b4682c7198c6427d9bf2a7d1a3300b9836109ee2b716aee5ddabf4bbbfbc4f5b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Preview [email protected]
Size

126KB
MD5

7a51ecfb6939e6b8d9fb683622b8ddfd
SHA1

64792d2d3890effd9c63d10f3809a3f6e5c1e307
SHA256

b4682c7198c6427d9bf2a7d1a3300b9836109ee2b716aee5ddabf4bbbfbc4f5b
SHA512

001fadd039ace845fd9d5c6fa4fd03b3fd8ab47ee4d011a0dab21107a196b194eab236d43092d252b6892134db6ef7e8707745c82f6060b758adbc889aaf5312
SSDEEP

384:4fnDQ8B4vQtVDjhMXUqjbeNRwGWdNsY0NL7cPiwBrwa40Ti6rGsexJqjn8nhCqYx:4fnOtXRjCNRCNsYGSmMjn8l/NLSJ0c

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c60bd22f98e523439b8d571cdb5d5b9200000000020000000000106600000001000020000000e984af23949cb93722e49807ae394e0dc9fd9a5cf1335465ea3f4319c6cbc3fd000000000e8000000002000020000000734a220d2107dc908b1576693f671b1889761ca6898b09b2b605134dc5ce021f20000000b88ae5dee5c6e9499f1a3b8520e54eba1963ac86caeee62bfdd1a30bd480e8ea4000000054e4635846879b36af05aeb498e49db66a6f25d28929545eea6beee54bfd9d53b06d89d3f79f441b8603c7f639b9dd9b627304cf83f1c8fbe32fd28db1b32f6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4088264d82abda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{853573E1-1775-11EF-9FEE-EA42E82B8F01} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c60bd22f98e523439b8d571cdb5d5b92000000000200000000001066000000010000200000009367e9f18b5f5587dd849493b1ba98d4015cbd36b15eea190d7c92a89bacc171000000000e8000000002000020000000a15d2fb2c4b42a27cc72894dd90ce0992ee2bdb8b1b0853a80a3355eb214549990000000e663ee035707ff996c75505630f02e7c6971577484381af86269e58e44b8bed3a4d62a2c129c9f4a549a11e8bacc42af21b32cf01d4c78fa0db710ea8e4654be302d89fa3d19c4a63a8e83d84d393bb5d4c10d4f80424e8ad2b6cc4ff6ee40c3575136abc462e46792a447d30b874dba483a7eaaf6562cffb52d5df025f7b825822e549272923ab9b0762cd81b9d4dca400000005ca851275128c9071e87ca4ef5f06c15b2e85c0691b3ece6e02f3ade81afea02eb6590300b7a875f181096f09bc3f4bf51cc0ab57a76e07b25ebc471069cd9b8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2908	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1944	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2908	WINWORD.EXE
2908	WINWORD.EXE
1944	iexplore.exe
1944	iexplore.exe
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3024	2908	WINWORD.EXE	28
PID 2908 wrote to memory of 3024	2908	WINWORD.EXE	28
PID 2908 wrote to memory of 3024	2908	WINWORD.EXE	28
PID 2908 wrote to memory of 3024	2908	WINWORD.EXE	28
PID 2908 wrote to memory of 1944	2908	WINWORD.EXE	32
PID 2908 wrote to memory of 1944	2908	WINWORD.EXE	32
PID 2908 wrote to memory of 1944	2908	WINWORD.EXE	32
PID 2908 wrote to memory of 1944	2908	WINWORD.EXE	32
PID 1944 wrote to memory of 1876	1944	iexplore.exe	33
PID 1944 wrote to memory of 1876	1944	iexplore.exe	33
PID 1944 wrote to memory of 1876	1944	iexplore.exe	33
PID 1944 wrote to memory of 1876	1944	iexplore.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Preview [email protected]"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3024
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://url2.mailanyone.net/scanner?m=1s6kIZ-000572-3Q&d=4%7Cmail%2F90%2F1715662800%2F1s6kIZ-000572-3Q%7Cin2d%7C57e1b682%7C28613012%7C14303582%7C6642F047969FEFE0A793E0B429195554&o=%2Fphtu%3A%2Fptsacblmus.i-mdktcnai.ypos.%2F%2Faicm5sor35feg%2Fa-5ce90-285-f10f8-1963002105dat%2Fc%2F8DPSrf7ERNHS2DIKAPhbAQIADVtaA%3F%25ge%3Dtrr27BeTag%252%25ltUA223r%25sh%2522tp%252tF%2553252%25A2gc52oleiFocral%25e.lec2F252p%2552w%252F%2522C22%25tiRepecOdr2nti3%252%25os5BA%25222%257%25lA2%252ul%253n22C%253%252%2521DlAn7%257%25ultiD%26Les%3Ddg1YG7kHRkx5cnUq3SYFxvsECuuTIS91O94LWI0h67e3L4r%26sc%25Doeet%3DsinVrb7a5d97b85bb2d33b44ae63458b1fdee&s=JC5PlmnJ_xBFsPoyCtr2ByroAOY
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
df80f9ba75076db634761b6132e0d4e3

