4f0d23f14800f69008bb2c8be79d35b003614326e423946bb54ac4b5efc8dad7

Analysis

max time kernel
33s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P7098769000.rtf
Size

105KB
MD5

1d3265911278f10d2dcfeeb108e98e5e
SHA1

aa4af107a2ed04e4d60f362040abc6924870b008
SHA256

4f0d23f14800f69008bb2c8be79d35b003614326e423946bb54ac4b5efc8dad7
SHA512

6f2b0bf3065b40f1abefbbd1f2044daac7bbd8327b976893e4edea0e05ed560f32514d29b6b64ff91b118da9f3c889fc65ff54b411feb6485036c83d9bb5f5b7
SSDEEP

768:8wAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWj24rBBBqAU8wz4AQChjI:8wAlRkwAlRkwAlRKBBqd4+9I

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2004	EQNEDT32.EXE

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	POSA55094.exe
2412	name.exe
620	name.exe
1980	name.exe
1204	name.exe
1956	name.exe
596	name.exe
2240	name.exe
3024	name.exe
1036	name.exe
792	name.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	EQNEDT32.EXE
2708	name.exe

AutoIT Executable 23 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000155fd-10.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-31.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-34.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-35.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-50.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-63.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-76.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-90.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-103.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-116.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-129.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-142.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-155.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-168.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-181.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-194.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-207.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-220.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-233.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-246.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-259.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-272.dat	autoit_exe
behavioral1/files/0x0006000000015c9a-285.dat	autoit_exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2004	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2152	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	WINWORD.EXE
2152	WINWORD.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2708	2004	EQNEDT32.EXE	29
PID 2004 wrote to memory of 2708	2004	EQNEDT32.EXE	29
PID 2004 wrote to memory of 2708	2004	EQNEDT32.EXE	29
PID 2004 wrote to memory of 2708	2004	EQNEDT32.EXE	29
PID 2708 wrote to memory of 2412	2708	name.exe	32
PID 2708 wrote to memory of 2412	2708	name.exe	32
PID 2708 wrote to memory of 2412	2708	name.exe	32
PID 2708 wrote to memory of 2412	2708	name.exe	32
PID 2152 wrote to memory of 2784	2152	WINWORD.EXE	33
PID 2152 wrote to memory of 2784	2152	WINWORD.EXE	33
PID 2152 wrote to memory of 2784	2152	WINWORD.EXE	33
PID 2152 wrote to memory of 2784	2152	WINWORD.EXE	33
PID 2412 wrote to memory of 620	2412	name.exe	34
PID 2412 wrote to memory of 620	2412	name.exe	34
PID 2412 wrote to memory of 620	2412	name.exe	34
PID 2412 wrote to memory of 620	2412	name.exe	34
PID 620 wrote to memory of 1980	620	name.exe	35
PID 620 wrote to memory of 1980	620	name.exe	35
PID 620 wrote to memory of 1980	620	name.exe	35
PID 620 wrote to memory of 1980	620	name.exe	35
PID 1980 wrote to memory of 1204	1980	name.exe	36
PID 1980 wrote to memory of 1204	1980	name.exe	36
PID 1980 wrote to memory of 1204	1980	name.exe	36
PID 1980 wrote to memory of 1204	1980	name.exe	36
PID 1204 wrote to memory of 1956	1204	name.exe	59
PID 1204 wrote to memory of 1956	1204	name.exe	59
PID 1204 wrote to memory of 1956	1204	name.exe	59
PID 1204 wrote to memory of 1956	1204	name.exe	59
PID 1956 wrote to memory of 596	1956	name.exe	38
PID 1956 wrote to memory of 596	1956	name.exe	38
PID 1956 wrote to memory of 596	1956	name.exe	38
PID 1956 wrote to memory of 596	1956	name.exe	38
PID 596 wrote to memory of 2240	596	name.exe	39
PID 596 wrote to memory of 2240	596	name.exe	39
PID 596 wrote to memory of 2240	596	name.exe	39
PID 596 wrote to memory of 2240	596	name.exe	39
PID 2240 wrote to memory of 3024	2240	name.exe	40
PID 2240 wrote to memory of 3024	2240	name.exe	40
PID 2240 wrote to memory of 3024	2240	name.exe	40
PID 2240 wrote to memory of 3024	2240	name.exe	40
PID 3024 wrote to memory of 1036	3024	name.exe	41
PID 3024 wrote to memory of 1036	3024	name.exe	41
PID 3024 wrote to memory of 1036	3024	name.exe	41
PID 3024 wrote to memory of 1036	3024	name.exe	41
PID 1036 wrote to memory of 792	1036	name.exe	42
PID 1036 wrote to memory of 792	1036	name.exe	42
PID 1036 wrote to memory of 792	1036	name.exe	42
PID 1036 wrote to memory of 792	1036	name.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\P7098769000.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2784

