qakbot | bc29b497a95f0daba324ee877dca4b354b31d6179117ac1afb8f17d354358036

Analysis

max time kernel
1800s
max time network
1792s
platform
windows7_x64
resource
win7-en-20210920
submitted
01-10-2021 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Complaint-818191704-10012021.xls
Size

129KB
MD5

4867eebf4c3f7ee6b532e703d20d5585
SHA1

d772036f1ca3eab516f016aa5073ffc2a65142f4
SHA256

67173a667baf38b78448f969bcb53892536ddc279528553cadbf0a53d1637d5d
SHA512

4b7ccb534a546b70f2453bf2dc456a8cc6a384cdb3f511a55bcaa933a4d2617cfcf1d0871add4d64d5037c762b805f4effafbe7395499be9266a3dc508e04662

Score

10^/10

qakbot notset obama107 1632819510 1633078880 banker evasion stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://101.99.90.18/44470.6666363426.dat

xlm40.dropper

http://194.36.191.19/44470.6666363426.dat

xlm40.dropper

http://45.144.29.109/44470.6666363426.dat

Extracted

Family

qakbot

Version

402.363

Botnet

obama107

Campaign

1633078880

140.82.49.12:443

41.250.143.109:995

216.201.162.158:443

86.8.177.143:443

105.198.236.99:443

124.123.42.115:2222

217.17.56.163:443

37.210.152.224:995

190.198.206.189:2222

75.89.195.186:995

78.191.44.76:995

122.11.220.212:2222

68.186.192.69:443

159.2.51.200:2222

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

120.151.47.189:443

47.22.148.6:443

94.200.181.154:443

Extracted

Family

qakbot

Version

402.363

Botnet

notset

Campaign

1632819510

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	460	1308	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	792	1308	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1704	1308	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

460 regsvr32.exe
792 regsvr32.exe
1704 regsvr32.exe
1684 regsvr32.exe
1064 regsvr32.exe

Drops file in System32 directory 14 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\openssl-1.1.1h.tar[1].gz	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe

Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1792 schtasks.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

744 net.exe
1556 net.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exeipconfig.exenetstat.exe

pid process

880 ipconfig.exe
380 netstat.exe
1596 ipconfig.exe
1204 netstat.exe

pid	process
1792	schtasks.exe

pid	process
744	net.exe
1556	net.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
880	ipconfig.exe
380	netstat.exe
1596	ipconfig.exe
1204	netstat.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\bcc69991 = 502853fd860110dcaf3498820f061c402f15fb53d579341f35fb8673f749a6a59f9f548e	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\47afef4 = 7b6cc00e03937df36229d2bad9031c912b531cdaa59fcbca8a2e410f5a4be3c3a34db7fd26977edd98cdc6d37e686c4017a10f21f953d4df2a73dfa88df2d946	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}\b6-3d-e5-5b-ce-75	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-3d-e5-5b-ce-75\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\7972b17e = 397c9411e1f2039486f40f30cefb4428ffe6641c43108c81f82a06f4afaff7c90e1437ea5307bf9e0f1c92196aa7e96d5e57a095a36d4a3d47376578995006ef44f1c4574ea6d1b8a3a9242347356c7944887c5ddc6b677171fd6fc41f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-3d-e5-5b-ce-75\WpadDecisionTime = c02eaaa2deb6d701	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}\WpadDecisionTime = c051b2b2dfb6d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\d9401e40 = e3549a667ac670b6f026f5c3f0ebf7f5472af716d45a6fed3450d37a7299c4db40e12a14dbb8aa1053	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\d9401e40 = e3549a667ac670b6f026f5c3f0ebf7f5472af716d45a6fed3450d37a7299c4db40e6231adbb8aa1053	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-3d-e5-5b-ce-75	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05D057F4-61FE-43A4-933A-6DBAF528F7EE}\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lfbahxasir\7972b17e = 397c9411e1f2039486f40f30cefb4428ffe6641c43108c81f82a06f4afaff7c90e1437ea5307bf9e0f1c92196aa7e96d5e57a095a36d4a3d47376578995006ef44f1c4574ea6d1b8a3a9242347356c7944887c5ddc6b677171fd6fc41f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\TypeLib\{DDE59195-7639-458A-979F-17EA621D2B7D}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19AF5357-BBD8-4C9D-9AAB-4C2AD866EC48}\1.2\ = "Ref Edit Control"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19AF5357-BBD8-4C9D-9AAB-4C2AD866EC48}\1.2\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDE59195-7639-458A-979F-17EA621D2B7D}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19AF5357-BBD8-4C9D-9AAB-4C2AD866EC48}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDE59195-7639-458A-979F-17EA621D2B7D}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19AF5357-BBD8-4C9D-9AAB-4C2AD866EC48}\1.2\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\TypeLib\{DDE59195-7639-458A-979F-17EA621D2B7D}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	EXCEL.EXE

