a949e11e4eba55b9cf6b17c195020fa33f66b5fd2fb9190a87cbaf1dbc527b02

Analysis

max time kernel
157s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4807a5443c8d0f118221fdb8d183f473.docm
Size

207KB
MD5

4807a5443c8d0f118221fdb8d183f473
SHA1

2bbf2276294da53453710e688712e36f971cc9a5
SHA256

a949e11e4eba55b9cf6b17c195020fa33f66b5fd2fb9190a87cbaf1dbc527b02
SHA512

38876c4706966ddb745aeaaa9bae4ec5b91ae46d93501c6fa7888e966b5204b80fc38271a4b36f2333bbe78966602a10911a3efa882468d91897abc94c82cff5
SSDEEP

6144:vHbHtzJky3eEGVdajJ66tAhUJOO3NNzxsegZ:fzjkyuEGfMuhU7X1Q

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CA85991-6AB5-11ED-B3C3-5263E908E3CD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\Total = "18"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000006e4b7f370fb410cdfd576c4da5d2f91a72ecc149043664cad8bb828fc4954c2a000000000e8000000002000020000000755369bdbb3ea2096bcb65c501edeace6280b56a299a17fd5b64338e6deec36020000000ca551a6ce385d3494ca1c5a96ea0a95b2a8ee4b349f44d0fc7713455f9cd0c6d40000000815eb52c2982a3a1943e825ad3ddd44964e12ab61855ae8997dcd1cc44fba9bbc5400bbed3e3b8a02cfcebaa3f4a160219abbed7c72272719107514b3aa59dd7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375921299"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\secured-login.net\Total = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506d0f65c2fed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000f48ccf551041d2107794a32f74d3512c55c6de33f0debaa5548b92a7d2b7b533000000000e800000000200002000000068faf4cb314da380eee9bc0a1901ebc9a76c7ec6aff66d42695a9aa6de536bda90000000dd0c57277d92dc575b53d44bf897ea12f73b25819c1263325297f5067ba37fff2b7f4905fa556cf2cf99934a58601e752e9ebabb7f601f1b116095f6ba592bb994fe1b7c42e6fd82b122539dd34f214e984fc3a7b54ea206f22c8d6ec64b99280479fe51fff2cd36dc4c9ec6d4d7fcff7d9a2bafb2b99c2513c9d6a158c6a856324d94210402f39bb194a8e06cfb308e400000008c653a7f901796d19016d1c56a8eced007d7119ef68f0a0aedf558ff8c71dc90fd226696276e41cab68f857735cf66513d6f496daaa53a89e85a9f989f7dad63	iexplore.exe

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\TypeLib\{48C370F8-E657-482D-8456-24ABA065122A}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48C370F8-E657-482D-8456-24ABA065122A}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48C370F8-E657-482D-8456-24ABA065122A}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\TypeLib\{48C370F8-E657-482D-8456-24ABA065122A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48C370F8-E657-482D-8456-24ABA065122A}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1208 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1684 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXE

pid process

1208 WINWORD.EXE
1208 WINWORD.EXE
1684 iexplore.exe
1684 iexplore.exe
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE

pid	process
1208	WINWORD.EXE

pid	process
1684	iexplore.exe

pid	process
1208	WINWORD.EXE
1208	WINWORD.EXE
1684	iexplore.exe
1684	iexplore.exe
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEiexplore.exe

description	pid	process	target process
PID 1208 wrote to memory of 1684	1208	WINWORD.EXE	iexplore.exe
PID 1208 wrote to memory of 1684	1208	WINWORD.EXE	iexplore.exe
PID 1208 wrote to memory of 1684	1208	WINWORD.EXE	iexplore.exe
PID 1208 wrote to memory of 1684	1208	WINWORD.EXE	iexplore.exe
PID 1684 wrote to memory of 1680	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 1680	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 1680	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 1680	1684	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 1600	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1600	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1600	1208	WINWORD.EXE	splwow64.exe
PID 1208 wrote to memory of 1600	1208	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4807a5443c8d0f118221fdb8d183f473.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://spamchallenge.msftemail.com/XZGxBeE5FTTFTekl6ZW1ORVRrbDZibkp1T1ZaMVYyNWxiVTVzZVZkR05FbDBRMGRZYmxSTUwyZG9hR2xPTTIxdVNESm1lbXMxYWtoRFdGZE5MMGhpYlhoQ1dIRXlNalZyYjJvME1EaFlkbGhrTlZKb2J5OVBZakZ2YVVoRFF6bDNhblYzWld4d2VqbDRObk5vVVd4a2FYZDZiVWczWlZwSEwzcE5kVzFwWkRKdlRVcDZObTlCYzFGTE5HMVpZMnBxYTJwd2JHcHlNbFY2V2xkcmVGWktiMFJTTldwM2NpdHBOa001ZDJNeWFVeHFTa2hyVjFOTVFWUnJjRlpDV0RWcExTMVZNRUZHV2xKelZXUTNjR0ZITkZaUFVYbzFhekJSUFQwPS0tOTM0Mjc0ZDgzNjMxMjAxNzJmZmNkNDcxYjE0OGZkN2YxMGYyMWMyMQ==?cid=1358712581
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
1KB