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Roaming\POSA55094.exe
  "C:\Users\Admin\AppData\Roaming\POSA55094.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Roaming\POSA55094.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        7⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        12⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        13⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        14⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        15⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        16⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        17⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        18⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        19⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        20⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        21⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        22⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        23⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        24⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        25⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        26⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        28⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        29⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        30⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        31⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        32⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        33⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        34⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        35⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        36⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        37⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        38⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        39⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        40⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        41⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        42⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        43⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        44⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        45⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        46⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        47⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        48⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        49⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        50⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        51⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        52⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        53⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        54⤵
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
9KB

MD5
d64c1f140703eff69c3f6ae9538ea06f

SHA1
7aa1b34ba3e3290a9115af7d88b7ea7571cbf9b6

SHA256
aae143eb597b08f9cbebaaaad25f1a28d6b4aa705914d69d4b6884c84f5e7107

SHA512
76ac96db8b9002daa0af3a88163822a57ae5045a3beb53fa8f36d0c26f0e1eb3fe331e4683b9adcd36859c8b9214e8cc728d5f97541939bb344d9b104fadf1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
128KB

MD5
0c7c6d65a2e4ecee45a6d34bc3308a00

SHA1
aeaf5530cf331f24f91141776d5bed7eb37771a9

SHA256
a4e8be3d16a47cec7d05c27b807d93ba83528fdba2ec41de02df6064a50f87f0

SHA512
a63b9903f21adaa3466cd37c2d8a4be2dabdf133d6986f7575e874b53ecf916533c57b74cde2158f04971cd2096dbdb7ffad9c16c726fc90ce1419f50e6e8868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
482KB

MD5
c685f603c8675e4c9fa9389db00c953e

SHA1
297749c3a642d5bb5d9533f5c76f53e371525087

SHA256
5837d05bcb557ce901c43b499413860276ac5f8ff8606bd67c596755a78bf39f

SHA512
8c4369e1bf4dcc80a80ff66ac205382b0f70bde0a317ebd14d0c1544d26a84c995180261aaad8a056d3a0c3ec6358a5c1f089c96de3788fa0aa8d3d9c1046c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5ADC.tmp

Filesize
427KB

MD5
1243b1bdf3ada3fa0ac3413b5c3d5192

SHA1
06570221030ced927f4755a105ce06ab9b1b25fe

SHA256
d1d124c21c11c370c1d9fa75dfeebaac4139752e78a8418153fe5dbba06a166a

SHA512
e13ee060e3616a307bae731ce87f11163e22edd990808247cf33a405b1234d8fdf4d959f673034a41bfac7b949e606abdb06c5e7fcc0f5f03624894c3da54d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5AFD.tmp

Filesize
9KB

MD5
31d5d14fd5a63a274ee6280a2ed273ce

SHA1
a188e901f850967aac513e3b0bcc87d77a682bce

SHA256
3310b7905a2cfa88729f20bc67a1dd52e0fdfe89c36751a4d41ba347886bad6b

SHA512
26b7f3d6e924b8d398978dfaf0d5a3492877ee07717bbbde1cbec58be8af64f36fa2fad2d0a7ee393e785aa34bcd352f6338c77f82e09ea056183854ce619d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\underbalanced

Filesize
29KB

MD5
6095b3a6322d084d755577894297de0f

SHA1
b8c97c4350364e2157376b90f0b66a40e9bfbbea

SHA256
bfd80df7b9ce9e3299227cbb03fa95142bed451d842b50a0523bcaa532ae7a06

SHA512
7700d0090e812b3c195246df71901c51383c810b962aafd94f006caa7e3353a83308fb905c3800488ed1300d4c7cd49602696f1871db9fa20bb7efe8d9940427

