formbook | f3e7f68430934e19e618b8d6772b90ac3a7d42369058af3cdd35593266f28604

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statements and Invoices July 2022.xlsx
Size

829KB
MD5

100959adfeea88d0b3026adffa0356a1
SHA1

bc1b255735f03b5f9b4d43cf2f308b9f2531e08f
SHA256

f3e7f68430934e19e618b8d6772b90ac3a7d42369058af3cdd35593266f28604
SHA512

b5a5b0bccee60d3c5ff7507a485453fa8d40b57fe5f214e2373179f8f8b7133f986e9baf505af058fa33499ff5e6a533c39bd4477fe29b1f8ec226361d0a0b73
SSDEEP

24576:QNr57jDMyDt1B1mY7pV71WDOvFDuPGilG0m6gUaxRraJrNtDtPK:QZxDNb3jl51gOvFS+iIIgR0C

Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/668-96-0x00000000000C0000-0x00000000000EC000-memory.dmp	xloader
behavioral1/memory/668-100-0x00000000000C0000-0x00000000000EC000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1576 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

name.exerbmfvturtqrygp.exerbmfvturtqrygp.exerbmfvturtqrygp.exe

pid process

964 name.exe
960 rbmfvturtqrygp.exe
1668 rbmfvturtqrygp.exe
1144 rbmfvturtqrygp.exe

flow	pid	process
3	1576	EQNEDT32.EXE

pid	process
964	name.exe
960	rbmfvturtqrygp.exe
1668	rbmfvturtqrygp.exe
1144	rbmfvturtqrygp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rbmfvturtqrygp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	rbmfvturtqrygp.exe

Loads dropped DLL 14 IoCs

Processes:

cmd.exename.exerbmfvturtqrygp.exerbmfvturtqrygp.exeWerFault.exe

pid	process
320	cmd.exe
964	name.exe
964	name.exe
964	name.exe
964	name.exe
960	rbmfvturtqrygp.exe
960	rbmfvturtqrygp.exe
960	rbmfvturtqrygp.exe
1736	rbmfvturtqrygp.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KHJ8UFWH2T = "C:\\Program Files (x86)\\P4hz\\gdiyvnpdxh8.exe"	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rbmfvturtqrygp.exerbmfvturtqrygp.exeraserver.exe

description	pid	process	target process
PID 960 set thread context of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 1736 set thread context of 1224	1736	rbmfvturtqrygp.exe	Explorer.EXE
PID 668 set thread context of 1224	668	raserver.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

raserver.exe

description ioc process

File opened for modification C:\Program Files (x86)\P4hz\gdiyvnpdxh8.exe raserver.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1720 960 WerFault.exe rbmfvturtqrygp.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1576 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\P4hz\gdiyvnpdxh8.exe	raserver.exe

pid	pid_target	process	target process
1720	960	WerFault.exe	rbmfvturtqrygp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1576	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEraserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE

pid	process
1972	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

rbmfvturtqrygp.exeraserver.exe

pid	process
1736	rbmfvturtqrygp.exe
1736	rbmfvturtqrygp.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rbmfvturtqrygp.exeraserver.exe

pid process

1736 rbmfvturtqrygp.exe
1736 rbmfvturtqrygp.exe
1736 rbmfvturtqrygp.exe
668 raserver.exe
668 raserver.exe
668 raserver.exe
668 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rbmfvturtqrygp.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1736 rbmfvturtqrygp.exe
Token: SeDebugPrivilege 668 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE
1972 EXCEL.EXE
1972 EXCEL.EXE
1972 EXCEL.EXE
1972 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1736	rbmfvturtqrygp.exe
Token: SeDebugPrivilege	668	raserver.exe

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

EQNEDT32.EXEcmd.exename.exerbmfvturtqrygp.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1576 wrote to memory of 320	1576	EQNEDT32.EXE	cmd.exe
PID 1576 wrote to memory of 320	1576	EQNEDT32.EXE	cmd.exe
PID 1576 wrote to memory of 320	1576	EQNEDT32.EXE	cmd.exe
PID 1576 wrote to memory of 320	1576	EQNEDT32.EXE	cmd.exe
PID 320 wrote to memory of 964	320	cmd.exe	name.exe
PID 320 wrote to memory of 964	320	cmd.exe	name.exe
PID 320 wrote to memory of 964	320	cmd.exe	name.exe
PID 320 wrote to memory of 964	320	cmd.exe	name.exe
PID 964 wrote to memory of 960	964	name.exe	rbmfvturtqrygp.exe
PID 964 wrote to memory of 960	964	name.exe	rbmfvturtqrygp.exe
PID 964 wrote to memory of 960	964	name.exe	rbmfvturtqrygp.exe
PID 964 wrote to memory of 960	964	name.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1668	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1668	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1668	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1668	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1144	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1144	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1144	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1144	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1736	960	rbmfvturtqrygp.exe	rbmfvturtqrygp.exe
PID 960 wrote to memory of 1720	960	rbmfvturtqrygp.exe	WerFault.exe
PID 960 wrote to memory of 1720	960	rbmfvturtqrygp.exe	WerFault.exe
PID 960 wrote to memory of 1720	960	rbmfvturtqrygp.exe	WerFault.exe
PID 960 wrote to memory of 1720	960	rbmfvturtqrygp.exe	WerFault.exe
PID 1224 wrote to memory of 668	1224	Explorer.EXE	raserver.exe
PID 1224 wrote to memory of 668	1224	Explorer.EXE	raserver.exe
PID 1224 wrote to memory of 668	1224	Explorer.EXE	raserver.exe
PID 1224 wrote to memory of 668	1224	Explorer.EXE	raserver.exe
PID 668 wrote to memory of 2024	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 2024	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 2024	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 2024	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 852	668	raserver.exe	Firefox.exe
PID 668 wrote to memory of 852	668	raserver.exe	Firefox.exe
PID 668 wrote to memory of 852	668	raserver.exe	Firefox.exe
PID 668 wrote to memory of 852	668	raserver.exe	Firefox.exe
PID 668 wrote to memory of 852	668	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Statements and Invoices July 2022.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe"
3⤵
PID:2024