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE

pid	process
1308	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeexplorer.exeexplorer.exeregsvr32.exeexplorer.exe

pid	process
460	regsvr32.exe
792	regsvr32.exe
1704	regsvr32.exe
1684	regsvr32.exe
1656	explorer.exe
1792	explorer.exe
1064	regsvr32.exe
1732	explorer.exe
1732	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeexplorer.exe

pid process

460 regsvr32.exe
792 regsvr32.exe
1704 regsvr32.exe
1684 regsvr32.exe
1064 regsvr32.exe
1820 explorer.exe

pid	process
1308	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

EXCEL.EXEwhoami.exenetstat.exemsiexec.exewhoami.exe

description	pid	process
Token: SeShutdownPrivilege	1308	EXCEL.EXE
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	380	netstat.exe
Token: SeRestorePrivilege	188	msiexec.exe
Token: SeTakeOwnershipPrivilege	188	msiexec.exe
Token: SeSecurityPrivilege	188	msiexec.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe
Token: SeDebugPrivilege	1692	whoami.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE
1308 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1308 EXCEL.EXE
1308 EXCEL.EXE
1308 EXCEL.EXE

pid	process
1308	EXCEL.EXE
1308	EXCEL.EXE

pid	process
1308	EXCEL.EXE
1308	EXCEL.EXE
1308	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 460	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 792	1308	EXCEL.EXE	regsvr32.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 460 wrote to memory of 1656	460	regsvr32.exe	explorer.exe
PID 1656 wrote to memory of 1792	1656	explorer.exe	schtasks.exe
PID 1656 wrote to memory of 1792	1656	explorer.exe	schtasks.exe
PID 1656 wrote to memory of 1792	1656	explorer.exe	schtasks.exe
PID 1656 wrote to memory of 1792	1656	explorer.exe	schtasks.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 1308 wrote to memory of 1704	1308	EXCEL.EXE	regsvr32.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 792 wrote to memory of 1676	792	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1616	1704	regsvr32.exe	explorer.exe
PID 708 wrote to memory of 1964	708	taskeng.exe	regsvr32.exe
PID 708 wrote to memory of 1964	708	taskeng.exe	regsvr32.exe
PID 708 wrote to memory of 1964	708	taskeng.exe	regsvr32.exe
PID 708 wrote to memory of 1964	708	taskeng.exe	regsvr32.exe
PID 708 wrote to memory of 1964	708	taskeng.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 1684	1964	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1684 wrote to memory of 1792	1684	regsvr32.exe	explorer.exe
PID 1792 wrote to memory of 1352	1792	explorer.exe	reg.exe
PID 1792 wrote to memory of 1352	1792	explorer.exe	reg.exe
PID 1792 wrote to memory of 1352	1792	explorer.exe	reg.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Complaint-818191704-10012021.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -silent ..\Drezd.red
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dfpqspfre /tr "regsvr32.exe -s \"C:\Users\Admin\Drezd.red\"" /SC ONCE /Z /ST 16:02 /ET 16:14
4⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c set
4⤵
PID:1740

C:\Windows\SysWOW64\arp.exe
arp -a
4⤵
PID:1832

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:880

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:744

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
4⤵
PID:824

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:1640

C:\Windows\SysWOW64\route.exe
route print
4⤵
PID:732

C:\Windows\SysWOW64\netstat.exe
netstat -nao
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\net.exe
net localgroup
4⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:1628

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -silent ..\Drezd.red1
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1676

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -silent ..\Drezd.red2
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {8C415B64-0758-4405-B27A-84A33F6E35D7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\Drezd.red"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\Drezd.red"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Mipynv" /d "0"
5⤵
PID:1352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dzwjsvzv" /d "0"
5⤵
PID:1572

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:852

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:912

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1596

C:\Windows\SysWOW64\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:1556

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net share
5⤵
PID:748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:1868

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:1812

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
PID:1204

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:860

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe -s "C:\ProgramData\Microsoft\Mipynv\uqgrxvnipkgec.dll"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: MapViewOfSection
PID:1820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\system32\taskeng.exe
taskeng.exe {3C9F8F61-CC82-4D8B-AA37-4A40439B53B7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1808

