mylobot | 382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c

Analysis

max time kernel
296s
max time network
269s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
Size

261KB
MD5

e381028b496c601a9e0024d3a10b8d0e
SHA1

bc28c3e44f65bec3e9fc0e3112027a9ade6969c6
SHA256

382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c
SHA512

7c90bcd7a136288e9ecd819e87a857009ca5802e0a0e9aff034cdb1ea7c23688dbc0ed074fa2e9dc7cf9ddabc9bc3fdd935e97e08665cdaf3bc0695d919fbe3b
SSDEEP

6144:0eBlISBwLaYlW8n0WkmpTKLCldp47wifieoajIOi1Ab:DB/eLXlW8n1ZKOLdUn4A

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

eakalra.ru:1281

op17.ru:6006

ashfkwu.ru:9821

pomplus.ru:7372

fasefja.ru:3410

hpifnad.ru:3721

benkofx.ru:3333

fpzskbx.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2468 svchost.exe

pid	process
2468	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F8539989-087F-8164-6FB0-8B6621E198D2} = "c:\\programdata\\{6443B1B9-204F-1D74-6FB0-8B6621E198D2}\\c9fc6126.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe

description	pid	process	target process
PID 2452 set thread context of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417190561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000089b5ce6aae4fb233aedb4355ec99e6504cacade58396e28944024dfda057cd54000000000e8000000002000020000000bf312855b64b944378040d0a57d4fd5b9b25b57af845fbe2762fd2fc46e0f30120000000a18a39200d5cb94088295b9f0eaf9433163a4fcc65fcbff82321bd6b805176e2400000002a1057c7feb1f900291c714c70b7a6d0eab1ed736a5ae76219432e819fe26fc33b1299b3c10da79e315ecb0ff156995a998a1dc03463d9bb06a856844484a6d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31706791-E789-11EE-B991-7EEA931DE775} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000ca82d4680be4b6009dc215713b210c6189acff1be8d910a564a1df8105548f75000000000e8000000002000020000000556c067999f8b0a0ad393bf1a9003d5131ecdac9637e1e4afd5c29f5256caa51900000002788217e5a36a653b8ff148d9eb41b4906a2304c0eab55d07f75f5a49c3d2a48e112e8d68dddef86abe72b7d7c42aa29d7ea87419fa6fe780c3d299ab14fcf012166483d98da0cef9b56020d36cb1111556ac28d1764cdb84fe4f04987529e1d49bd290fdcf3fe319069d33626e4586cb4ac01c1718aabb7c005485137fa16fcdccab689db0f62f8f404f53ed08013b340000000521f4d9d60fddf34260bd6abeb4eeec4c85f1b71d586abd36a257c0af4e5fbc2dcd80dd9a36d465e57b6ec05d49317385fc2702687ab2ca713e8c447dfe2bf76	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03a0906967bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEnotepad.exesplwow64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	splwow64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	splwow64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	splwow64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	notepad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	splwow64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	splwow64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	splwow64.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

2564 WINWORD.EXE
1008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exesvchost.exechrome.exe

pid process

2608 42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
2608 42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
2468 svchost.exe
568 chrome.exe
568 chrome.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe

pid process

2608 42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe

pid	process
2564	WINWORD.EXE
1008	WINWORD.EXE

pid	process
2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
2468	svchost.exe
568	chrome.exe
568	chrome.exe

pid	process
2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe
Token: SeShutdownPrivilege	568	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1560	iexplore.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe
568	chrome.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

iexplore.exeIEXPLORE.EXEWINWORD.EXEWINWORD.EXEsplwow64.exenotepad.exe

pid	process
1560	iexplore.exe
1560	iexplore.exe
592	IEXPLORE.EXE
592	IEXPLORE.EXE
592	IEXPLORE.EXE
592	IEXPLORE.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1008	WINWORD.EXE
1552	splwow64.exe
592	IEXPLORE.EXE
592	IEXPLORE.EXE
2460	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exesvchost.exeiexplore.exechrome.exe

description	pid	process	target process
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2452 wrote to memory of 2608	2452	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2608 wrote to memory of 2468	2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	svchost.exe
PID 2608 wrote to memory of 2468	2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	svchost.exe
PID 2608 wrote to memory of 2468	2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	svchost.exe
PID 2608 wrote to memory of 2468	2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	svchost.exe
PID 2608 wrote to memory of 2468	2608	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe	svchost.exe
PID 2468 wrote to memory of 2452	2468	svchost.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2468 wrote to memory of 2452	2468	svchost.exe	42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 2468 wrote to memory of 2424	2468	svchost.exe	notepad.exe
PID 1560 wrote to memory of 592	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 592	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 592	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 592	1560	iexplore.exe	IEXPLORE.EXE
PID 568 wrote to memory of 1848	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 1848	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 1848	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe
PID 568 wrote to memory of 2744	568	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
"C:\Users\Admin\AppData\Local\Temp\42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe
"C:\Users\Admin\AppData\Local\Temp\42fee21b-30a2-ac48-bbb9-c6eae04ce8ae.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Deletes itself
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
4⤵
PID:2424

