a18171d66534ead792d677eeb6165e2a33b31ad6d9e9cd4c42b429f9308c18b5

Analysis

max time kernel
125s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BridgewChoiicesFabulousOffice+.doc
Size

25KB
MD5

9780508a612fb10cf8ee8fcedf73c2dd
SHA1

3dadb0c8e14cb523e5b09e62e3c6660644c976c9
SHA256

a18171d66534ead792d677eeb6165e2a33b31ad6d9e9cd4c42b429f9308c18b5
SHA512

0b4f7447eac26e9522cbbae30402f18377c3a3c470210ac584a1a2a01e6213383611df925fd601f916268608cf5ff3f373e7fa2f121e89b66adf0442be75bb0a
SSDEEP

384:L0CL3oiiSJPw+QD191pz1VtPxOri36r2nnlN2:LDK+kVRjpos0glN

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431406421"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000eaec93e8c4134989700a73d299eb19276939b17d15ac96c0adf590f5a116f56b000000000e800000000200002000000002602bde288b3679f765a1699b9f699d94c926ff02e4ba47eefcd0b238336f8f200000003a3701502a501826219ede8438dfd11d721bce5f2c05c0cff3d3df471f23b3284000000065a5bbae9c96cf2d2cd1efcda781c00b3eeac6b68ab0415f2da598bc8f26405369fe78919ee506712657a72ddf04ccc0079cad69f26c0094520422925ef7211c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902c82e8e0fcda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{136E2DF1-68D4-11EF-93C1-E2BC28E7E786} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd0000000002000000000010660000000100002000000027da4be4ebf648c301b9523a88c2b656b03c5bcbc69c4f9637f3d21fba26c02f000000000e80000000020000200000008b6863efa81c8acfa482783a8da152d1ad04ab5e5b9d7dd24b7d1248fd9f7efb9000000035018caadcdce950375fe23652b62d6534eacb16ab7d68f96c9080bba722939d6c6597910d2c8fdf0b63bc625a7dd25e5af55cf17103ff3b900e3353a442eb07271d7032d5b45ad485f48163acd83ff5fd0539e550ff8e1e103e2f9e8df5574777cb15265c8630362c5a050fabd1afea32fea0716f571d9e2a1ddbf28e837284dcca2c2617abe785f1f96fa3d1e45b03400000004e7001892830167c6c0acf35a58e5e780734e1c21dd7ae777d6b1e1ebefb791218c2e3a9f75f7d297b84cbb7bebaaa501a13a91c76763345f5f2f395f173bc80	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2292	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: 33	1968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1968	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2124	iexplore.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2292	WINWORD.EXE
2292	WINWORD.EXE
2124	iexplore.exe
2124	iexplore.exe
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2612	2292	WINWORD.EXE	30
PID 2292 wrote to memory of 2612	2292	WINWORD.EXE	30
PID 2292 wrote to memory of 2612	2292	WINWORD.EXE	30
PID 2292 wrote to memory of 2612	2292	WINWORD.EXE	30
PID 2292 wrote to memory of 2124	2292	WINWORD.EXE	32
PID 2292 wrote to memory of 2124	2292	WINWORD.EXE	32
PID 2292 wrote to memory of 2124	2292	WINWORD.EXE	32
PID 2292 wrote to memory of 2124	2292	WINWORD.EXE	32
PID 2124 wrote to memory of 2492	2124	iexplore.exe	33
PID 2124 wrote to memory of 2492	2124	iexplore.exe	33
PID 2124 wrote to memory of 2492	2124	iexplore.exe	33
PID 2124 wrote to memory of 2492	2124	iexplore.exe	33
PID 2832 wrote to memory of 1328	2832	chrome.exe	36
PID 2832 wrote to memory of 1328	2832	chrome.exe	36
PID 2832 wrote to memory of 1328	2832	chrome.exe	36
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1684	2832	chrome.exe	38
PID 2832 wrote to memory of 1480	2832	chrome.exe	39
PID 2832 wrote to memory of 1480	2832	chrome.exe	39
PID 2832 wrote to memory of 1480	2832	chrome.exe	39
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40
PID 2832 wrote to memory of 944	2832	chrome.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BridgewChoiicesFabulousOffice+.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2612
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://support.google.com/drive/answer/6283888
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f09758,0x7fef5f09768,0x7fef5f09778
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:2
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:2
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1304 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3980 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4128 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1388,i,6645882638981828932,9170934819484440444,131072 /prefetch:8
  2⤵
  PID:524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2904

