qakbot | aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46

Analysis

max time kernel
150s
max time network
140s
platform
windows10_x64
resource
win10v20201028
submitted
05-02-2021 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CompensationClaim-2000459547-02022021.xls
Size

67KB
MD5

cb555300cee97b3250f5ca1650197f7b
SHA1

702beedaaef076fa9f8fd6510493925f090fe4a1
SHA256

aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46
SHA512

a57dfeb94bf437df67bf7b13137aebe08b0ba1c04f3bf94cf98105c34683e96e6986495c157f83ff9cc93332680b1f280d9aa72c6f5d1196f5c7606dd4755ddf

Score

10^/10

qakbot abc123 1612349986 banker macro stealer trojan xlm

Malware Config

Extracted

Family

qakbot

Botnet

abc123

Campaign

1612349986

222.154.253.111:995

50.244.112.106:443

83.110.108.181:2222

105.198.236.99:443

74.77.162.33:443

106.250.150.98:443

196.151.252.84:443

45.118.216.157:443

140.82.49.12:443

80.11.173.82:8443

71.88.193.17:443

68.186.192.69:443

46.153.119.255:995

81.214.126.173:2222

108.31.15.10:995

197.45.110.165:995

81.88.254.62:443

86.97.8.249:443

202.187.58.21:443

41.39.134.183:443

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1420	496	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1728	496	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1776	496	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4044	496	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3680	496	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3140	3980	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4092	3980	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1772	3980	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2996	3980	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3632	3980	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\CompensationClaim-2000459547-02022021.xls	office_xlm_macros

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

2352 rundll32.exe
2264 rundll32.exe
3856 rundll32.exe
3856 rundll32.exe
1748 rundll32.exe
1748 rundll32.exe

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1832 schtasks.exe

pid	process
1832	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 67 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000005c51569212004170704461746100400009000400efbe5c5156925c5156922e00000027530100000001000000000000000000000000000000cf62b2004100700070004400610074006100000016000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000005c5156921100557365727300640009000400efbe724a0b5d5c5156922e000000320500000000010000000000000000003a0000000000949deb0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "2"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000004552a351100054656d7000003a0009000400efbe5c5156924552a3512e0000003b530100000001000000000000000000000000000000a5d14b00540065006d007000000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000064653bc456add601a0f9b7c656add601b049a7c656add60114000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000004552a751100041646d696e003c0009000400efbe5c5156924552a7512e0000001c530100000001000000000000000000000000000000d869c500410064006d0069006e00000014000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000005c510f9510004c6f63616c003c0009000400efbe5c5156925c510f952e0000003a53010000000100000000000000000000000000000036f44a004c006f00630061006c00000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

496 EXCEL.EXE
3980 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2352	rundll32.exe
2352	rundll32.exe
2352	rundll32.exe
2352	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
3856	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