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ConvertFromUnregister.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:592

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompressConvertFrom.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5699758,0x7fef5699768,0x7fef5699778
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:2
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:8
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:1
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1288 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:2
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2268 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:1
2⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:8
2⤵
PID:276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3696 --field-trial-handle=1212,i,15568287363046368979,11797236361528888017,131072 /prefetch:1
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1852

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompressConvertFrom.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2504

C:\Windows\system32\notepad.exe
notepad
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{6443B1B9-204F-1D74-6FB0-8B6621E198D2}\c9fc6126.exe
Filesize
261KB

MD5
e381028b496c601a9e0024d3a10b8d0e

SHA1
bc28c3e44f65bec3e9fc0e3112027a9ade6969c6

SHA256
382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c

SHA512
7c90bcd7a136288e9ecd819e87a857009ca5802e0a0e9aff034cdb1ea7c23688dbc0ed074fa2e9dc7cf9ddabc9bc3fdd935e97e08665cdaf3bc0695d919fbe3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5acd79c368f49aa192ba64d559c65430

SHA1
d53c4ab125cdec56beba714b50d71a0626ba06af

SHA256
29344d77b509d736a070345bb7289dd5d895f60279bf3722d2dab45226ff7729

SHA512
d2a80cb63c4e2369035c434ca1f61c5ef4385a968264e0dea925a6e8df32facbe36cdd36d9f8de957293ffbcc46f820d204f6f791346ee8238d011bfac2a2cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8acf4119087efad6e3ccbe9a0ee7b19a

SHA1
04d9956bee914049dbb044912f686f0cb3358ee6

SHA256
7938adf365260409fc4e362b80431dbc989a7c18936aaacc2cf0ce583d3b76e5

SHA512
296984fbee52b11b806edc5dee3f6811367c6801be8ff085a325d5efc0156b0e9447bc907dd301d8e8c874298f7416a8c6d1cd05fb954a33f582c344c1bbd3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5a724e98d508e62872d6c95b2e7c1472

SHA1
0fce96d8a621625aeff055fad3e6cc88ad7b8617

SHA256
72c0915873379a1bccdfc7f6b34ff76f1ee90adaea4ee58c317ab309f5223d0e

SHA512
6bbc64513a21f2a7fc743fbd26ade7e7a6bd594adea1dfdf5ff8a1aff9c62ef72761d0cd1d2e8f6a8659c33bea385d176982d9a7b7b030c531193dfd6ad01f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ede791fd7818a92bbddab9d0cbd045b1

SHA1
fb35526ba48bee02c4fc9db812e8eb0df7c5bd39

SHA256
d3ae23553151b0e1d67ab17e50d4e1e2d72ac6452546ae7e964fd2c903391c18

SHA512
90103c768881692d1f15800cb3de1440e0dc4e361e46fe7b1869e461c9da49de300031e060d30600fffaa80fe5d54dce6f5d8c1986e2941b39f732e716ead5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d88e51270a856e5ccb58bd181dd67e8f

SHA1
f733f5d81cf98755dc987d9d09edae81d9a4271e

SHA256
20f5b73200f62d51e0f816061940d2c2b4906a213176d629b473c47ec2028918

SHA512
cb82db7f84155d9e29fdd56087e3dc78bc230e30052ee357042e62b8f8099e708707188792b5a49a5e20dc4b3ce821ab4c02ab836a573058d09f1b562c32c085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d33420e71d8d73f2c778370969dc5021

SHA1
42cceb2b8b9a4581b43509058f4c7c606701abb9

SHA256
1c8976f498c0db215b0208eed79c6d46fe42bf4bed257e0e94ab7808c9d69bb5

SHA512
bd1327d3424e4f9c743e2b1d1422977a55d66e5ffe8d54522f0a337894c52baa02c839521f0854e76b1eb00201477c307b6139e9fdf503c1837cc9a6dfaca457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cafa6f22924611e2c57cf130a627d377