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
591KB

MD5
945a745106041fdd95f46711944de846

SHA1
f8618d4fc4eb02616c7eb514ecd603ea99450f46

SHA256
22922355b6e6af4b8675087972944b1bc916a8ec5f8b59ba4a1c6c05c0a0e623

SHA512
ae9df86d4b3ee64e935e6a7264bc0a1bdc505a4dfa2ce7f4e506a9f59013d06e033775b72ebad1402bf88418f2df3038247b01df4c3f9dddce32d6c271edae24

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
2.8MB

MD5
8a191f9c5565e59108a8b3466caae2a1

SHA1
9d3f8ecb8ccd1128eb972393f87b43b7b572d6c2

SHA256
757b5236cca014ad68e9d0750bd2734d665147ebddae037a1a3404b40c2be87d

SHA512
be110a9c56652cde8bc50c9563e0c5bdc09008c9a285d3fb2f5b90a404b19788e3e89e4721e972a2fa59c26ac86baa51b2936b6d92781f8b8c10e6e3b2714793

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
64d05ca34c7781c4808312d8e9926c65

SHA1
ae2872c29fe501371b602194a55700412bcb6b43

SHA256
51de9e4937bff420c42d1112a04c3e5cb797bb2a4e80afb41256fb9f17de56b2

SHA512
3078677d2fb121986a52f11567e8222816a93dd5a2cdf8c5e1f8e7ef675711ea10ede39130785935140fe36eba6486c04323c607aaf66497ab3b0e99ef249e17

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
150KB

MD5
db47bd2986e3021d65832b4790912a3e

SHA1
db6d31a19c931200f006701dfe01e55f0be25272

SHA256
fe2d5dc9587f6bf7d83f2de87c10ed3726c1827c157152092647e7f40335578e

SHA512
577ceb7130dcd9a98a6c5cd2c2f56da0a7f3dceb392039a76b7fd0cd900a0e8c7f37e8fd09ccd57d808531aaa37ed7cfbd41cf6b19234cdf90490335ea33c159

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
536KB

MD5
1dbd696ccd103a5d24cda866b0ca2eaa

SHA1
f97b691e94b729cb3ffa80b4db89df09bddd1b46

SHA256
11820423bae6b8c5126d11ece721582e5ee9b457f76be48c79c5d179b34bd344

SHA512
732b603e7a667f6ae2725327e43f6f6900187eeafcb873fe12080cd2d93aace4b5bfdbc7593a7d4978c8668674ce15e779a0938a7445e9c16e0cfd43afb9fb96

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
179KB

MD5
a1ff16177066de20ef1e79ef2ebd1b47

SHA1
9c9587d6964d224e8f57cd257caf2d29b0b6ea78

SHA256
e6e73d596983ff58d68125bab2b4dbe304611ed31263c353fc9192e542ed7767

SHA512
05a5ee23ff53401b3f15ed91ae13dab5b524aabc3c040a837c7d600ada02333b5650e48f633b217935ac600ce111e31277bc9a4452fbd4174c2bed3248959ade

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
551KB

MD5
0f68ba905c709e9fffc390b06aa19425

SHA1
ba585e7dc3606e5247c41d6d5c8893bb3f51860f

SHA256
86e55dc4e0227e7a883b24a4f0258141499e449f78fb3f21c1ac28ba6478ac62

SHA512
8cbf86a4b846909db75939e7f4f9c513483939b61d5a8e10101d8ddcdc09307afc590dd00b5b698b7434179dbec110a67c084589cf86810ab88fb5d32650f772

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
574KB

MD5
e6e76c18601657cd75f7e862ca8a0d7b

SHA1
9a68dd5425f73fa8f4711f538afb557fdd2faa76

SHA256
f2d9cedb2633ff4b3fe3caa77c23dcc62e159565f25c8bb1aba6a699e80f4295

SHA512
bb0106320c677df5a90fcad2666c774859ee7df1ba851170fdf919a1080195c9ed8d707edc80e99dffe198ce8eba88826480d19b98ac3f4686a2d1c46d4eadac