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d2a124c2835e5ff60d6f0edcb0d176f4

SHA1
7e9dace129b5978295df964c2e14d18305937f46

SHA256
6be0746f4a7581de78ef0e2e09622347d8a9a532ad535fa566c50b1a45195cd9

SHA512
0090326394552f0d30b575a32754d37ccf4c12a90e5bb6c7213a11d7078bcfbe7c1ec070a7ba0700013cc8f843191de17581658d8fa6d5f17fa66f180bdfd4e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_727931D1726A0A03C5F11524A07EE177

Filesize
472B

MD5
13a0b3087b2cdad637a1530765944caf

SHA1
1fe7d53d5307b28b9ba805e7098345075d5172c6

SHA256
2bca0d22640349c90aed454e1baead9cbc2e597f6279cd29c5d88571b77183e4

SHA512
6da076ac95d19a3cf32423494c42be7c30da2bcb5ff4c5c3be2d02ff6cd757d09ebcc22cc59b1975e93445c6bca3726b01d7d8d7e48c77d31643964e05fe9e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_E78AF556B931B27E99E310A416718F29

Filesize
471B

MD5
81b8bb56b44387bd7fe7e10c4bc09007

SHA1
a05cb65c165557e9a04c579322919ec3989782cc

SHA256
78a71bf84f349b06e23afc42c9659b6dc6a453139b8d16e900ff2902cde60526

SHA512
fc7afa5ddb10c574c963def97effd93ae6987f2840374ed33aaeb37257d4b8ef03a4758d6cbe70ce9a6dd15e83c8604d205df41cdccc42a74c59cabe48c5a72f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\818D529ACB6118B88BB160DCAB65E61E_AFF2F844E921D8F89B002F1558D84424

Filesize
471B

MD5
ca56bf5d7b1a44f53de7eaa8ec9b53ba

SHA1
54636afa31174d0bff750260c22bf28a26e29f2b

SHA256
55dd43a1fe7680d9e49bf73f9c0282676b3ab06b03f176facee2106acd9e0659

SHA512
b8251fa259ceb734e0a620da80886d934c605bad61ef4f934f11a5290340bed8c62f3689d07d516103da6634dc58d1d0556b08a1e56049fcf31b3f53c4304f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_B86A9C8A9152AF29FC2845A9534B1470

Filesize
472B

MD5
097c3ea2b6eb546f46fa12498a0a411a

SHA1
341a08a18ee7e9e92fc443d240aced248440ed6d

SHA256
7aa6a1ec1dd243d0abd79f73ca458c18e2632b48abbbb6e0836b45ea939e50d5

SHA512
7149109c3eb9a167011382dbda9b6a736afb97aa9f5c5416bd15ceadd2ef51f41f5ffc12cee4178d85c7dce6a5efea042569090743dd0879f3fa407c64903e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_F9CEB317B432F7A99879BBBA2E4E0F4A

Filesize
472B

MD5
62b8d2d253425d355354bcae2f0d5905

SHA1
6d6bc75c12f013a877f24a8f45152a3def7b4c6d

SHA256
90eeafea7b155bd62f83b84b4e5a77ea3256640cf5fea0d2b6461a9073a7ada5

SHA512
b4a5a2309333df0d19c122e1ec5eb493abfaaad5855cdcd152f8b6ae23898a1b5227281b9467db014cae2c07c323421da732df6ea236d4e183ef064a5bf4d995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
f2db1e74ab87cb0c58cbdc13188bba7d

SHA1
a5c56626826655a2f8a82b7281259d569a338ac8

SHA256
fa45cc13a7b14d9da700ff150b84c87f385f4e62ded566f27b6d1aa32f3a2765

SHA512
3e88e6a7fdaa4c305dff84549a431802a03044102a0e0996de66e7f757854da211b6df3835c68c0d18fb4a937ceda23356da640863c6b8575d28209efb7acf52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
af8339b41e368f075df84ae3f1be698e

SHA1
0a501f574fce0c8cb5c624c98958ab28f3d2b211

SHA256
62e722c4c6b8e82894b5ce523256f77d57b8344f88ea79e011da9efaf052de2b

SHA512
1a916a11243a332499a77047913bd5228afb7013833e24c6542881c37320d243996c643f247a6ca733c75c74d08ead7f4658418dc0c06a484bfe652da555d724

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
257a20d65c2454b868745cfcf4b05236