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:852

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Public\name.exe
C:\Users\Public\name.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
"C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
"C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe"
5⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
"C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe"
5⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
"C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe"
5⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 216
5⤵
- Loads dropped DLL
- Program crash
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kaqfjxguz.fox
Filesize
176KB

MD5
b2eda46f03c3dbf044a6d10834eae748

SHA1
8ed37218304b92928bfaa78f247e56e4aef49783

SHA256
342ce14adb2373ff1dcbf9f8aaf7fa4f2ef71740f832ce30a30d7ec2ae2043ab

SHA512
d8500dd72f4fe355744d6da3b4519f7592c7cf688da8b9b80326bbd197273a93d38c9dfafe0d62edfb0c437ab57396bf160cc92766027dea57871383b42f6ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnaqtrntmcr.ce
Filesize
4KB

MD5
bd64922a9fbc4591c70981a5fb19b9a2

SHA1
2a859e5fcdf032eb6d71e721f0c48ac786a21a4b

SHA256
594727869b87f33de56d81755da0e93ade4ede16bd3465652c9ce3a0027e156a

SHA512
07eb7fb5fb99edb3d961dd33f3249c9072d499790453bfbbc091d0ba8a5f4727fea90f6667ab7708a79688e6c0473249452369551eb462b19f0c4d7cba0ce3d6

Download Submit
C:\Users\Public\name.exe
Filesize
479KB

MD5
c785cff5261dc195e6acaff0f814e57b

SHA1
4a529517826527076af2e7049dbb3b8cb89dcc4c

SHA256
51986665322a79945ae565a363862e8007b3be459855f27c11c062da0eb59db8

SHA512
a1d1b0432cb1842fecba8d5ffb27658ae880cb20786bfe76a959357840b6f23d8e0657dc73b7ea9158adfbaf6468ee24c4574f64d2c152a468ca681b52bb6baa

Download Submit
C:\Users\Public\name.exe
Filesize
479KB

MD5
c785cff5261dc195e6acaff0f814e57b

SHA1
4a529517826527076af2e7049dbb3b8cb89dcc4c

SHA256
51986665322a79945ae565a363862e8007b3be459855f27c11c062da0eb59db8

SHA512
a1d1b0432cb1842fecba8d5ffb27658ae880cb20786bfe76a959357840b6f23d8e0657dc73b7ea9158adfbaf6468ee24c4574f64d2c152a468ca681b52bb6baa

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Admin\AppData\Local\Temp\rbmfvturtqrygp.exe
Filesize
59KB

MD5
4bd233a9628aea8c4a4114f208caeeca

SHA1
2984f0fd5660ad234687acaa6755fe0e8ce2518f

SHA256
6d9aec5a1b1f5038826c321b45b0aeeef4f6704cc479d9fa3a0689bfd576b629

SHA512
0e9f5b440b5aa3062c530e6ae2268ea893c0efe485d539a088835c26ba5811fccf071e8bb8f419d22d5aa0c4a93dba2fb378859c5b3dade030d23954f94a173a

Download Submit
\Users\Public\name.exe
Filesize
479KB

MD5
c785cff5261dc195e6acaff0f814e57b

SHA1
4a529517826527076af2e7049dbb3b8cb89dcc4c

SHA256
51986665322a79945ae565a363862e8007b3be459855f27c11c062da0eb59db8

SHA512
a1d1b0432cb1842fecba8d5ffb27658ae880cb20786bfe76a959357840b6f23d8e0657dc73b7ea9158adfbaf6468ee24c4574f64d2c152a468ca681b52bb6baa

Download Submit
memory/320-60-0x0000000000000000-mapping.dmp

Download
memory/668-92-0x0000000000000000-mapping.dmp

Download
memory/668-100-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/668-99-0x0000000000910000-0x00000000009A0000-memory.dmp

Filesize
576KB

Download
memory/668-96-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/668-95-0x0000000000EE0000-0x0000000000EFC000-memory.dmp

Filesize
112KB

Download
memory/668-97-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/960-70-0x0000000000000000-mapping.dmp

Download
memory/964-63-0x0000000000000000-mapping.dmp

Download
memory/1224-101-0x0000000006C40000-0x0000000006D7A000-memory.dmp

Filesize
1.2MB

Download
memory/1224-102-0x0000000006C40000-0x0000000006D7A000-memory.dmp

Filesize
1.2MB

Download
memory/1224-91-0x0000000006270000-0x00000000063D0000-memory.dmp

Filesize
1.4MB

Download
memory/1720-83-0x0000000000000000-mapping.dmp

Download
memory/1736-81-0x0000000000420000-mapping.dmp

Download
memory/1736-90-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1736-89-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/1972-54-0x000000002F7C1000-0x000000002F7C4000-memory.dmp

Filesize
12KB

Download
memory/1972-98-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/1972-58-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000071371000-0x0000000071373000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-57-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/1972-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-104-0x000000007235D000-0x0000000072368000-memory.dmp

Filesize
44KB

Download
memory/2024-94-0x0000000000000000-mapping.dmp

Download