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\Drezd.red"
2⤵
PID:1756

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\Drezd.red"
3⤵
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Mipynv\uqgrxvnipkgec.dll
MD5
9ad3a0d8b2064d12a9098952c7ac3ee2

SHA1
bf59513b280b6a3d4fb7bf6c5c2836fa6d5ee4a2

SHA256
dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c

SHA512
7a7e152c08889e399af1e126efa3f74638d2273ffecc8e779d752052bf75e2288b915909cd4d633045be9cb02bb84b948a82b958e1f8bdba200787320d23374e

Download Submit
C:\Users\Admin\Drezd.red
MD5
4106ecc0609d74c1f810b52b4dfd97de

SHA1
72a8fe9d2cc754d2405f65f5fb1693a7ffbd75f0

SHA256
4bd1f8c261fbd5e0d29d6574be4d184578b8dc71454266481c7904903dd1b3ff

SHA512
b020385b047f7c3af9505fb7058d23d723b33fe78e28bc24dbdc11d11d56b68294ccfae47497cc1010d168077a594eb969fb12199b86cb0662880902ed5e56f9

Download Submit
C:\Users\Admin\Drezd.red
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
C:\Users\Admin\Drezd.red
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
C:\Users\Admin\Drezd.red1
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
C:\Users\Admin\Drezd.red2
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4f2516c501054b3ff729ff0b60453ae6

SHA1
4577ba21bcf741af0ea9d7067d2668c835ba087a

SHA256
27bba22d0ee8d378ef0d4728ed02a34b406ac8ca81dcb5da7b6e439dc4da00a0

SHA512
d7cbc9f663bec182dacf63ca5c3980db822ab969ede717c408fc713ac4557e373ef530d9cc3de5307541085e1fb27362885e9ebfdfbb6b0d230177572b18855d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8f2fdbe937b0cbbf4539956eb6e7a841

SHA1
0466f0dd2105cc9dfeca767e7a2e9d38d2bb0962

SHA256
a3b63633eea31368929c0259d5be22b3c134d81f2e7dd32fde21bb6dec953fa1

SHA512
29eb844ef098fe81fae3a98a21115cd78ac5ad7fbea3be7ee6d6e48d8b71783b109946ae1cb6b8b4454e6f85f476d63f95c6be8586b421124b14ef8a518b3db0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4ab17ca1bf1e29df9815be2b72cbf64a

SHA1
e19ff058cc489ee80662ad3c471bd4ddcf2c694d

SHA256
7946c9d1720b3bedf32ee10c52c758b64f5c7ec1aafc2e4a9e569bf536b5f06c

SHA512
9d0f84ab0914853a725ac3f6936e82a42a25660d6a2811c5d62860173cec63616aa462dcd41619fd978f1b55c83a836e559ea7fc1a49cc76149082380bcdf5c2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a1f8c9e45baffb82e77e5f24d02eac84

SHA1
167a555bf8c973d45c50464b1368c5d35ef506ee

SHA256
e49796b55bb0a8344722c70ae657e8019a751ce27c637bb2b39b8b943b3e74df

SHA512
9e5a209cdf1a317c97fd04a67f36f9b5e2cade29da1f64eba4bd34ed3a2f95e50df881fa1a9fdbd59f8f0c745a0fddf803f44b139adeebb3b07da33bfbe32e22

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Microsoft\Mipynv\uqgrxvnipkgec.dll
MD5
9ad3a0d8b2064d12a9098952c7ac3ee2

SHA1
bf59513b280b6a3d4fb7bf6c5c2836fa6d5ee4a2

SHA256
dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c

SHA512
7a7e152c08889e399af1e126efa3f74638d2273ffecc8e779d752052bf75e2288b915909cd4d633045be9cb02bb84b948a82b958e1f8bdba200787320d23374e

Download Submit
\Users\Admin\Drezd.red
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
\Users\Admin\Drezd.red
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
\Users\Admin\Drezd.red1
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
\Users\Admin\Drezd.red2
MD5
12901df11d4b984c96b1acecaf003c5e

SHA1
1bf80548184933e8ad4c2f8c7fd9a6edcbd01659

SHA256
573756552faa64af9e40c4cde3eba7a88f07a3179aff03490634eb75a98d3e4c

SHA512
1567cf45f6a4b5b862494ad0d39f0051de45fe5cada6865bf613d6785147b45d5856e2b999586e384ea2e745be18d647c9b732e6344bf76ff57863917dd9e56b

Download Submit
memory/380-118-0x0000000000000000-mapping.dmp

Download
memory/460-59-0x0000000075651000-0x0000000075653000-memory.dmp

Filesize
8KB

Download
memory/460-68-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/460-67-0x000000006C620000-0x000000006C6C0000-memory.dmp