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
159KB

MD5
45128ab401c4370a7c0e257b03bf75c0

SHA1
7e578e94a91ff5c5647725e68efe858e24e23783

SHA256
63c37a0ea165c5e5ef293e9a21e7c895d3ab603fc868d96ccfd341b463f2abb8

SHA512
c8b790e98a91d852d45e85ca6f9b73deb17fdb4f1bdb2df87ab5895b5976bd318bc579c9dfa3cfbffb5c3dd1869f324583ccedb46bab58ab07439e7b109f292f

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
683KB

MD5
2656931fb37a5db053bf10664961e3fe

SHA1
afb2dee4f764e046cf9738ea329382fbb11bb694

SHA256
9d3eb0be0cb3e1f616ae4e4fd885480ec3572b99366cbd123a70067a8fb732a3

SHA512
2973eb8926db5ed737f2603247a5a3efe7013bd721256a05050cf9028dad226deb80d57b71068575e3bc0bb6addc8ea7a502e387af11ab92957ea93fd0e6c85f

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
684KB

MD5
a3f72e98bf527c7deb4dbaf4cc91c22f

SHA1
ade641af56f7fdbea56795d832afbac301201905

SHA256
a71dca7fd93f41801a4f224089714fead50835e1d1ba574725c3e0b15ed6bbe9

SHA512
5a848d8c46dcd7bffd6306d9a6b90b590f209a6533949ed5711c438c43d440d60245a71cbc7095dcbf56b13620d4dea1b04648b1a6f512b8cdbdf15ea2878b91

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
3.2MB

MD5
2b44caf133bbe5f35eb1b3587ebd0e50

SHA1
470401ab27012a775e4d1c81c7fad2f877ed9f8f

SHA256
c06d5d58ff8e4cfa5962cdb62d772ebdf9d4c1fb60cda0c5bd43f3aba1d16eb1

SHA512
fb16eb5189634b7051bbb04504f757ab7b34f1b4a28df09917d0754809e9007b9832b589893e4a78014bcb00c7ecfed20338317abd9d500ff0a250f8ee944747

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
2.6MB

MD5
1a0c039b65cdf29d24289b4f11b89806

SHA1
f1d83216c39d34fc5f899370218e42ca09a63a4e

SHA256
457ed4139290c99ea4f638202a2ccea14de85640c4504c3cac9b8d83b15f9f16

SHA512
79ee567bdb81e773bc97fda34435aba8fa4625a1671bbe63328e4ec9a8c629b49c855c65c17a713e2f752e2d535b1db6144f94ab4a49f517b7fe80a4acff45c2

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
500KB

MD5
d73a42452570aa40b2441a58c796b441

SHA1
635afa75856dec1785312b00e70a92fc29a6abea

SHA256
c0bf270d98f2323636a32077ab8cfde1d3dfe364049c33e431ef737f6b529996

SHA512
cff055342c64d30d179c2e14f93fc51db81da7d6247ea55b45daf60687631e484a0500425d435b29843be850a03d75447948b733e27f258f50f3c4a72cd3ab7d

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
399KB

MD5
43d7cbb04163503d20e1ead4ee6d189e

SHA1
606f54f199fca8e61b9443bf56127d20c754b0ad

SHA256
66fa86d09fb2cf3bb1004599173b6e76308d0c8d26b70ae59a993334af59308a

SHA512
f48d4cf592231b81d68739826ca7dedd43df2e8b2dfbb0b3af9d6e1c43f0bf9fa19eecc0dd1a963ab500831e8a5b096f113bda23cdf75bb1e653de824245b297

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
4.3MB

MD5
3f768141f7a982b322af4d61710b270e

SHA1
c666c97a0d2634070c96e54fce45f159794176d5

SHA256
9874806e553c7a91f3ac8ccf5f055d1f44517f3fa8707870bda443c57f926dec

SHA512
5e89acecc770ac98b84c86f8c0657df1be5171f8cdf2321e3c7169a8720a8b996820d3524d004ad6035e19039225415018f9c9f46325ef5f326bb2bd36c58816