MD5
f2a7177b141a80c4270da40d213df634

SHA1
7ebd6a9b793a8694ed74eb6e1a104f007832c40b

SHA256
875f1f2c5d040a7b3b94365dab9285f7a5f980ffa57653e30626a4d63f652f0a

SHA512
828325036a58ef6a7b26a10fd8e24c3dd44db12eed18c918858b91e9b2134e0f20030720fe4df898dc8c934da9859223559859871472402319fd9204206db71e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_E3AAD38D981108133736A437FAB2E7C7
Filesize
471B

MD5
87558ebd1b8815077d1b0014e91bd6b4

SHA1
b2d28e4a0a46e9df76c7fce9847d01e3ba348bb2

SHA256
c76b7264b173195e8f5ed6aff97ee5eba9b640606f976d838ace781bf934ac35

SHA512
bf8d3d1f6c8fbea384b2eb2b3dcfbe22c751c89ff13d0ae4155ababfc1a563eaecbe6235d458b56a647da04c9aa34b0e4248217f6de2b6ab4c7da432a7cac386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
d854820d3bd82f640e0034aab23577a0

SHA1
6af83f7a1ff65cfc5bbc972852f507ec5483497d

SHA256
40574a3d8cd926832f3413f93d16a031f49524c4dace709054ce8fde45b0e33a

SHA512
f035c406f8f64768022bee927e1aa026d4ec1124c51396f27b2c4f41179fdba9ba562f382bac46b04ee976b5bdd1e2cfcc86bdc2a41fb79def5047630a0e18d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
e34e4ceea81b2b988eaa47991d858e72

SHA1
be9163e5e6e5f59354746911fad87279b6d0c8f2

SHA256
4881bd0c92b169abeaaadf878c070e54b9345bf2b154edcc3fd4a31f8b653a37

SHA512
2261d679305319dedfa8c6cfe799c8bc25224eaff70dd0edfe8d7e79d7260a2f5909421516e193aedd6c3822e41828d08b44cb873424fd95910c7d2ceead14e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
d3f53c72b5ddf7e3c1dfb06947da05b7

SHA1
f9eb0d015a31f51ee681d1b09295e4ed83b90045

SHA256
3b9278a58c00901f90486d391c26ad49d38f1d4cf856b079a3c42ec6f9e8d851

SHA512
de37822d0394a1175745ab4be456660556947aaf3445e7571e420b1f8a7134025888878406312f3e7dff33e27b3d02e51896c17eb097b28312ba1767422df59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
d3f53c72b5ddf7e3c1dfb06947da05b7

SHA1
f9eb0d015a31f51ee681d1b09295e4ed83b90045

SHA256
3b9278a58c00901f90486d391c26ad49d38f1d4cf856b079a3c42ec6f9e8d851

SHA512
de37822d0394a1175745ab4be456660556947aaf3445e7571e420b1f8a7134025888878406312f3e7dff33e27b3d02e51896c17eb097b28312ba1767422df59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
442B

MD5
946d2156fd69dc9dac2da97237b35de4

SHA1
10d756117366e8603fb5a265955dae669ce9d812

SHA256
d76a09a9e38fc6dd48da37b2c78e0c16a69bed8131fdf8b7e23a971b21dff360

SHA512
88dc7e62309fa97a185b57dcf0c03beec4c59c791c291855eba74987589746f8741c0184b6c507dc6493775ac6d5d744a53c38a0c0bece44707ede2bc55c5560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_E3AAD38D981108133736A437FAB2E7C7
Filesize
444B

MD5
477e2e9ad460fd2f95cd170a5c3884c7

SHA1
7a8862a505625712a8054afdf313bbbba6a7e661

SHA256
68b8fd40306f7c9f39f4586e67de1a9c9b26d537395c19781667ca5002695391

SHA512
128d68d8cd8675f485bdd8f6159576ea94c62320284da3ba5717b6fb3070c27b626b0396458d1b63e54f37594fb944f9a6ba9b04389b191a3a44bbbbe27c001c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
977bc042c9fe47ec24a6d7771f5e16d1

SHA1
7dfdb18c11bcd4f41bbc3bb43d659c66f2a1f805

SHA256
4078e7f0b7b14062d40df85ca4fc0c3fdddea271810c05d381d800899f6994f6

SHA512
18ee1cba6a386f334a352994891bf6e96e5a0acb132607033c983133c19c3594f274fe68a16bfd7679f397af75ee451992e7971746ce683efdf6f742e9ac2c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d03a855594d6a07b536c004cc603b9ae

SHA1
0f0bb2dd51b34db8d72578108ae77ccb88fc168c

SHA256
c1c289e67b11d2a24c36dffa86fc870c629f96f79fd0545a03bd79a0432812da

SHA512
28626d404b1be13085b440d413f9fae70912e764e6a8280eece9d6f6b9b5d217830570f776b73ef292354ab2cb5f83154e019c0ffba14b6bf681d801eada1922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b57f5c934c7ae84bad2da0e5f11f7f4