496 EXCEL.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

2352 rundll32.exe
2264 rundll32.exe
3856 rundll32.exe
1748 rundll32.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	process
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE
3980	EXCEL.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exerundll32.exerundll32.exeEXCEL.EXErundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 496 wrote to memory of 1420	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 1420	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 1728	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 1728	496	EXCEL.EXE	rundll32.exe
PID 1728 wrote to memory of 2352	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2352	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2352	1728	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2660	2352	rundll32.exe	explorer.exe
PID 2352 wrote to memory of 2660	2352	rundll32.exe	explorer.exe
PID 2352 wrote to memory of 2660	2352	rundll32.exe	explorer.exe
PID 2352 wrote to memory of 2660	2352	rundll32.exe	explorer.exe
PID 2352 wrote to memory of 2660	2352	rundll32.exe	explorer.exe
PID 2660 wrote to memory of 1832	2660	explorer.exe	schtasks.exe
PID 2660 wrote to memory of 1832	2660	explorer.exe	schtasks.exe
PID 2660 wrote to memory of 1832	2660	explorer.exe	schtasks.exe
PID 496 wrote to memory of 1776	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 1776	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 4044	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 4044	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 3680	496	EXCEL.EXE	rundll32.exe
PID 496 wrote to memory of 3680	496	EXCEL.EXE	rundll32.exe
PID 3680 wrote to memory of 2264	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 2264	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 2264	3680	rundll32.exe	rundll32.exe
PID 2264 wrote to memory of 2140	2264	rundll32.exe	explorer.exe
PID 2264 wrote to memory of 2140	2264	rundll32.exe	explorer.exe
PID 2264 wrote to memory of 2140	2264	rundll32.exe	explorer.exe
PID 2264 wrote to memory of 2140	2264	rundll32.exe	explorer.exe
PID 2264 wrote to memory of 2140	2264	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 3140	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 3140	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 4092	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 4092	3980	EXCEL.EXE	rundll32.exe
PID 4092 wrote to memory of 3856	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 3856	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 3856	4092	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 2300	3856	rundll32.exe	explorer.exe
PID 3856 wrote to memory of 2300	3856	rundll32.exe	explorer.exe
PID 3856 wrote to memory of 2300	3856	rundll32.exe	explorer.exe
PID 3856 wrote to memory of 2300	3856	rundll32.exe	explorer.exe
PID 3856 wrote to memory of 2300	3856	rundll32.exe	explorer.exe
PID 3980 wrote to memory of 1772	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 1772	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 2996	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 2996	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 3632	3980	EXCEL.EXE	rundll32.exe
PID 3980 wrote to memory of 3632	3980	EXCEL.EXE	rundll32.exe
PID 3632 wrote to memory of 1748	3632	rundll32.exe	rundll32.exe
PID 3632 wrote to memory of 1748	3632	rundll32.exe	rundll32.exe
PID 3632 wrote to memory of 1748	3632	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 1880	1748	rundll32.exe	explorer.exe
PID 1748 wrote to memory of 1880	1748	rundll32.exe	explorer.exe
PID 1748 wrote to memory of 1880	1748	rundll32.exe	explorer.exe
PID 1748 wrote to memory of 1880	1748	rundll32.exe	explorer.exe
PID 1748 wrote to memory of 1880	1748	rundll32.exe	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CompensationClaim-2000459547-02022021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1420

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jdjezzpg /tr "regsvr32.exe -s \"\"" /SC ONCE /Z /ST 10:15 /ET 10:27
5⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1776

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4044

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:2140

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\CompensationClaim-2000459547-02022021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3140

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:2300

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1772

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2996

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:1880

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s ""
1⤵
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
cfca4ffae84f254cc62c1fef19f1f794

SHA1
ae595934fb34ebd5e3e0865d9c589656d44c124c

SHA256
767ea3e7dc7dc1eccda73b1f470b368e73304958676c6029811d83d32ac896f1

SHA512
0aa944842b97472a1d91c5af06ba83c89620a87889c5e4b8a53c1901ecbf573b3b58c52a530f2171d2cb69b1a49b36ef7769f22456e60be00d7b25a2844403e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c37c95dc9a87da18c53c08029a41abeb

SHA1
90c549ae8eaf332b672db2c10f831fce4692b831

SHA256
5c9c979d2bbada34b875bcb41e506056a65bde2d16dceaa4ce2b39d894ef0c83

SHA512
fa01cee73f8f9bdcd3f7ab3ec6274272962555816d2185566ef7f0ad978d1d96a57b9fc19c204243ddca456d706b292c3184694c2ec684e90c4321e4df31c39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
2481ec3d3680811abaf4fd4fbe0520d7

SHA1
c1a50e27c349a3690309e19f9723665ec2362d5c

SHA256
03d79e2043cf7894df751fd645f38532793fa2758962c0912ad498bd6c4b719b

SHA512
cbfe8e63f8768a0659f50418809f1e9f9cc6112e2ed75a8a922f1fcab790060be2b8d56bd06cb05f228a191f5ced7f727b8a036ca53fa7859907ac24f6ac54be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CompensationClaim-2000459547-02022021.xls.LNK
MD5
9c5051df5e867fe3c443176b50ee382e

SHA1
1c4cc2057c88537bceaea7216ae8d729775de3b4

SHA256
d7ca1037547fd2827fda591b88bf3a5c40ec30bee2f716a370aa0d7a0a86aa28

SHA512
51c693a8090f0354d23fdc9b14460cf4f2faef41ad7f8202efe1f95a6f241cb6c13abf7775008d9636453cdfe23e0a913d06ee28400afe2d08fade8e1348046b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\CompensationClaim-2000459547-02022021.xls
MD5
81127c17bb440dd839851ac20b92a862