SHA1
c70ac685961e9c141e6d7c43ce344b11df0a6306

SHA256
0cdb147c10ccfd8fdfd627a74cdc0887bffece01e4eae84cddd9751a58d0fb2e

SHA512
4b573387b5be9ec3131086190bc76a21f76fa86929ac2b831e42526233328271d4894716c5acb278dc235042df5603c1818021b8cad0b8c615c8a3339ea7ea9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_727931D1726A0A03C5F11524A07EE177

Filesize
398B

MD5
9a3ee8893ac2389e70c9c137edeaa281

SHA1
77bbf3724acadd6f83a6750832db6e0114aa9ba4

SHA256
178371c58302255937417d1040d595c0308ad947debf99115386f4b5ef87cd9e

SHA512
cad2106900aaaf23d8eaf4a555aa5bfa58aad05b5a249dcee48b2564f2316eb8a4fe7ab33f245304b490a6b6a55585d952c2b26a875191df8a9ef4dd488d89c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_E78AF556B931B27E99E310A416718F29

Filesize
402B

MD5
3eff6820594771bb543a03f4d182e54b

SHA1
03c4d551cc94cf20a12d1513676e59f940811c8b

SHA256
9a69615fbfcc67fb80a1861fececf67947118364a12b5ed564e96369a556148c

SHA512
3ebdc424acaefb95332c4d9ce8437da3a808fdb0e1f4f3cc489c48e72ba06334f95eb75b65528017b48dbeef8935a90b099e03e475766cfb65cfb021415ed364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\818D529ACB6118B88BB160DCAB65E61E_AFF2F844E921D8F89B002F1558D84424

Filesize
422B

MD5
3fca7ab0333d9b311bee021b9ece2058

SHA1
9f0c593a83036a3d557b738313451546b0640660

SHA256
54d579fd628a2fca2f9ce35e386592f854d7d97cce9834d8ab6cc087d3844ded

SHA512
621dfbe6e70ff38a79045b3ef6bee9b3673603af78d9b8947b26ca9a88dd050954548e98cd61c0a04ac56bc33f1c1f1b8027a9e93edc23dea3a012338d028bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a2e553f6956e31ab047c85dd7e021f2

SHA1
5256cd14c7b4235cb8e9ec4bcc647d264fef2bd8

SHA256
17a3af045c797e3b8307c63f4b7803f599df78c29856c3e11187ffb5440b7c50

SHA512
6199d988bd08af9e4151fb4346c5c97bc9ef15f5edccafdc90b463a0a1ed9c21f2392b35cfa589a9844ab637e6f39b8cc97260b5478ab49318f4571f50da0a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f6f9649af25ec5a481b3b3597f4705c

SHA1
8e353d5e574cb68b7810bf49b01e582ecb76640b

SHA256
827e09ff1be76a13c78ca4629561f0bd78da1f7d8c6ff5aedb96ca4180a1666a

SHA512
27933f2ed96f06d522fefda4ab02c01137eed7e3ee53f8d3670a5489e9f24f265d074b29a7fd4bba6d030d663540a72d118982380fe0c8a3de524acb79e3e480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f84212de14fd94010f6b6727eca169eb

SHA1
83203142bdcfbf6a960a645f7b8509d21b1c81d4

SHA256
2056a538deb6ca69889e71b03757ae5b216b909f9a5dd9dbf9b34258eed9b6ca

SHA512
4f50fb4b721ef7c822581781e1584b90504fd12f9e04d53108495decfb21464766c7e0053a3c283b87515c063f5b032261c46d99546a0492531571ef46693b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba9acbec3086a828ab1d9a0c9bf62f68

SHA1
847f09fe3aac20272b39064ea8d7cba89f8246b2

SHA256
543f622c0849fb5360e71f917bf6682313093f88b0610c27452ec60194b3a91e

SHA512
c90c150395a92416283e02125f128c5e230ba61fda43698d7618fad68f97059a345625018f0402264d208c8cddc52f89bd47ae8b3ee58d8c8873b031ff392f4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df2e91aa2a927b614f05eea18fafb406

SHA1
8fc7388e3b4fb6ca5accd90c20df2d76c5cab722

SHA256
458bae1641a05fde95e47ddc5913cb41182736b09be2867ce559cda7fbfd8174

SHA512
75f32712c2fa229a0199ce7a6c59e6710c74ef32369562ee8271b42283d1011e86272c467a82c319fbddf9d0d19ddce6d95ad525dac00310831efc4f86c2b269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf9031985cf8b2292fecf7cd2ff04529