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
5.1MB

MD5
eae05e9cdeaaedf454605827673bb238

SHA1
da5fbbefd832f89e07ca87784116817d3e4a9496

SHA256
861c4e7a705d03a741b97bf716e7a5405d4cb644bda96ccbd6465ebea82c7ca4

SHA512
e0fe378efd2513c043fb3a842a66ffb266b9e90c3b29425faedb860938010557e613558424400dc33542b14834a7e9f1e75bbdb0aceb5992f782c6540e7ab6af

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
889KB

MD5
5310876d033424ad8a14760d99532895

SHA1
f289ca9c6c20f182da1e9a1f2fee1cab644eeed1

SHA256
f30795e2334e3a8658b4f7e1bca30d5e22921afc47f378b74625c4988dbea2df

SHA512
61845a46dbc978d68180294be2f88a22683f529e3a8f778604be972fe730316041c0deed0c6c1b6dbc865e69f1f2ed3c5daf4dc23bf9b387ae83adf2dd09107b

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.4MB

MD5
f977a1bc472172282e150560c444af2c

SHA1
c74e91ee67cf001879b7371d164196b75fa05e69

SHA256
dc3510101e268cdd7833ed2947cb8048a46fbaef39f90ee61099307c8fe0c59c

SHA512
158b7d2244505eeca594a71d462f6ee4fef252407557e78800d1d30cca7935a0d809c333e982cc66a29fd67e25faac72e052c593d2e7e19e497a9251aa613c7e

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.9MB

MD5
89adfbec66795d3437f77963e5d5235b

SHA1
efda4f165065584e533b93414b819324d53a59c5

SHA256
eb35d60a5c6bc28fa9e077ded8e90ccfe8cd7661837afb7df23c75451289a621

SHA512
10680fbdd99d41510ec2ef86cb3cdcfb8e016dd6b7a298760512890527e2104be13d06e1b44116dcaf4770d09787ea26516e6d64ee4a026253c02b78d10764b6

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
62ebbad58a5282e8bb75d75c5ebbf7eb

SHA1
ccd79d81b0942f62249014fbbf20a01d58405585

SHA256
f1bbbcaa441759f463fd4c00109a2b665c370cd221f7228a916a10915bbf8e2e

SHA512
fafd492fa451d80c6f91161e9dbd5ec0cefb4b24e86e5c1cbc4b2ce4a5b4f3c8bd92caae3b8e3d0aa431692b66d1fd3b493f8447941eccffe8b6e9805fa29667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
fb48afeecb1c6e35624f6f3229cbd5f2

SHA1
44c1f40b1dfa4abe7c2136284c3ae8df8ca3ac6a

SHA256
276fc74482b0be9387c1c6e2427d355aabbb59ff26d8e203da9a0e7b5b6b1b9e

SHA512
f3730b550c516b4af90afc92ca1385d57d15ab6b74dbee8669c79817efcfc7ade22a43e2c3a574ce48d3028ba04044c7dfb7dbd99cefb810f5857692f215bd87

Download Submit
C:\Users\Admin\AppData\Roaming\POSA55094.exe

Filesize
1.3MB

MD5
a4b8aa74ad2cbd0637fde253fe274e83

SHA1
33fcb9720d1995b44b04851ef407e6ad0e50a268

SHA256
20a6b7999fb3ff90688026a1c27ba38b36a2b164f949fc340373832388abf727

SHA512
82ee46fc2122fae3d168e06f0fdb39090135d6a5464072fa7ba74799a2bd18a98eb68f7e1b34b23f46641322e930e10f5cde38a956672f3d0f1ee09e17c181d3

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
2.9MB

MD5
ffaa58e7d84ebd1e1e1d766e685a12fc

SHA1
5db33347d7bd9d05dbf1358a9a412e672e7b462a

SHA256
0a818a29bf621cbc277da486796452fa1156384a2659c2467d9dd70271f03944

SHA512
143cc7515e41d2a967755c5160fcd1f14269aa6bd835154b183f1fad1a683fe4373218e5dcc1d90cee0b9ee09a813458688eaeaacd420c753d42abf8500867ef

Download Submit
memory/2152-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2152-2-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2152-0-0x000000002FF11000-0x000000002FF12000-memory.dmp

Filesize
4KB

Download
memory/2152-89-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2152-447-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-25-0x00000000005E0000-0x00000000005E4000-memory.dmp

Filesize
16KB

Download