SHA1
ece991b4844a67227944c041696ca6f0fd77718d

SHA256
780a3a3574bf743bb077d152fff500de890562953e8fcc876a9882327193ab7b

SHA512
0e35d4c7fef9134584356d3ef7965c9d6a92f6f834288b498e6e5f106fa4faab45d74ef1b51beaa5084d1230239ff2b7143559f758a6ee0498edb487a3397328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bccaf4ecc0ec79006a29069548908567

SHA1
db0a8f77703607f9890985c1fc3356853f3a0ba0

SHA256
87fb5461f6c3976c35c596c1de3fad14318e9946e366eb3277ac1df07f4fd0c5

SHA512
6c89c9cf57e57c871ac77b8eb1f403a46ccd22a394b15297598fca297df3e7f964fc976b7a844f72dc1baeee89010b57054abd1b1e2e5ad4f9b8864795664fab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d7c1eb7b5e0567a58404487a4de546ef

SHA1
c6a7c473fb342195c104f5e499d95b1ded6cbed3

SHA256
3e8885311aa96967c2aa6eb30bd448926ec9154076dd6af2cdc9547c620636a1

SHA512
37e7ee8d8297c42305be08bbe528b7cc1da7fe866d19ab1bbe74edc54b4e3ad8ca8a6b6254e42ca78d4ff515e9640a3d9466c2b91462e3ad8740f5736a655ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2bb50d68ef9ce9e9fb76eb5930fdaaa0

SHA1
cc4c1913ea8bb6d723ffaa498d544b24faaf3600

SHA256
891f9a60366407e32381ed9ff06acf94a6dea9a9ed5ebba7d600cff425f8104f

SHA512
a44387963180d538597f1ee01e946ede4c90bcac58856bdec90a72e6aaa4a1941e1c4df0fa503a66de32171f2bc99c0c26c51a14e09030051f0e44a4e3912dd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3ff7092f7f5c6566a2bd273250c4ed38

SHA1
9007ea14f09adaf5f087b8722342c79c89079109

SHA256
1ccd275a37d35e7512a8a21eca3aa65f43007f82a73531a9df4e90ba20ead2e3

SHA512
fa08fe6d9c59d6dc27644db103f09a1c05e56f1c32a0872047bd8f0c32a48b1cf5419ecab28cf65e5caf4372f6c3fd3ff5dd285b5720b669fddab988ad3ba0c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a23b2d82848b8c6be2ee0f0b47d50ef

SHA1
09c10b8bfc31db4f5d1b47ae7dd68b75677d5e2e

SHA256
eaba67ec6c0ae11a00b36cce306443f2c7636f4645b8682be14a92768ff5f0ef

SHA512
b340cb9534b9f628037951baa88e49c45065371ccb608047940dca0b7ed30a785167ee9cf2ee9a2716a364e97c2a6d611604c5074630500dc85056ec99a27d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
e44712759b5d47b437d4fc62c9716e97

SHA1
48f2589989611cbaf4994947c858f5a7f8d5d24b

SHA256
535b638adef3232aab3d9281e828f9b673b223e0378409c634f95c497c599ca6

SHA512
fea17df59ebf07aa0d2239540fe99939805b1aeca33d2dcbb7ab1d9d0ae4c36a5fc1479edc7ff9b0df7fad1ebc5eeb23fa515f75efafd3ddc7936ffd3f5dde91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dcef6e29da47ec57f4b0e95247161c73

SHA1
efb485762d920896bb1ce8308ec7d43f0516edc0

SHA256
3083d5a45f1a6e70e64a6a457abbe5f6cb7d03dae58a493ddc0867109a5e7d40

SHA512
853551c5722b89351458319e00045133c2ca80bf8cfb44cae6f5badc79e69f67f07abf4e5e4898a045d901fdf0a691f620120a57072322b7491602a8ec5373d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
5432937cd326631caea52e36c8d7d574

SHA1
c79880c40d7af88d85c657b8dcaf94f82a30241d

SHA256
c02dbe085cb9055339e98ab3496cc180ad056199a2338f55a97c2b45f07fb847

SHA512
1d188088cfeb93e4c57c44b0e2d3c1a8e940db65abb5ae5a6bb5a38e617873ba61568204f90035a195acce84a70c7a174c38ec9ea24b4f76ba7a20f1b3d52564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cd0d2a85-ff3b-4aeb-9f88-acdc8e84691d.tmp
Filesize
259KB