Filesize
640KB

Download
memory/460-58-0x0000000000000000-mapping.dmp

Download
memory/460-66-0x000000006C620000-0x000000006C641000-memory.dmp

Filesize
132KB

Download
memory/732-117-0x0000000000000000-mapping.dmp

Download
memory/744-113-0x0000000000000000-mapping.dmp

Download
memory/748-135-0x0000000000000000-mapping.dmp

Download
memory/792-74-0x000000006C410000-0x000000006C431000-memory.dmp

Filesize
132KB

Download
memory/792-75-0x000000006C410000-0x000000006C4B0000-memory.dmp

Filesize
640KB

Download
memory/792-81-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/792-62-0x0000000000000000-mapping.dmp

Download
memory/824-114-0x0000000000000000-mapping.dmp

Download
memory/852-129-0x0000000000000000-mapping.dmp

Download
memory/860-140-0x0000000000000000-mapping.dmp

Download
memory/880-111-0x0000000000000000-mapping.dmp

Download
memory/912-130-0x0000000000000000-mapping.dmp

Download
memory/1056-108-0x0000000000000000-mapping.dmp

Download
memory/1064-148-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/1064-147-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1064-149-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1064-145-0x0000000000A60000-0x0000000000BA7000-memory.dmp

Filesize
1.3MB

Download
memory/1064-141-0x0000000000000000-mapping.dmp

Download
memory/1204-138-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x0000000005F40000-0x0000000005F42000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-54-0x000000002FB51000-0x000000002FB54000-memory.dmp

Filesize
12KB

Download
memory/1308-55-0x0000000071B11000-0x0000000071B13000-memory.dmp

Filesize
8KB

Download
memory/1352-104-0x0000000000000000-mapping.dmp

Download
memory/1556-133-0x0000000000000000-mapping.dmp

Download
memory/1572-105-0x0000000000000000-mapping.dmp

Download
memory/1596-131-0x0000000000000000-mapping.dmp

Download
memory/1616-91-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1616-87-0x0000000000000000-mapping.dmp

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/1640-116-0x0000000000000000-mapping.dmp

Download
memory/1656-72-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1656-71-0x000000006C271000-0x000000006C273000-memory.dmp

Filesize
8KB

Download
memory/1656-69-0x0000000000000000-mapping.dmp

Download
memory/1676-80-0x0000000000000000-mapping.dmp

Download
memory/1676-84-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1684-106-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1684-98-0x000000006C450000-0x000000006C471000-memory.dmp

Filesize
132KB

Download
memory/1684-99-0x000000006C450000-0x000000006C4F0000-memory.dmp

Filesize
640KB

Download
memory/1684-95-0x0000000000000000-mapping.dmp

Download
memory/1688-115-0x0000000000000000-mapping.dmp

Download
memory/1692-128-0x0000000000000000-mapping.dmp

Download
memory/1704-76-0x0000000000000000-mapping.dmp

Download
memory/1704-86-0x000000006C0A0000-0x000000006C140000-memory.dmp

Filesize
640KB

Download
memory/1704-85-0x000000006C0A0000-0x000000006C0C1000-memory.dmp

Filesize
132KB

Download
memory/1704-90-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1732-159-0x0000000000000000-mapping.dmp

Download
memory/1732-163-0x00000000001A0000-0x00000000001BC000-memory.dmp

Filesize
112KB

Download
memory/1732-162-0x00000000000A0000-0x00000000000C1000-memory.dmp

Filesize
132KB

Download
memory/1740-109-0x0000000000000000-mapping.dmp

Download
memory/1756-123-0x0000000000000000-mapping.dmp

Download
memory/1792-73-0x0000000000000000-mapping.dmp

Download
memory/1792-101-0x0000000000000000-mapping.dmp

Download
memory/1792-107-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1812-137-0x0000000000000000-mapping.dmp

Download
memory/1816-119-0x0000000000000000-mapping.dmp

Download
memory/1820-150-0x0000000000000000-mapping.dmp

Download
memory/1820-154-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1832-110-0x0000000000000000-mapping.dmp

Download
memory/1868-136-0x0000000000000000-mapping.dmp

Download
memory/1900-126-0x0000000000000000-mapping.dmp

Download
memory/1948-139-0x0000000000000000-mapping.dmp

Download
memory/1964-93-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/1964-92-0x0000000000000000-mapping.dmp

Download
memory/2020-134-0x0000000000000000-mapping.dmp

Download