revengerat | d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a

Analysis

max time kernel
4294219s
max time network
166s
platform
windows7_x64
resource
win7-20220310-en
submitted
14-03-2022 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
Size

7.4MB
MD5

377a699b9cbc4b8928b16de46abf920f
SHA1

f2ab02632aef4141d13c3880973bc1003d1102ef
SHA256

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a
SHA512

4f916a51ec32d0c609d3c69a9b5f9c905c7c37850fdc77063db349fe4bb0ca24a9cea6180ebc59ee3754736947dafc8b54b831444b6bc585bd5a43e46bcb4ba5

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft

RevengeRat Executable 15 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
behavioral1/memory/1888-101-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/1888-103-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/1888-105-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/1888-107-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/1888-109-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe	revengerat

Executes dropped EXE 8 IoCs

Processes:

._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exeSynaptics.exe1.exeGerenciador de audio HD Realltek.exe2.exeWindows Explorer.exeGerenciador de audio HD Realltek.exe

pid	process
596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1912	Synaptics.exe
1320	1.exe
1104	Gerenciador de audio HD Realltek.exe
748	2.exe
1304	Windows Explorer.exe
1264
1632	Gerenciador de audio HD Realltek.exe

Loads dropped DLL 18 IoCs

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe1.exeRegSvcs.exe

pid	process
1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1320	1.exe
1320	1.exe
1320	1.exe
1320	1.exe
596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1320	1.exe
1320	1.exe
1320	1.exe
1320	1.exe
1264
1888	RegSvcs.exe
1888	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Gerenciador de audio HD Realltek.exeRegSvcs.exeGerenciador de audio HD Realltek.exeRegSvcs.exe

description	pid	process	target process
PID 1104 set thread context of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1888 set thread context of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1632 set thread context of 1604	1632	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1604 set thread context of 744	1604	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1260 EXCEL.EXE

pid	process
1260	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Gerenciador de audio HD Realltek.exeRegSvcs.exe2.exeGerenciador de audio HD Realltek.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1104	Gerenciador de audio HD Realltek.exe
Token: SeDebugPrivilege	1888	RegSvcs.exe
Token: SeDebugPrivilege	748	2.exe
Token: SeDebugPrivilege	1632	Gerenciador de audio HD Realltek.exe
Token: SeDebugPrivilege	1604	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1260 EXCEL.EXE

pid	process
1260	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe1.exeGerenciador de audio HD Realltek.exe2.exeRegSvcs.exe

description	pid	process	target process
PID 1656 wrote to memory of 596	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 1656 wrote to memory of 596	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 1656 wrote to memory of 596	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 1656 wrote to memory of 596	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 1656 wrote to memory of 1912	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 1656 wrote to memory of 1912	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 1656 wrote to memory of 1912	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 1656 wrote to memory of 1912	1656	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 596 wrote to memory of 1320	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 596 wrote to memory of 1320	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 596 wrote to memory of 1320	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 596 wrote to memory of 1320	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 1320 wrote to memory of 1104	1320	1.exe	Gerenciador de audio HD Realltek.exe
PID 1320 wrote to memory of 1104	1320	1.exe	Gerenciador de audio HD Realltek.exe
PID 1320 wrote to memory of 1104	1320	1.exe	Gerenciador de audio HD Realltek.exe
PID 1320 wrote to memory of 1104	1320	1.exe	Gerenciador de audio HD Realltek.exe
PID 596 wrote to memory of 748	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 596 wrote to memory of 748	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 596 wrote to memory of 748	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 596 wrote to memory of 748	596	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 1320 wrote to memory of 1304	1320	1.exe	Windows Explorer.exe
PID 1320 wrote to memory of 1304	1320	1.exe	Windows Explorer.exe
PID 1320 wrote to memory of 1304	1320	1.exe	Windows Explorer.exe
PID 1320 wrote to memory of 1304	1320	1.exe	Windows Explorer.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1104 wrote to memory of 1888	1104	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 748 wrote to memory of 1964	748	2.exe	arp.exe
PID 748 wrote to memory of 1964	748	2.exe	arp.exe
PID 748 wrote to memory of 1964	748	2.exe	arp.exe
PID 748 wrote to memory of 1824	748	2.exe	arp.exe
PID 748 wrote to memory of 1824	748	2.exe	arp.exe
PID 748 wrote to memory of 1824	748	2.exe	arp.exe
PID 748 wrote to memory of 1988	748	2.exe	arp.exe
PID 748 wrote to memory of 1988	748	2.exe	arp.exe
PID 748 wrote to memory of 1988	748	2.exe	arp.exe
PID 748 wrote to memory of 744	748	2.exe	arp.exe
PID 748 wrote to memory of 744	748	2.exe	arp.exe
PID 748 wrote to memory of 744	748	2.exe	arp.exe
PID 748 wrote to memory of 360	748	2.exe	arp.exe
PID 748 wrote to memory of 360	748	2.exe	arp.exe
PID 748 wrote to memory of 360	748	2.exe	arp.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe
PID 1888 wrote to memory of 1644	1888	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
"C:\Users\Admin\AppData\Local\Temp\d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
      "C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:1644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\11dtvzsi\11dtvzsi.cmdline"
        6⤵
        
