107303e82acc31cdd39920feb402e51744237c92a4a6620dbb5c3f36cb1c274f

Analysis

max time kernel
146s
max time network
181s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f2ed0a44bfe66ef53582a3cc55e4417.docm
Size

207KB
MD5

1f2ed0a44bfe66ef53582a3cc55e4417
SHA1

8ce71a8bd2933924fd840777711a34154e4c040d
SHA256

107303e82acc31cdd39920feb402e51744237c92a4a6620dbb5c3f36cb1c274f
SHA512

cbc8e5971306f890a193bac344f8a7adb504b1b2d5e5ea2aad5aad3b9ade29e253b60ffd7b207b6b785869744b7b894bd2c0c94c758912bece09a6d455c70749
SSDEEP

6144:uTxHzHVzJky3eEGVdajJ66tAhUJOO3NZ7xsego:uRbrkyuEGfMuhU7rN5

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\Total = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54022931-6AB5-11ED-84FB-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375921233"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbbf950a87f0364c9a52ac9ca8d98856000000000200000000001066000000010000200000008fa714ec2c6dabf46fc489005c71014ded481f5966596fac413af4042929da91000000000e8000000002000020000000bb7d184eb6e6225b6e60920ebcec8e902d533ba3fffb22a9d4bb02049806511f2000000049bde9a009eb79680cfb502b15892a5d756f8a809bb5c6e1cfb847d501a77021400000005b73eec22545509be7e9ef2d7de14405f4ac4b837d340010826d90a840fa89766f764d9fac8ce93973d8951d629dc6718fe10cc9fb143f68613c049399f49016	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbbf950a87f0364c9a52ac9ca8d9885600000000020000000000106600000001000020000000964d1dc075d10ee153ca27448f3c3b57f6ccad401c2de9d52546d3bf515b4eba000000000e8000000002000020000000705a4fb2fb4028f1ac8e13506debd0103f0181a0da6970c0bf253ddf9e7363cf900000006d75b8765c117882e320fe8ba6783ff6414bade9e032d20914608d9db2991597a103576e45fc39acb261580a69e5897bed55d9d0130a4758fb7454d1f66b2b2b95946f1834e93a2f9f8bffcc5cc054d93991f3195bb0f4d75c954e93f80a35404f56c27e8c56e0fdda0865141c82117cdf55c095866e75ba6a94d91e45ad8a26f85f5975995898e973bd7448399f347b4000000016a74c624bb1b984f9497246e8d8c27b50c6202b1985689fce909ac41862af26ce7038c5cd3d835147537436464354c4fa98c2793a1c2aa142c75e8b8245a449	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f084864ac2fed801	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\ = "18"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\TypeLib\{53E527DF-5241-4611-9F4D-9FA005949996}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1092 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1900 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXE

pid process

1092 WINWORD.EXE
1092 WINWORD.EXE
1900 iexplore.exe
1900 iexplore.exe
576 IEXPLORE.EXE
576 IEXPLORE.EXE
576 IEXPLORE.EXE
576 IEXPLORE.EXE

pid	process
1092	WINWORD.EXE

pid	process
1900	iexplore.exe

pid	process
1092	WINWORD.EXE
1092	WINWORD.EXE
1900	iexplore.exe
1900	iexplore.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEiexplore.exe

description	pid	process	target process
PID 1092 wrote to memory of 1900	1092	WINWORD.EXE	iexplore.exe
PID 1092 wrote to memory of 1900	1092	WINWORD.EXE	iexplore.exe
PID 1092 wrote to memory of 1900	1092	WINWORD.EXE	iexplore.exe
PID 1092 wrote to memory of 1900	1092	WINWORD.EXE	iexplore.exe
PID 1900 wrote to memory of 576	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 576	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 576	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 576	1900	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1556	1092	WINWORD.EXE	splwow64.exe
PID 1092 wrote to memory of 1556	1092	WINWORD.EXE	splwow64.exe
PID 1092 wrote to memory of 1556	1092	WINWORD.EXE	splwow64.exe
PID 1092 wrote to memory of 1556	1092	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1f2ed0a44bfe66ef53582a3cc55e4417.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XUTI5dlpFZE1hbTEwY0dVeE5IWklhSE5oWjBGelFrSjZjRzh4ZUU5eE5tSnVjWEpqU3paRmRVbzFNM2cxVnprME16QjBUR2xGZGs5T1JYcEhNek42Ym5kdVdsSldURmhxUzFoR1lWTkRPREY2U1hwcWNIVTFibGt4Y1hKb1dERkdaSE5ZZFVORlIzVTBhbFJHYTNGNmVqbEJaRE5NTDFsV1VtNVlWa3RvU1N0Q04xaHpMMlpGYUdSaWRrMW5Sa0Z4WTFNNFkwSlZTMWs0YWpaTGVEWk9SRUl4YlU5WVYwRTJhVkZGUFMwdGMwUkpOVkpMYkVOcFoxcG1iR1ZWYlhSWmVrRTBRVDA5LS02MzI4NzhmZWE4Njk4ZTgwYTU3MWJhYTQ1N2EyMmI1Y2Y1YjIyZDRj?cid=1373005365
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:576