SHA1
07983946fb660752c7cccb2ef82d01ec4c9ecc5d

SHA256
d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99

SHA512
4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
551a4bda42420e4992cbf6af7de8adfe

SHA1
4c5f34630e58015c5d3befeaa875aea1f624dc0f

SHA256
de6c5e04edd2de42c372166e05bce045b7bf24c67b8d6cd46b856304638c55e0

SHA512
a0c6d2186fe603070bba93dadfaef7fbab3f2db53137901e703f7062adc86d474537ed88b225c9043246496ac5e2d4eb560dea5c3845c0ae75bb1975413e49f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84d376c3380c155d8b1eb4b793269c9e

SHA1
5bf2de32100263baeeb98dbb7286062c2165faad

SHA256
097aea6ff9726154416c1f6d523c1dfbfead10b900bca7e952f7cd08e19fe9df

SHA512
17097a81465a5e91f83079f091863fb5974a2d97037d1749c98289241ca6c6a73ed1b4260b1a2237bafea6da1753cf3fd7d44b91c14a752af5b129edb1b81740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7ac9e00f6d14e13f30a01e62301139f

SHA1
04017c9f45afa5292f4ce5956e68d47103a60a28

SHA256
d387e9621307d170ac295dbc28191fcaa92d6099244f756c308e55b8342fe109

SHA512
cf9e8ec730a7a699e0df8cc934904321dde591ac7724105b56e233d578776ff041b4ed54a49863650bc5e1eb89a029e7c5a84c8f73dfc4d67ebfd9f3c04c2959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
091a332dcc5e2c236ce99a5cad15006f

SHA1
37ffe05c061dfb00cc11c81a426c95d0ef293853

SHA256
354df92865d48fecee5f4c43f6c6d5ca58b9f16f671e34663e3f2411f5e8fa14

SHA512
ff352e211560166c849c6085022f8cb1855d55b3e96b9e65a40f2fd5c02bd46e4a0ec40dc63a628415165662704639aa01a5421d5c9ed45817fe620416f27435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
879ffadc388b555add28d463d5b98c89

SHA1
e93dcbcccfe8bbded1fb6b148e4588324ac39b33

SHA256
1abc65ee870a160cea6a7b73270a7a884f791e49a703c637270fdb06dc75e07f

SHA512
7712339719c318f958040931c1f918064d177802ce1262aa3b2eb835126187e09e3acd366b013a83862db97d84b08b6646094dbf0912a57211c5c61f4a62ef3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b667af8fe697bcce861c1cd2ffef21b9

SHA1
1ec97bf68501f85502bcf5098fd1dd4ddb873fab

SHA256
e7982f76f8c809bb429c834331509042eff1c1afb352d5c552d560445dbac721

SHA512
5686ace4db25e71f13a5706610d824737b121b417d6222e0ab2460a1be1ae09117af5fa692db4ef98a27f06ad30825218f409d012dbc1cd40e3927696656887e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d43795e00dcd35ed16ad26ad36c662bb

SHA1
cc4a40433b45638f786e873b728d931284c36e6a

SHA256
3fa1babed330efdbbe883019bde664268901c7215ad899f2cd5f3caa31c4d8b9

SHA512
ca4fee80ff6923f2483420aaadbd636c957c23a8c55ea2e11ee7cb8c10ee7d632bc364c0bb169fdc7e9a32fc496ec8e623bab77d2148f7e6ca1cb5d9432f14e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4519f58e42549757096a438c09f0065

SHA1
7910395e93c2be7e4031aff2becc1ea08c716793

SHA256
bc4f87cd1ad9b08147a4a2360a7ac557342134b730f2cc02f2058a59414cc961

SHA512
212960aed0febe287b1e402d827d3b89a77d811f4c86e5dc11f3dafa2bdbf7031385b15023d1d87f34fd8ab8b547b332712ae151d0b0510a3e14a3d3a4390153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
044d0b2fd905b64ae68a748d59f9fe21