        PID:1372
      - C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe
        
        "C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        8⤵
        
        PID:744
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1964
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1824
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1988
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:744
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:360
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:896
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1208
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1544
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1980
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1824
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1988
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:860
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1000
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:1408
  - - C:\Windows\System32\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      PID:988
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:1912

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

MD5
dc70508f10ea72c1ad810c72b179bf28

SHA1
5c7ef633b20ad47c1a9967a181ebf42a5094c07d

SHA256
aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

SHA512
8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

MD5
dc70508f10ea72c1ad810c72b179bf28

SHA1
5c7ef633b20ad47c1a9967a181ebf42a5094c07d

SHA256
aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

SHA512
8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\11dtvzsi\11dtvzsi.cmdline

MD5
7ca8ad48376b761ff2e288d93526777f

SHA1
46a56276c9980c342cc920d8e2c5e948e0e9cb03

SHA256
379bbd4d7121a5f34d65b4e630fccd93ff38ea2966b47c821af7ab3caa83e8d3

SHA512
661dc29e7d06446ebaa902938f18636a05068d8b505330a10879249a200e9f8d9ec7abb4bf52268e4ebbcbef3cc1ab1b7913bff7f8fa9b2f4194c07b64cf3a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUmMBORL.xlsm

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjWSTUK.txt

MD5
f45d326b2e70f86c04c202ca0c4178f8

SHA1
d6abdb718d980bd3b63f6ac640c0a2719d8aefaa

SHA256
45cd2299ff183f0567df478da15cdfdf51d25e2671e7f95f2c93e2a93ef5d560

SHA512
d4a75b15417ea248b70b5f14a60ef0d17297ddd84e3f68c4c75ba7fe16abf387ba37fe6dd82b1e05641f1f8bf1932244d3d39c028c97f31e7a55d141e0fadfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjWSTUK.txt

MD5
e6fa607296233e83ee3597c318f55536

SHA1
f0cd761788b279505e961579b4d383346e66dc64

SHA256
78820d96ca547a76741750caa67b7c29add4dbbbe5b6e13c744ff5da0d765c30

SHA512
7f13c0e62ea5e939f4812ab3003328bd68e4f17d05b7750d9a133bd1b33a761e7d06f973f9ddb0f96436eccf01bf4f4213989960b615170f35aac93dfdf764cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

MD5
dc70508f10ea72c1ad810c72b179bf28

SHA1
5c7ef633b20ad47c1a9967a181ebf42a5094c07d

SHA256
aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

SHA512
8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe

MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
memory/744-174-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/744-177-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/744-176-0x000000006DDE0000-0x000000006E4CE000-memory.dmp

Filesize
6.9MB

Download
memory/744-171-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/748-94-0x000000013F080000-0x000000013F6A8000-memory.dmp

Filesize
6.2MB

Download
memory/748-86-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/748-113-0x000000001B3B0000-0x000000001B3B2000-memory.dmp

Filesize
8KB

Download
memory/1104-93-0x0000000073220000-0x00000000737CB000-memory.dmp

Filesize
5.7MB

Download
memory/1104-90-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1104-89-0x0000000073220000-0x00000000737CB000-memory.dmp

Filesize
5.7MB

Download
memory/1260-96-0x000000006EE21000-0x000000006EE23000-memory.dmp

Filesize
8KB

Download
memory/1260-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1260-112-0x000000006FE0D000-0x000000006FE18000-memory.dmp

Filesize
44KB

Download
memory/1260-95-0x000000002F4E1000-0x000000002F4E4000-memory.dmp

Filesize
12KB

Download
memory/1304-92-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1304-91-0x0000000073220000-0x00000000737CB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-175-0x000000006DDE0000-0x000000006E4CE000-memory.dmp

Filesize
6.9MB

Download
memory/1604-178-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1632-158-0x0000000073220000-0x00000000737CB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-124-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-114-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-116-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-134-0x000000006DDE0000-0x000000006E4CE000-memory.dmp

Filesize
6.9MB

Download
memory/1644-125-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-136-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1644-129-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-132-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-120-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1644-118-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1656-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1656-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1888-133-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1888-110-0x000000006DDE0000-0x000000006E4CE000-memory.dmp

Filesize
6.9MB

Download
memory/1888-109-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-107-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-105-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-103-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-101-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-99-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-97-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1912-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download