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
1KB

MD5
f2a7177b141a80c4270da40d213df634

SHA1
7ebd6a9b793a8694ed74eb6e1a104f007832c40b

SHA256
875f1f2c5d040a7b3b94365dab9285f7a5f980ffa57653e30626a4d63f652f0a

SHA512
828325036a58ef6a7b26a10fd8e24c3dd44db12eed18c918858b91e9b2134e0f20030720fe4df898dc8c934da9859223559859871472402319fd9204206db71e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_8434FA76B854658C2E8270E57478BB65
Filesize
471B

MD5
975a6a74d387ab781e45a7d79d18cfca

SHA1
4f725c2e4a0fd902b74a96153abc72acba5067d7

SHA256
42deaf8eb982e692ce35f07eb57771c74d8bbbf463f6a286e15cb234d4e101ba

SHA512
1a8ca10c993ba55dbcb6c57d5892f9e9717e2dccc1f646031e3c57d45bf4987dc36236694526574742ce4b91b019bdcdf18991ec6182344865874bc5bba90652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
d854820d3bd82f640e0034aab23577a0

SHA1
6af83f7a1ff65cfc5bbc972852f507ec5483497d

SHA256
40574a3d8cd926832f3413f93d16a031f49524c4dace709054ce8fde45b0e33a

SHA512
f035c406f8f64768022bee927e1aa026d4ec1124c51396f27b2c4f41179fdba9ba562f382bac46b04ee976b5bdd1e2cfcc86bdc2a41fb79def5047630a0e18d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
e34e4ceea81b2b988eaa47991d858e72

SHA1
be9163e5e6e5f59354746911fad87279b6d0c8f2

SHA256
4881bd0c92b169abeaaadf878c070e54b9345bf2b154edcc3fd4a31f8b653a37

SHA512
2261d679305319dedfa8c6cfe799c8bc25224eaff70dd0edfe8d7e79d7260a2f5909421516e193aedd6c3822e41828d08b44cb873424fd95910c7d2ceead14e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
453e769cd1ee94975e2049de399ba426

SHA1
bfc11583ffc31d406d0457f4084f52a3afcd8650

SHA256
d85dbb93ce0fcfd795575655483164f3070e97540e6a2cc75b25ef3e042acfa5

SHA512
74dbf737980b850f798942586ac0a39e335fdb91c2b182e1a65ad670d6aa6b148f194d9554c6de733c4535ea3048002006a81781c5c136a76e1a9f910bb4fb91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
db8ca1469707c4f48720d25d2aef2285

SHA1
f697d51cd07651251d7ce5d95242b85efcb93724

SHA256
176a3987fee51b650e3f79c3d0871bf33376685e9ba6a37247aea063a150d03d

SHA512
55af9954da325555047f35ade4b6e091757e6795be141c09c618141209a0ece45935c9ea048982f7e940713955e7e4fe1e259f7741580fe3260f3a84a6ecc4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
db8ca1469707c4f48720d25d2aef2285

SHA1
f697d51cd07651251d7ce5d95242b85efcb93724

SHA256
176a3987fee51b650e3f79c3d0871bf33376685e9ba6a37247aea063a150d03d

SHA512
55af9954da325555047f35ade4b6e091757e6795be141c09c618141209a0ece45935c9ea048982f7e940713955e7e4fe1e259f7741580fe3260f3a84a6ecc4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
442B

MD5
b2ba0c196dd4f11ebda609754616e0bd

SHA1
1555c4efd299d8cd6485971ea493080e1efbddfc

SHA256
eb6602042fb8415b1437cee9334232931ab194884b7e6932bdd52f16518de414

SHA512
f5b2b941cc3e1b04023949c473dae39c94059dfb387e1c09b6f2b72f29cb72e525b91d8886843e88b2744e8db41bea8827fd39d0be77773b97e718463903fd14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_8434FA76B854658C2E8270E57478BB65
Filesize
414B

MD5
a135091cc9a160d753467eff36fd890f

SHA1
9b1a119885b797e3507864ec36ba198f1738595b

SHA256
fee75c186c03800b30552a2d4ccceec49c62ae99ed42133dfc110aab8cd5283d

SHA512
1c4db33c5f95d4f7357ff006bf8151d3406e1fcab77665e000565a85d4993eb2fc887443d2b304e8a755a64375e572b3994ab21f1d73ad8531c03bd2dae00b84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
72f559075e71dd13d32ca1c060b56d05

SHA1
17af33df52ac8112181cfecdbacd152bad2304a7

SHA256
55277919fab353a2681e7d393327ec4a028dcca718335b7759b49d0feff9bc95

SHA512
425ba3a6595b0bb12f2b96bdcf719a095c8500bc8f7722ed31f5ef6f12069ed98594d812fa6cf97e7a5ac4eb4acc977e580eebac48003bfb8859cd7e01ae1f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3ca77e12e1868a59fc98d566dd958278