SHA1
29389c26c6c4efb63c312d74613590cd4fc49ada

SHA256
cfc9ddafcf0501af2f6ad2192fe1d15e00040b2ced24466cfbde51e42aa6d0f9

SHA512
c4ddcdd06b3d3a67d4742d8fde6830a0be31a7dfb62c57a954ad894bbcdf9b5462d818942d93ab1192dd7bc3673167a55d2c9417f6000c1e3ae1cab239349136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
583ea9c463adce121dfd6fea739bb15b

SHA1
beefd76858e51cb0292f9008f431c7c29c31fee8

SHA256
b949f6674999274b25590368beed008c9e93a56da3cace362468e2bef042610f

SHA512
533ce8c30b1e41f43ac4c51cc34b4e310a678be7eafa677aa3a60f30547f37972359c45454a86f21c2c3567cb150fda94490b972c5378f478012123f768e3f4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8206f7ce1e721627c917571f472d10f

SHA1
b34eb909ff5e6912e94bf0fd2f1c3a954558a519

SHA256
edff09df15852fa34d94c8aae608d466dc15a615c7ca5ae81442cedd1675c39a

SHA512
02a7bbc88a465022f9384a8b64fdd93a56f054329ac8a1eefc0a297440d3822f59d3be42391fdacfaf259a9f251d4126f342a0a43675abb69e069eb57d53f562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53506a143eb0a5608df61bc6bdcea0d5

SHA1
fdedebb7bf50363b4d4d777de7f3e4ef4ac8831c

SHA256
89048a48291e3229ae9b019fa068d43f4fb5b19008339034683e0601f270ede0

SHA512
3ecce94130332b324aa1822f06c8f6815523d2e63b5545ce48373130dd76f691d83461ead8d08aad7403f8464e887a787fbe629f7b7ed9610c2ed98b498fd887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f68fa7880c1292d405e1a050a5cb58a8

SHA1
df4ba8eedb0d972bb071539a1de756115e6fde05

SHA256
18c0b9953e1a930d571663d67cf7acb38e5ed68bd09d7c5df373daa1512c8f25

SHA512
a14765b176c371711d4ce86a127762514f34235a77abcded54521c25a62b6c586c0ff64a04bd1434110aa5e92afc533076573cb7984c4feb0e307f6af760ae1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1155fb8ba8c8ea4adfc1c087e58adb5a

SHA1
8cc02b64bdd480fa01d347fbbe0a983f91cc4069

SHA256
6514fedb069b14ad58112a953364589b5cfa1ff42851453bb5963befc214d185

SHA512
0e346cef7904bf51900d81132ca24267365500adb9dd5b0fc823a4522577429b89564a54dee9bf53fc9c62aa7f79803b02caa7ba93262c287409ca1dfa6ff052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c995e23d4450fb885c582e9e6ecda75

SHA1
124abff7380d9018d6fcb1ba5bd2a71ccc3c96e0

SHA256
a013517c2e90316f652269ae55e7d3ed6ed178e49178bfa6ad2fb90e2b45c96c

SHA512
bfb2f132dfc6d7f1161d0cb8f493d57847520d5e8a52b8db3edab05bfc1433f879ac79a48888da01231f2e1287179e058a6ef134fe6ada10e4f5cbe1ac4c9cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5edbbc7b16daee19189a7a742b853e5

SHA1
e4ecf1314400abfb29075a0d3957a08f8005741d

SHA256
775be590686b5eaf102c1d09bb2405f6562c2e9af6d8ebee61112c52b00c0cec

SHA512
f517cbfc94425ca46329da4c40610fdaa3d281e6f1a6201e91726e31a36aa77b8a1b69bba5f99349fbe62a9ff3e165efc62797bbafea683abf0f29f0a0b0ee20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e82f08dd796d61a4a28725da73d1c674

SHA1
746164350736d3b9820dc9c75aaaf2cea9a6af9b

SHA256
35d79425d4cbaf1acb9b8c7926df57c49e625ea15592f088cafa736ffc18495d

SHA512
3c2de6a987eae3d64005b6cd41d810430127dac1ed7c057983228a2567218327db8f1b409a11a008a14ddc7acf345eeab5c598530624e93010fa2974fa55f137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef6a342729e36eaebbd5a88dc1347fd9

SHA1
ddc4d7310b83126a01b739bb843545034c95ca5b

SHA256
3d5a08ed21e8f2f26421d49e4e9984ad4c93cec29e18a45988958d6c25b165f1

SHA512
1b9d4c421fc123e1cae0d3926165ad1a2b52198a2f51e88143e50cb65252e244278921901fbd5302a20fb2c86623a31f1c85cd8adc8d3756ef39e76f30e7919b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e26f5a347b40c1194a59218d8d04e20

