dda0934

SHA512
f3c0e48fddc9a810a9c47d7982414b854a32a777d7ed9d53a111cb72df9a8ba0220d70b1f942156f621147642a127048382a83ae6001abd20ef8ba814e2296c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22db79e78ffa8fd11052e7661807350a

SHA1
e2f5a9786118b300c1b705aa3250f082ba4a0489

SHA256
09cc89d8313d6b98f27a597142f7534a837106918786fc22b34f6fd4b206c29f

SHA512
d859b56af874be7522551606c564ad3d129b3578c843d07f1c25cf4bf68d42ffdc80c0166d000c2ea8df06afb7feff37e3689b81c00ddfd0e07d523bdbe87d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db733f00f63845ceb0840c9e9ec4d407

SHA1
c6711e49582cd6eaf7e16149b6304272fe26a7d8

SHA256
b6028440e39097c38fb1e8baf62f1a7a5bb2e6aeb1204d59198eb74eff70bc27

SHA512
34da593e22fa3b0a210a270ae083690d6eff8fe2ea22e53922317d0de3b309272b00819612627c55416af464fd0ff5187c87ca0716eb46bea2dad672c6e9493e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cac59b8d58b025d269e13f5d52afa0d

SHA1
fb61e3e0d096251689a50012479ea10722faf37d

SHA256
ea7e195d4a2a27e2d903ee860b6cf6b1a6801cc3567700fe346e6812171eb2ea

SHA512
c64a0073b374098c902446246acaf3da053647162f1e9f3a45e28ae60f06db490825efacf3a97b3bb605aaef55455fbb772c336ebae189b6f5d70cfc5fa68391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67331f6a7d856f6f2450a3955f5bc31f

SHA1
5b499e1a38a332dd4b1db99d7eb100269e0b2e5e

SHA256
b623377ae2a2d6dac395cd30067fb6f4795c5658d2e56ca2a7ff1c7e25e9b7a1

SHA512
1b92e87299790e3b97cd2abd54004fa49b7d8d897587aa5fd9fa8260fd37e0c84cf58a85f21ed317f2200008422df1fcd31bd82bb6691476064526bbd3598412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f58c26eb72bdeb658d838160b8bfcc7c

SHA1
5a1438da21dbd105a9c304816aeda3be18f6e765

SHA256
88a2524bdd5be471bf86376761f7291363ad4fa0c34608296e10c9c93a881fd6

SHA512
4ffa82cda72278dbc089812858ba184aa1da07cbb7ae4a7341de424c7682b1e761557aae90ee55b9da01c1df8a0fb5b912cafc940802518a02fc7510a8a741a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39ac587ed9b2e7d5aaef9070a7abfb3

SHA1
30fa1e5acd0cc0d4ddd86e7571c4597de4735ce4

SHA256
7603b45bda54f8d6529aa6961b739a487e75914f7ece4a1010c01a5c1cad2839

SHA512
7082214c3c5d62fb08f73a09173f93dfd6abea84dd3a8dbdf5af2202a110e5a6ace43919958a4392290fe7105c535aab4f07063dc9100648cd175f5e754b78ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552

Filesize
406B

MD5
417df943c33323af83036ab518fd5cc3

SHA1
4165dc17a27ed1944f5cf59d04989d6fbef2f648

SHA256
44d3f13f11f0c7f1a93d9ed68a844caafdc138eb1c65b4d74a1ad2792e073100

SHA512
f161fd180523bee71618c78c903f2a00d8a779158ac388452e6881817dca85d9f2dfb928ea91b015a01e7beab9933191a7dda7f441f43c7b869c4ed14c5ee046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b859b2a88fa3797ccc7e6d5cccd09d67

SHA1
dafc5acbd1596d437ce249ab027e612e26044b59

SHA256
6891aea2b3f380cc95c93fd27ab6ff83b7c64aeb825fcc7ef95c165716fc25e4

SHA512
91f6f2bf6f128045036acd3303443cc2f1f8f2667f7e8d6d2e2f9268f2f472735f9b331b1577c3439e73b87901bfca6578f60be1217e20dc73064dfc170ca4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6002f05d-c73e-4023-a743-42c52d2444d6.tmp

Filesize
6KB

MD5
f713ee2360c19f2eaf15cce148be66cc

SHA1
5ded284eb1085c477479699fb7234e5ba48a236c

SHA256
4c0e1ba245417f028f29cdb1e0aefc5677ea4ee3343d522a1beab38e492beed1

SHA512
4d5c480beb2cbddbca189f0dd1aeb496cf6ea12f3d93e829037402b1dd2bed024c830d2197db66e3c2377767a79877090e7fcd5dc6e59630a883fede23203928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a6ec40a9a0140175fe43794d96fc08ff