SHA1
c54085379b5b421ada67efc9fdefcec180d43199

SHA256
e510f7131852ca64c76f9d6d18cf03b4f4287b1314fc48be8c8c5817656f56dd

SHA512
aadcd6268894c8d7ace504cd7f38aa15a8f68d6ac7cb4e6d164524ab6ced2e923cd17b0f0f4edbbfac23834d93cf6f9940f4cdec335c926aecf2ead1339073a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9e6953e3a66e37bb13f8841801816244

SHA1
0290ad29793742087342ac268be9fe28fee8fe9a

SHA256
6fe820981231d1e8df725ca0e6c28e2618fbbfa1af50f4db944dd265c76fa741

SHA512
acacec984b567d9680ffb274bcc8b0ec0071707ffccf756b98940c457547b16a277d569fead59f596749a4980d7f013e70b14dfd90ef0bf542219aa47050dbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0bf12a274e2aa81691baa546dad191bd

SHA1
7430e432ba984a61c5338738f3c4fe4566f0b5a5

SHA256
eba2358bd94a22d1c425c789a74794d3eb52b89641ae6c22fc03e1fe70a6f8a2

SHA512
8cc1256b031ca30325738eaaf998c36003e52aa67765922bfa0bffed1a02de62c9b8f33049f41ea1455d9e8dc56b082fb94331e7c59853add45098a03e0bec80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
026ee6d25c1cd671847b4453e19a7c42

SHA1
5e4021d947b798971d913baf0086368c9f8fb552

SHA256
d7136ebc96d76e150da30002214cb043baa521ce1d91e16196e232e94e396aae

SHA512
36d4a66e5f7d2976fbe5044b8aa2d89a57dfbe68ce70e604e7e2760bc0e989b5727e796847c81b2d7c3db9b8553807475ed7dd21ea2b34a0b362c6d5e056ac03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d496450ae3fa05b63bc76328cb0377e0

SHA1
90733c553ed9f45fad46400a8e9153896683494f

SHA256
d1721c8758a22aa0a77048e65b624376e6e87929efa576af9e6519e8d3650af6

SHA512
4086a83deb4496eba2fa1972159a04e10bb8ce268f24ca878bf76760e9f1f10a897013be573def670826b004a6c659ecf6729da09a632c6ac6b0fcaed8fb5883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
83764acb0e851ed018cebcbb5b0c4573

SHA1
87937057a35d7d32860223379c63f3659fb2dc17

SHA256
0796df489bf76b01cab54d11b19a696071b73a80018d487209ce66f6ed06b60c

SHA512
f15e6e221d108d4dc72993ef14f0cbd14c442892ca8cdb73b659d23b577d06498bc3e4483932c278d479340cd99ed77ffb943e7db32d6b61245ac7a6e1593568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
92e47a4773e0108e5dca43f5ca7fb866

SHA1
0ae25afe247ec7ff069242b0630288c290e8ab57

SHA256
5d754ce3aec56485c3ce6e38b8a568947f6f5dd0df2d252104a8c4d049ea52fe

SHA512
f87214b614805536703515f60819e8a0fd7b465fbdfd21d6f64350f37e9a930f47f5c853030639643dd37f9d4c4681d9ce990295095714a5c84ba56effefc59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
52713f3209dc2631164b05ca6304fd39

SHA1
a9f04dabf034f72e19122cb5fa1bbeabc2657f56

SHA256
6d4032c7a21d01506beea7ab2d55ada81faeabd153dbe303024b5fbab47ff24f

SHA512
905df657e714efd2c6a5a87f171190e1a2ac20905122b2a38d20d03e330d67563755c6062840d20800a8027fa3dda118526cb24040e6bc096742947d16a631b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
746e7034d7f7218579aea7584ad88358

SHA1
dc4a9476fa95eb9a994046a2f1daef0407dfd973

SHA256
2b9ce9ece7304e4b00b463a48e2f6fdc8e023c39c4a35b6187b92edcfc7a5e19

SHA512
6967481bbed8a1619c741aa089c2260812af32185fd5f6e002ea674521aca93f8f5e0bfed3787dec5ae5817d9bc7182bff1874d22a4acfaa8ae6b62eabe1e76f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\91KW19TR.txt
Filesize
608B

MD5
1e14c70f11420c26cb2cbd3327617c87

SHA1
6e17bd817f171ebdfbcd40bfd298e81daa0e1b89

SHA256
83e40145ca335ca7052b6e27e167388ae63364ee6a4b23a4f0b9fd4cab52a9e4

SHA512
0c4dc9744eb7505eff9ed4610e75987d3ad77c6f31af2ee223e43a5f53ad05297ecc7c83d1daf96adec3b15ca2a7f31e171e5adf179b4044d2388737e947139e

Download Submit
memory/1092-61-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-54-0x0000000072701000-0x0000000072704000-memory.dmp

Filesize
12KB

Download
memory/1092-68-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-67-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-120-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/1092-65-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-66-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-64-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-63-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-110-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-62-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-69-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-79-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-60-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-89-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-99-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-59-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-58-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/1092-57-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1092-109-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1092-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1092-55-0x0000000070181000-0x0000000070183000-memory.dmp

Filesize
8KB

Download
memory/1556-128-0x0000000000000000-mapping.dmp

Download