SHA1
97d6ec575554f41c41e6732086e81af28c81843b

SHA256
034d4c8261e1eec8eef4f2f1caf516f56afc72b4e052a2cacf88436029636e63

SHA512
01b2e4fdc970def5b3d85a741fd26f496ed261cebe721a6d87eebd60ef2a3e29e60f06da529abd27d92eb1f45a111960a2ac4d6875eb0728fd00c629afa46e02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1187642ace50273733f661c4e7b40c3d

SHA1
c36ba1907d991e50f74b9d3ebdd21f44bfbf085f

SHA256
c08b2b0d9fdda6de6b8012f71fd88b7c98421e57effabbbbe39ba9e0b47837e8

SHA512
f5185787681a30a3e7f4190bd5d1ec5bb42ed7c7eb5fcb7783560bd4ff4d9067d6938529f5916af9a03b61231ad4be13ea98d3e68371b1f5568a1bd9102f1411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
f0318e5562c920882e6cb862b99e5f8a

SHA1
eec100aa317c5047d6d2ba00010d60e16c66685c

SHA256
0a0e8b1c4a54bc0ece45aa766a78a65c9902751880debdb904069e2f22ff23b9

SHA512
0ef0e042c8eeb9d34e4ee75315b50a97a726427c9b16b5a9369593326127157a984fa725dd487e9c8ddb947010f402b548f2efc9487d66613b9af912bf066cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
15KB

MD5
506a0543206d609c94846399c6ee57a3

SHA1
045b604a85972265e5819401f3b7be8e33b83ff7

SHA256
4cfbfbe3ef2164c5268b35d83b37fd5c925c23aea9213e970c9b386210c348ab

SHA512
d1c95bcfa278f0fe8fbc5b623800b54ba5b121f6d27463000f6f80454ba536613d4a3775cab9ccca91bbe4f18c53e299b79d7114c594a99ddbca90095782a9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].ico

Filesize
15KB

MD5
9d62dcc244c0f3d88367a943ba4d4fed

SHA1
5fc5ec953d4344422eb686b9fc61ea31caed360e

SHA256
fddf75d3376bb911db3189aa149f508317799b10611438b23d688b89db208da7

SHA512
78cd9a7a2cdafcc378a3cb1215325be78d54a4459d5c4c7271de617a272aad10a951bd7f2efe15ebf4e70a059420d988ac093c481af02c788d864aa9e316df22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\scanner[1].htm

Filesize
3KB

MD5
cab6057f3fb0bd14fdb154c9636f2acd

SHA1
dee42b01b6c0c8c4244309249bed3dac8a875caf

SHA256
48cc5fbca021072cf7be4f476ddf522623aa9abf483623e1722a92f074644324

SHA512
7363c7604577ab5fffe08d60bcd92852fb9724b8b95a08d8cd910859ec17ee7c57adfb7aa39b54344ca89c830e0edd94776da47d924aa389c48fef5c6c7d814e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB6A2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEA9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF79.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF298A458F6295646B.TMP

Filesize
16KB

MD5
c600719cc62d69b502d4b0006cce5e3b

SHA1
0e994a4bfa5b3d7c3e9b1cc1600060a6f75bd157

SHA256
6005ed4e39ccba1fcc0d07ec7af75d287bfc69dfa57579ed291cbd596880bc96

SHA512
a4b4af9c1e5c54a9bafe52bb699ff6469c61ca27c2d35254936fe35dc68624cc710102b634c4025ccfcd4f603c0b8c76828c0c820e5db5cabffe6ba5e204bfc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P4G2GW9L.txt

Filesize
221B

MD5
278d2ec1b61fd2f15e526a3305fa060b

SHA1
ced32d83ab13ee03203e33d33b2f477966fb385f

SHA256
a95b26959f750b6ccbf74b5e2e06c098c4e11f2eb50331e5799e74ca72ac0d48

SHA512
35773a341ad6caedc793b31118c9a2fc644b064a1de7acebe831be763f05b453f145d8fe83c344d53ac8c3babcad98ddf24c65a1a64afdb3376c559db8f8b730

Download Submit
memory/2908-2-0x0000000070C2D000-0x0000000070C38000-memory.dmp

Filesize
44KB

Download
memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/2908-11-0x0000000070C2D000-0x0000000070C38000-memory.dmp

Filesize
44KB

Download