SHA1
ee6d24f9512ec57853252b43fc177abe17b8bba3

SHA256
c3f74061af3be68df9da79e04364dcacbcb036445bff79fb690b6eb8027e6519

SHA512
9987337643500418112c2ef8b7db5a07cd26455663ca565dc25645f35b4a76146a15d0bce17e6d270fcd6d8d0edc38859299a6339adf00f89ecdb65697759800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
69d79ff2fb92679eb942f772db3d441d

SHA1
b9061f8c53805de5f3dd92f28c9723886246c564

SHA256
cab95ebb819bda850900f69973deb3be312724e2ec7827e1bf5cf155648f18f2

SHA512
74c662d2308d19bb61391a519db59a944bda03b3df8fa9910010a05c0a8070f378d2f2bd2aa2a1e49531c58af68ebaf792a60794c6eee1fa37823a0d1749f626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3cf92153d0831c9b0e766354163476b0

SHA1
f98f385a22cb3770333b21c35a6173db5ab1e4b0

SHA256
2b63dff50c66b07ba2cd1090cd51ea0ae166c9135c88c3e8e2b561c6f17b8d61

SHA512
0f79e957fb45caffb3d206deea0e67300fa4b292fdb9e0963314cdfb7834be3effe10d4360302e3f8925a53f3afb3de828a4570460a48a2bf2131d3cdf99ac38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
61105750284606c6e785fedc68d3d0ec

SHA1
cc160bcdfe185299d3c6d5b4c508b54f96f69e26

SHA256
396f8ac9c1ed46b1628f8e284bc38595c40b19c9d4111b8162a649e519e07a61

SHA512
6e5e4743b27d9099cbd8ece211be71e0d51a551c3d671e63a3e2a742b4f162269c002b4d6f26295044111022a489f1b09cffdb4dbb3ccdda99db725f2d187fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ecbd95b72c3594413427d143f8a73a60

SHA1
669afc6a8354b2e0dd9adec3ee1927caad86f2b1

SHA256
0d2db40fb2013da6f35d05cdde92bda56d365934ea3f80132461a08a5d1b4323

SHA512
681dbb56fda56e7edd50d1d6490b2911c574e6a2ba4b2efd4494f2761e32613efbd9426f24d7776828c76d0c833b35cd914d0e8d7b52a15e4a11f8ccfe017490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
9d2ffdc9bc31fd76258bb6ddf2cd142e

SHA1
6c4cad17542ab8ce6a2af9a146d34d8dc072ec3d

SHA256
f79bbf1e06e4b0da0480f289dab8ac1bd43983772cbff9dce663747c82c7d68a

SHA512
218fca7c785c4f1d7862285c08516dc2a95fbf3c8f7527ed22c39131d7c72287ebbd4bbf331a963f393497fcedac2d1981716aba4cadc530983c91b50f98584f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
9d2ffdc9bc31fd76258bb6ddf2cd142e

SHA1
6c4cad17542ab8ce6a2af9a146d34d8dc072ec3d

SHA256
f79bbf1e06e4b0da0480f289dab8ac1bd43983772cbff9dce663747c82c7d68a

SHA512
218fca7c785c4f1d7862285c08516dc2a95fbf3c8f7527ed22c39131d7c72287ebbd4bbf331a963f393497fcedac2d1981716aba4cadc530983c91b50f98584f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
6cdac8c905d9d50f54f682d11fc38393

SHA1
f043dab1aed1842242ad70289e26774953ae93bf

SHA256
7ca22c61a12fb350c9dda5af1c1f760761fa00af6bead24257d2cb5c3ec97ef0

SHA512
a8a473b7a406667f9ac0fa815732bd2c47fa3362fe83d97cf928fd267eee979ce272fe31a9d8b112ff64c58298b866f3b6f35ac98937c4ea5eb689aa13a817a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JMMJVZS5.txt
Filesize
608B

MD5
b8391f6ac9548e241297fcb0b04bf6ad

SHA1
0c412dd02e7c25af169c65ceeac2dfd606b221d5

SHA256
1c96a8defa54cd3b38ce232e8b278bfb851487b9736edd2bf70fa945d88dad1f

SHA512
5ce3e6a10e9153e3334e49e780bfc7b5d16e2e78ff1bf6d6d8bcd5e94030db624be7335dc267c2177ba597a678643c9e68c786d16a08a28d6a3ab1cc1505a6a9

Download Submit
memory/1208-61-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-70-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-64-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-63-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-111-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-62-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-65-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-110-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-100-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-90-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-80-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-54-0x0000000072801000-0x0000000072804000-memory.dmp

Filesize
12KB

Download
memory/1208-60-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-68-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-59-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1208-69-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-58-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/1208-57-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1208-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1208-55-0x0000000070281000-0x0000000070283000-memory.dmp

Filesize
8KB

Download
memory/1208-66-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1208-145-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1208-67-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/1600-141-0x0000000000000000-mapping.dmp

Download