MD5
b772a6552c7d0a47dd94adff42d0629c

SHA1
52763b41af6ddc42030f99a12b2e1a72919325c0

SHA256
4130976c62ccca1a714d9a75f226c8d0bafc69ba65b5ae959471ef9af31bf77b

SHA512
ccc8b56c8ad147cee41600302b6efab8f80ca3a158543e41f61d59d601cd234a14ff43cd96d8f6a1ed79e35bfc5c4b3dc27f04886b82892ea39050a01b568481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
Filesize
1.2MB

MD5
02af98ed35bdefe30ca743b8c96bef74

SHA1
d1e789c549e57964e28bdcfc2430493a3db1653a

SHA256
8d24b88e20d1dab4087aed2974668af2f406360f30f722964fa303f26761e2f5

SHA512
59fb7fbb0b89540ba776de87837d93d9541ceef205daf0dfe7842785a6ff6df79badda3c2d911660ad718d781432fc1df04a704087baa7eafd57730015d5a1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EAF.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar500E.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CompressConvertFrom.doc.LNK
Filesize
1KB

MD5
43189c97da3531a56eef527757842d54

SHA1
96242b0ca6fd8fb88233a5f91a69e29494716e8b

SHA256
e1b0ac071664bcc401748d2e47883083ac2bf15ee5f3061572c615039e22cc48

SHA512
72c7daa39c4a0ea799c859f707d18cddd620d251f76f808b4c5a275257c379fd0cfa15cdd4d66f99f4147bd43798ee1928202a1cefafa4b0b7535aff925ef67b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
132B

MD5
382f1f56e3bea97d98418dff3f5cc58b

SHA1
9cb747e23662d48e8fcb5067c7c4eaa387f17d0c

SHA256
9856f3cdfe8b95239587f8287a29fce66b9df54ca5b66c171f711cff5038dc76

SHA512
b027201d9c6c95fbcd5d9d7bd721af6dc6879b775aedc041a557a552625f9fc36b8e0f57a787d2a64519459c67f789423d13f9c4f4fd07a91982c9728396c1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
132B

MD5
2a5d8d289aecf4104298bb7652570942

SHA1
eef2ac1195428835e7a9f6eba705a5ab8ed583b0

SHA256
6ab7227426d11d25481864a4295f675cfa8d2b1b60049896d89db633217dc233

SHA512
c712f545c1dd16c7a28657794f6cd0ba6567e6980213fa7fc4fb6c50ad911a188a1059d1f071438096641cce42e5f7e82ddc37ba739cf6d6a692f93b2f6abc6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
80B

MD5
fb731fd9f751d9728e0d3a4ccc02cbd9

SHA1
e8f0bc1454434cbcbbe1937f2638c4570fc36576

SHA256
b841ceea563ec651d3d08cf503ebecca210b32baec490de2a8bc93c2b834d824

SHA512
fa92853ad2f727f626fb6f574db2d3cb1b78126d577f1b8c1088a1f7f3ba586a3738ab6fb0a088c176a32102eaf79aa6a297ebbdc55f2c538e206555feb7135d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
261ccbde3cdd4feb98d66c3462dd10bf

SHA1
d3042c68342996e694358b05c623f793e36893d6

SHA256
2d75f466abc2250275ae9a9aa3e552451ddaf8d992c17491b6c6b09ad4e4803f

SHA512
1d12f3ea45d091bfb0d0f5f3e5b0fff4b70439b65594d614cebce239d45aa6aaa02b3b8fa825c39bd0aa4aa9a5a71d3aefe4a271a94f43a441a1d3d360524898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\crashpad_568_GRWMAFLWZNIFPWLX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1008-1390-0x000000006EF9D000-0x000000006EFA8000-memory.dmp

Filesize
44KB

Download
memory/1008-1353-0x000000006EF9D000-0x000000006EFA8000-memory.dmp

Filesize
44KB

Download
memory/1008-1352-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1008-1351-0x000000002F141000-0x000000002F142000-memory.dmp

Filesize
4KB

Download
memory/1552-1386-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1552-1387-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1552-1394-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2424-33-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2452-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2452-26-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2460-1412-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/2468-17-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/2468-19-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-34-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-23-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-18-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-22-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-21-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2468-20-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2564-608-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2564-534-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2564-533-0x000000002F231000-0x000000002F232000-memory.dmp

Filesize
4KB

Download
memory/2564-535-0x000000006EFBD000-0x000000006EFC8000-memory.dmp

Filesize
44KB

Download
memory/2564-609-0x000000006EFBD000-0x000000006EFC8000-memory.dmp

Filesize
44KB

Download
memory/2608-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download