SHA1
0bb7081aea010ad2046eabd71bd981a2d986678b

SHA256
2648953efe9afa76f459da1f266205e6ddadb126cf6568e734337eb752f59beb

SHA512
547dec1bbf826d42fc10ded49db240894cd41fc06470dc792242c1f9a11e9703ee0b3e55ba493a36055dab5444a956e92e3ca61dd8ace3346dfb9ea7783ebbc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c178b287c9c09ea21ada6b629707c5

SHA1
9c8392aef05bde51adeccbf028f4a55533edbe22

SHA256
7a054f3a89152745369e56dde44c36c892f5a48f64513d11085607b6129d65cb

SHA512
b996c900d15125aec37824a208939cca6ce0939aed6ba266bcf0ea367b1ceb3e188a2f3b0b0eff345db0ecbb617ffccf317f6f9ede0bcaeb7a054bae6492611e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44552bf2e44a991fbfeaa2727dc04258

SHA1
f668f2e3695b8a7bfd52cd800866541c0fe3c8ae

SHA256
3751cb941b7dde4c5647fd457d0ce2bc605ac664fc56e11b5c1c363fc6ab4754

SHA512
d99cd0345b2f304255f45e4f2e12a35654a624bf678fb354f1d32ccc22a1e197ac79a4e6b012a00189285d36208121ca403022aaf18bfafb63ae4fe50e2c5868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a105ecf5a1526b9e7178791053552e2

SHA1
11bee11e52798a758af201298c03e6280184e91a

SHA256
ce4098a5403c21f8133f31abc0e2e5e761745a78a8f7a61877028ec79584c7f8

SHA512
84c8f212e00f621c0d75fa70a0a22cac7e7f6ce58a1fc18f9063793861f6fccafa923745c9f1bd507de6aba0cb5653a113de5f8a971c3a80efa8248b6fbd9f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80364c6da9e5a0892d063514953f7928

SHA1
eaf5c73886876973e92568806f2fa35bd30dd627

SHA256
59e9e6150dfa694a7fabf3ea48e623a9688450e6e7065cabd61c1c860a4cf829

SHA512
7be0be1e532445570efad5044f066a12f9fcb809b8dc44ac6b2d647ea10d05098e855cc8954cf6712cd3dcd166ce339857288403c1f4c4342ece9b4bc0c7a3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af85a5c8a63146ec8793a07cc3c0a548

SHA1
7133a1e887263e7eb6f87db78d5dc7a3c8437a3f

SHA256
f90e5e0d9e06fae93896d265480b69dff9e349205a7ced5ee2a68bf1e52a6abc

SHA512
3e17a61ecba7cc957fbaa4a676fe871afd86ccdfea9c6df7578171668ac0fa41bf8206f192a558838c438752e584fd1b0aceb652fb0331edf5150a43ec1f4485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac598286e68f9b80a9ec584fa57e9087

SHA1
3602db2b547588bc907ba911a9e3fdc059f14974

SHA256
03f24baed168928ec8f9a955b678df066770281acbb50052f4c510a174d0b70d

SHA512
d8d094b0cde91f740c49f3cf8718ebeffb9c7c51d38f3e81337e58f4c21fec2136d49b9402ba67739eab1110179ac1427d70ca2800f018e34f162f30683758ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429b31127bcea1e3b5a0505ea13b0b7e

SHA1
57c8d93e3426e58b771c5a5e58ac922262bad3b8

SHA256
88699a74afad668fb240d1ad9bdc595fb0297ef296e5102a62b14d2383a1b06f

SHA512
90ac6314a1a71db26189765342d277f9e49eb7a2e2fd53be9c73352617675cba6eaf789864d6c7be2190b6ec1d00d1ca1801e73c8c120702fe60a6e00036741c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67fa8a24d35a0c8568c023eec70f4407

SHA1
07df2cd72566ef8cf8e9ba9640bf632da93d7c0f

SHA256
26637a1e62e84d2863a12e0b7eaf395d9324c1d05c3d2f62c163a16b0dd0f101

SHA512
68ecb4466ef955ac94bbb866ee8a95eb6f603a2ef4c655e433d1e25fbf9f985b5bfd87819eca521d84df87f7b127a84604fd670d06024461ba189d6e5750eefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edd4fa21adfec6b71d6ea44623a7cbf7