SHA1
b29e5cbc5b223636190900a7447e58a5595f55ac

SHA256
175ef443932d8d47c81e91f4cd3b7f29a465a8954110d86545aaefed5da3692f

SHA512
e75552e33aa113d11c274bd32f70408c27051580990fac865935802a32f96eaee205c316e897e2a546d75c9b87195e854079ca22fa2b19d0b906de3de97278d8

Download Submit
C:\Users\Admin\HYGFR.HYGF1
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
C:\Users\Admin\HYGFR.HYGF1
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
C:\Users\Admin\HYGFR.HYGF4
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
C:\Users\Admin\HYGFR.HYGF4
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
\Users\Admin\HYGFR.HYGF4
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
\Users\Admin\HYGFR.HYGF4
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
\Users\Admin\HYGFR.HYGF4
MD5
6e0a15ac62d32983e782c715ed4b5ec8

SHA1
f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

SHA256
08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

SHA512
29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

Download Submit
memory/496-31-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-30-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-33-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-3-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-32-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-2-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-4-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-5-0x00007FF8091A0000-0x00007FF8097D7000-memory.dmp

Filesize
6.2MB

Download
memory/496-6-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/1420-7-0x0000000000000000-mapping.dmp

Download
memory/1728-8-0x0000000000000000-mapping.dmp

Download
memory/1748-66-0x0000000002A31000-0x0000000002AD0000-memory.dmp

Filesize
636KB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000002B80000-0x0000000002BB5000-memory.dmp

Filesize
212KB

Download
memory/1748-69-0x0000000002B80000-0x0000000002BB5000-memory.dmp

Filesize
212KB

Download
memory/1748-67-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1772-58-0x0000000000000000-mapping.dmp

Download
memory/1776-18-0x0000000000000000-mapping.dmp

Download
memory/1832-16-0x0000000000000000-mapping.dmp

Download
memory/1880-70-0x0000000000000000-mapping.dmp

Download
memory/1880-73-0x00000000005B0000-0x00000000005E5000-memory.dmp

Filesize
212KB

Download
memory/2140-28-0x0000000000000000-mapping.dmp

Download
memory/2140-29-0x0000000001270000-0x00000000012A5000-memory.dmp

Filesize
212KB

Download
memory/2264-23-0x0000000000000000-mapping.dmp

Download
memory/2264-25-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2264-27-0x0000000004C40000-0x0000000004C75000-memory.dmp

Filesize
212KB

Download
memory/2300-56-0x0000000000000000-mapping.dmp

Download
memory/2300-60-0x0000000000650000-0x0000000000685000-memory.dmp

Filesize
212KB

Download
memory/2352-10-0x0000000000000000-mapping.dmp

Download
memory/2352-12-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2352-14-0x0000000004B30000-0x0000000004B65000-memory.dmp

Filesize
212KB

Download
memory/2352-13-0x00000000049D0000-0x0000000004A17000-memory.dmp

Filesize
284KB

Download
memory/2660-17-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/2660-15-0x0000000000000000-mapping.dmp

Download
memory/2660-20-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/2996-59-0x0000000000000000-mapping.dmp

Download
memory/3140-46-0x0000000000000000-mapping.dmp

Download
memory/3632-61-0x0000000000000000-mapping.dmp

Download
memory/3680-21-0x0000000000000000-mapping.dmp

Download
memory/3856-53-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3856-57-0x0000000005E10000-0x0000000005E45000-memory.dmp

Filesize
212KB

Download
memory/3856-55-0x0000000005E10000-0x0000000005E45000-memory.dmp

Filesize
212KB

Download
memory/3856-52-0x0000000004221000-0x00000000042C0000-memory.dmp

Filesize
636KB

Download
memory/3856-49-0x0000000000000000-mapping.dmp

Download
memory/3980-38-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/3980-37-0x00007FF809BC0000-0x00007FF80A1F7000-memory.dmp

Filesize
6.2MB

Download
memory/3980-36-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/3980-35-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/3980-34-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/4044-19-0x0000000000000000-mapping.dmp

Download
memory/4092-47-0x0000000000000000-mapping.dmp

Download