Malware Analysis Report

2025-08-05 12:44

Sample ID 230308-k4w19aee8y
Target 698904922815716351.zip
SHA256 e09294ca57361cdf65418a18b97e2b96f1ba106f155be598b9950f1033086978
Tags
emotet epoch4 banker persistence trojan macro macro_on_action
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e09294ca57361cdf65418a18b97e2b96f1ba106f155be598b9950f1033086978

Threat Level: Known bad

The file 698904922815716351.zip was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker persistence trojan macro macro_on_action

Process spawned unexpected child process

Emotet

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 09:10

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 09:09

Reported

2023-03-08 09:13

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

160s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\698904922815716351.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bDMsnSNsFUb.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YFGkPdvrhJrmRCg\\bDMsnSNsFUb.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\698904922815716351.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\101057.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YFGkPdvrhJrmRCg\bDMsnSNsFUb.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 35.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 141.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 esentai-gourmet.kz udp
KZ 94.247.135.151:443 esentai-gourmet.kz tcp
US 8.8.8.8:53 151.135.247.94.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 13.89.179.9:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 91.121.146.47:8080 91.121.146.47 tcp
US 8.8.8.8:53 47.146.121.91.in-addr.arpa udp

Files

memory/4992-133-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

memory/4992-134-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

memory/4992-135-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

memory/4992-136-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

memory/4992-137-0x00007FF7D4A70000-0x00007FF7D4A80000-memory.dmp

memory/4992-138-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

memory/4992-139-0x00007FF7D2740000-0x00007FF7D2750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\101059.zip

MD5 98f2c28db3044c0bb4f6532b4f63271a
SHA1 c7e464ad78ddc97d00f6bd5a25c463c4c4a693a9
SHA256 c0cc58370e1c362fb98653d01a3b36018775602ef2f115ca2ece20257f0e9aa2
SHA512 f0da48722a4d8fd2fc714e845b90de3727ff6d623054ca8dc23c319f2b1b2c31ff700a121cd0437cf8748cd8cb8df05c9698de88c66b74ba989fad89ea6877b1

C:\Users\Admin\AppData\Local\Temp\101057.tmp

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

C:\Users\Admin\AppData\Local\Temp\101057.tmp

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

memory/2512-179-0x0000000180000000-0x000000018002D000-memory.dmp

memory/2512-182-0x0000000001450000-0x0000000001451000-memory.dmp

C:\Windows\System32\YFGkPdvrhJrmRCg\bDMsnSNsFUb.dll

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

memory/4200-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 09:09

Reported

2023-03-08 09:13

Platform

win7-20230220-en

Max time kernel

111s

Max time network

100s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\698904922815716351.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2044 wrote to memory of 1904 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1904 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 612 wrote to memory of 884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 612 wrote to memory of 884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 612 wrote to memory of 884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 612 wrote to memory of 884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 612 wrote to memory of 884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2044 wrote to memory of 1264 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2044 wrote to memory of 1264 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2044 wrote to memory of 1264 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2044 wrote to memory of 1264 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\698904922815716351.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\101057.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\101057.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CotiNmwpPVsxT\DNXkDgkZ.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 esentai-gourmet.kz udp
KZ 94.247.135.151:443 esentai-gourmet.kz tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

memory/2044-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2044-57-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-58-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-59-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-61-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-60-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-63-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-64-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-62-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-65-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-66-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-67-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-68-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-69-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-70-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-71-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-73-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-72-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-74-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-78-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-77-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-76-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-75-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-82-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-83-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-81-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-80-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-79-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-85-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-84-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-88-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-87-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-86-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-89-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-91-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-92-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-90-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-93-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-94-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-95-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-96-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-98-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-97-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-100-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-99-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-101-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-102-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-103-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-104-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-105-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-106-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-107-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-108-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-109-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-111-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-110-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2044-112-0x0000000000690000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5027.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar53C6.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0adc2ef9fd46c31f3e8959a23c1bd69a
SHA1 4a4b489504a3c10b1b1480c3783b6c2a8ebdf4db
SHA256 bccd0f3e0e0af5e45b115f00dfa5cdf6b98627a1a86351daddc76dcc9ccce5af
SHA512 53dbbc7b329f2de6671056c27d354e8208b0941d7f0cd0d18e9ed1f09b64949b3403ee1852ae864c573976bc1d3ada8269d4bcdd362af0c77d79b1f7e0486bc0

C:\Users\Admin\AppData\Local\Temp\101108.zip

MD5 98f2c28db3044c0bb4f6532b4f63271a
SHA1 c7e464ad78ddc97d00f6bd5a25c463c4c4a693a9
SHA256 c0cc58370e1c362fb98653d01a3b36018775602ef2f115ca2ece20257f0e9aa2
SHA512 f0da48722a4d8fd2fc714e845b90de3727ff6d623054ca8dc23c319f2b1b2c31ff700a121cd0437cf8748cd8cb8df05c9698de88c66b74ba989fad89ea6877b1

memory/2044-1455-0x0000000006280000-0x0000000006281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\101057.tmp

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

\Users\Admin\AppData\Local\Temp\101057.tmp

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

\Users\Admin\AppData\Local\Temp\101057.tmp

MD5 69a5d6bff7916e89328735d6dfeb1969
SHA1 9b08a294c6f0c6cf91c023f8314a4434c23e0fd2
SHA256 d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616
SHA512 cb259efd4cd1824385e990b2bdedff62254e68655aa8cdf1b3f622a7c7047993980fd5f813bcf16e3efa6cd68ac4aeae07f2bbf0f848faf4389fbac137be1749

memory/612-1694-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2044-1700-0x0000000006280000-0x0000000006281000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 0785720aaa4c554fe82b8e4340c0229d
SHA1 8dd5f574eb5ff5c6d7b28a9cfd4d1a199adb01a3
SHA256 dd06b642bf5e6e2fcf5c7e1ea80d169e3c374131272232f8c298222cca07a430
SHA512 048383ea387385f854d02fdb8962fe227dafd62cba310a2f8ac72cdaabc2f752348e4e17258c5ec62bc5be694d9020fdfe5e33649b9f8c268de9b870ec90ea99