SHA1
e55aa7c2e210046da547fbf01da47eef02f147db

SHA256
181c17a575cd1c740d7982c89692ce46cdf5818b0b3d43f7867e7c01bc612e23

SHA512
a2e69579a691f9b3068463dc76b3c9e12c1a27698785ee10a4f53e261e254beab83ec4c226c24d476f59ce4af2191c07ed637433565d87edea4214bdfa849195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89e702a0d0149adae2b999d20ca75aad

SHA1
3cc7ef597d7bb412a709a515c3b030c3ab07ca30

SHA256
e9af252165e4c74c37ebd4756407317f0531b53c485bfb7475138ecba366b28a

SHA512
6af625b825d38ccce118235d5834419fbf6608be3632b00dce74429ccc9d317c19adcbc1eaf942bf68f4422cf324c30b5ae316e2e27212d8f4757b51881ec855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
230bbb77f06758c2f09f3bf10c33b671

SHA1
bc0bfcbccb6565f73dcd3b79b84666660fa29f94

SHA256
62c94639524d1dce370ae07acb99f49ac21af37abe23d5a90e436b25ec6fc9cc

SHA512
48f0288b0ead44ba0275f17245bf3d836edc2949b347a0f9abd670bbb4dd6a05c6d8beafb320d09573662882a3ab8f52c5a72a04a0d4cdffc2710319c2aebc47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c099cf13663d431ab0d8ba84f064968a

SHA1
5b02761533e1bed53eab27dbdce7adc0c7945ab8

SHA256
c66e4472b4b2d886bbda5238033e07fbf27e32cad94a90d735db6f8880b73b7a

SHA512
34707dfa298921b7fd321f6bcdf29ef704c15cf177bbe5496691d7e833d5fbe793d6c9cd8e260ca03df74fa3d0aca45add4ccdae51ec8077e7a437c816f826c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821fe04e373530bd662fb2c1c12220ac

SHA1
36682cba8e5b72a3f3934d5fab33daa199e0c33d

SHA256
8307d8b84e6c21b86fbcd61057b8a66db2e4e26605951667d223c48072a92242

SHA512
8a156225e6f2bce03d300f89474418ac495761327cf6cd74dc622d150469f72b746b202812ed0e558f9bfb028a6af9041a156f6406835f7c20714e4a75396e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4aff67f8e2d2011a07a47256621031f

SHA1
f011574bf4bfb33a1fab804820f09861b82bb314

SHA256
c5f9f1d8aa5a879a32de03d2d747189d8b9b4f367382550005bd09a14b681548

SHA512
dc8b8a8ba66bf523a7fd083538f24631e9508cd676bee7458d3a8078c155b34d5c8b4bcf36101f712401a48d86b8ea5c920c5efd43ec96d4220387d529fdbeae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_B86A9C8A9152AF29FC2845A9534B1470

Filesize
398B

MD5
f89c109aa818a87807a87c6c924d8174

SHA1
d326b504b48309c6acedd76f62823647b4a965fd

SHA256
d1db210256ab2a68367b74b0ab664e2cfdbaa35c7e6b990e9a80a338760ae97f

SHA512
1cdcab3c75778d69bb3878d861313b1b8e7f6a3b2491e6a80c5e69d81635ca4edbf45bdf7a42c31a75630fe636de63f8d384d90bec5659dad6f5ced229ecd974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_F9CEB317B432F7A99879BBBA2E4E0F4A

Filesize
398B

MD5
aec94f12829cce2b53350c91d27434dd

SHA1
1b338d7f6a2d5236dfd664837e4ae5604ab077ca

SHA256
20398264c3b12cc1145d961edc8366c9ad5f9a586dd1399aff70d61926b9909e

SHA512
394203bf5151e2ccebd7cbfc21014fa70fda026823dcecf67a52f08c67e1df15dfe23c336de73d57a748fa792d5d8f7063cd2fa8a0b383305c61948d89a550ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
43ac667d95eab93c63854ea3f921c1e4

SHA1
d9fbbb7fdf935f2b64e2c7856cbc17541674aa2a

SHA256
5e9eb5f03f3b2691ec15f6d845a6348031b94d7c5c2354a43f48caaeccf1af93

SHA512
e2a5bf8754718ae332b4d2446bf8eac148ef5016b910e9ee5752dfb2d899888d10f7a0648fdbb38853903bdef45b47b539d21ddbc46a005b54b8f1314a9d2bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\681fd24c-55ae-4662-8204-f6894a34dd37.tmp