SHA1
0221a3e1f6f19f2adc12c34256ff6c3a66211c77

SHA256
fde10c56f22504097992be069919023c7106b53fb353f8e162da27b47c8bd3c4

SHA512
7bc860283bc477ce7b0fd7126767d72669c1a4cb413af1032dfd68148b8b432359ae2ee632b42b7c2db663149a87f4c66b409759c5e77242d0a61aefe8a07103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
44d737f1c21857203d0d150cdb28877b

SHA1
9444f0dd5859f88acbb1b63661bd409163e58a3f

SHA256
fda2bd7d089a1445ec1dbed1c4e1e1a0925a589592753c7b794f387e1c3ea34f

SHA512
3f1cd31408da8e3d4330144508f0b38396b9e9794191afbac621fcb27911e63a93c1dd3741fd4504ccb3f870a3184d56a7942ac8a3c06c1043ab2204a3e7795c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
8d173374546ccc213443758e0e8c9c0a

SHA1
5299a49be46de787823770f70eaa72f6124ae528

SHA256
a890a3e0567d5df9f581c4cd1636b2eb850e11912336781e21358024a0d6ce28

SHA512
261758b8da5c8ed04668438c4a531cd555517f29fe046a3fbb0c4c7f854a37bc2d676c1d7fc1581a886440e030d018e229cfe6f06e6c384a4f9fb213ac0ad739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d090d03e662b2c74a80cbad78752596e

SHA1
a1b6ced36d2bea8c1b78dc3d095bdebb4c1f4f79

SHA256
2419610236af1f5faa8006a1b5e1e303f90795c80eef9acd459f4fe4850ce7f4

SHA512
ae5638aa6e96f55e24460f0bd29f4ac6a26f22419f3cbfda0c2a836c7ed7283aff69bfa73e295d500c05064fef11867a612db4695e72411f58f647e315a8bada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4bf3e324209f19811a4921e3ae18c715

SHA1
2d7ca92d776c4e5591af496383875994db99597e

SHA256
96c7d7f331a357498a6eb767a6a774527100adb0f1ad5a4339e6b9f538252147

SHA512
97d104520e3392edc127dd987760d5efafa97ed8d57769e85977aefdf16ab7b12330e4c5a824a74a8a2e6a9419719f9542336c12a45b0bfa1ad54faac84e273b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf780aca.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
caac0b420f7835e05c25325810b7ae44

SHA1
5a91eb813415f94b5c981fd3d6404e64dbcc9a9d

SHA256
ec3fafb2cc526e948fafb2d3e876a57f77b4069b1314eb3e73618c9b53452c18

SHA512
6a7be9689cad781a0e3ca14082515e8dcd3d7f1e37c6a784a2ed1caa1fa848d7512c0e833a8c875a501ba5261f78cf226b10b9fdef1af488f046b248f454d5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
1KB

MD5
ab8acc5dc9d8d62873ad0c079f8226c6

SHA1
e2024914a8b26f9f0ef9cc68ddd407ae54ae7e11

SHA256
ff638907d538e08bcb16b756384b97fae173db1ac137c0dd70c0d828d5175def

SHA512
1829d92850fd7298328aed3805b37f10456243f1df73c12a10da4597ffd7154977a5ca30b619eff2ce550ea1757798b76e585df59c56971e5af7b4ede42cca95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\URGENTE%20requiere%20POR%20SEGUNDA%20VEZ%20Respuesta%20al%20oficio%20No.111%20RD%20Rad.%202013-656[1].REV

Filesize
1.2MB

MD5
e8a7e910aec12a584bcfe6925be20efe

SHA1
59f5c8dace1da214bc8e6086b21a6bbfeb114449

SHA256
0e559172d232f5fd5fe97331941cc210ed8de9d7ca09636514f536fd1797c69d

SHA512
1a4d7802ca16b191fc1571fafd79f2f96a5dc7e8987c554046a544c99c45f4703dabf78efbad3257ae5be0d07ff538fceb3251c0b0306f5631534dfe3d4d5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab737C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar737F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2EBA3874-0A0E-4A4E-8633-857E778792A7}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2080-161-0x000000006ABF1000-0x000000006ABF2000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x000000007357D000-0x0000000073588000-memory.dmp

Filesize
44KB

Download
memory/2080-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download