Filesize
321KB

MD5
adb054cd8ab9e28169a9338f681edffb

SHA1
0843976a1864391cc5f97e1975101eeeba4af2dc

SHA256
1656ddaa3255fcf2dd7d54890bf27d6a96336d851e689f4dab866fbd0062d040

SHA512
361574e4afe77480daa1d2bf3949fa2c8b835c6c356d3c4029036413fcebc610694ff09a7cadba69c50e63b557dd1313b92ee262839ec9b15e9a49b62fb1bbba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c142038f7c7c15b889aa0e490947e11d

SHA1
81d3f1372a4d2a9b6fb343a4e0d2b7b6c1cc54b8

SHA256
45ff7eb048e748b520e1f9221aeabd79b36ad30cb540c9dfc72066a738109404

SHA512
a2d72285a720d637350ec4e3caf6a10edeab06eee79be6c0b39a431d642ce2ebc36d65eeb7fd36eb60ba778fb1d9048eb28ea5484b0721de9a82a90176dfb67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
85ef17cc0df8870911c9b0feaeb918f9

SHA1
f5485bc8f0e42ab9d9a120e1157f9628a3749b6e

SHA256
16a2ef1d51cedccee0b685a9654d08c6f5ef0e308482b73f33d134e87f5435d9

SHA512
83fd7750245ab03c85383b968be1544fab5164b153c62ed52b72d7c9dee00da0598a6d28407291b7903d143b90cac35eea645e97ee6ed449d413d5098360acd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
321KB

MD5
f11a093a5610c1fa12f33a94d4e7384c

SHA1
b1e856bfad5d155cb1f966a619724812c6e7b201

SHA256
434869cdbf2926972e991f1379b552dc97c8e6690d85473c6c409f87dc753bbe

SHA512
4872c46274b446336a43e55e34fc63fb8f9c84bcf069daaef185b1330f9061c0272152beeb70539bc87a2d12baf769e4c65c452a6a20c282d33120a9d356ad82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\n4uupnw\imagestore.dat

Filesize
5KB

MD5
b997574865f9e2324b0448ecdd85ffc9

SHA1
52ff269bc905e03675a1d794c830c479e388689f

SHA256
4e18b170641fadb8e8ddf637bdcdcea1b548183f5b0cad496dd6d32cb7f74170

SHA512
046675db2745987c1e05847f606a238c30451d6b6d82471fef42e4581a6da8e1fd3ea2bfa2f5448f449910b6d8f2d5666d50291a5cd3724ef86d4295caab375f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XY2E4O3P\favicon[2].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\6283888[1].htm

Filesize
1.2MB

MD5
c6398ea2fe76f5db495acbfbf3411494

SHA1
65793779ba2810b8a21315c9fd95468d36ee0511

SHA256
6fd7eaeaf6c42f2b857ce12ab6e9df6fb5535bc1a2dfab9123e4624eb3e71cb7

SHA512
05a19cb494ee6164312f16fbac8e3c19cd706bcde5707e4538451f6fbf3cf54ad3ecf9b919f5ad352b6704c243bb7b44cd463b9948450502485f8b8d73511aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1BD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
03b54cd49afcbe4acd6fd00c3cbb4b5e

SHA1
4da6531ac01f5df468ae663f696d46deb378faf7

SHA256
1a837cf84f410502b84a1c37486ab64922338305f6107f971b6df6a30681c8df

SHA512
1eaa0c3cf9ce10cd45e9bd39574dbf89190c7dddaefc4195e0b565d2500053fc9a7beffa78bdb8a625af95b6180ff28dce76023a71c5e94e6aaa8252f8116ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CG0CCFPP.txt

Filesize
238B

MD5
4b01823d9c56c2eb63f8a10efd1b1653

SHA1
4892c93684086fcec98994c63b0d0138a7b10b34

SHA256
200fde7dc321d08e3e56dbf02e8069a5f9f1906e13d93e213d6ded578934caf7

SHA512
29cf48ec36b9af441f89a226178bdb85444d50f216ccee3cd3fd850917adf63ec4dcb32e47a187779890f95c1cfa9ba4d787ab39d6d64d7fad1d49604b54d9b9

Download Submit
memory/2292-920-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/2292-919-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2292-0-0x000000002F6A1000-0x000000002F6A2000-memory.dmp

Filesize
4KB

Download
memory/2292-19-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/2292-2-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/2292-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download