Malware Analysis Report

2025-08-05 16:22

Sample ID 231023-t1np5scb87
Target NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls
SHA256 1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757c
Tags
formbook sy22 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757c

Threat Level: Known bad

The file NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls was found to be: Known bad.

Malicious Activity Summary

formbook sy22 rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Launches Equation Editor

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-23 16:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-23 16:31

Reported

2023-10-23 16:39

Platform

win7-20231020-en

Max time kernel

150s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2628 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2644 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Windows\Explorer.EXE
PID 868 set thread context of 1300 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wininit.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2876 wrote to memory of 2968 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\audiodgse.exe
PID 2876 wrote to memory of 2968 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\audiodgse.exe
PID 2876 wrote to memory of 2968 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\audiodgse.exe
PID 2876 wrote to memory of 2968 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\audiodgse.exe
PID 2968 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\audiodgse.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2968 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\audiodgse.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2968 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\audiodgse.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2968 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\audiodgse.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2628 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2628 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2628 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2628 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 2628 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
PID 1300 wrote to memory of 868 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wininit.exe
PID 1300 wrote to memory of 868 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wininit.exe
PID 1300 wrote to memory of 868 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wininit.exe
PID 1300 wrote to memory of 868 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wininit.exe
PID 868 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\audiodgse.exe

"C:\Users\Admin\AppData\Roaming\audiodgse.exe"

C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"

C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"

C:\Windows\SysWOW64\wininit.exe

"C:\Windows\SysWOW64\wininit.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"

Network

Country | Destination | Domain | Proto
LT | 141.98.10.13:80 | 141.98.10.13 | tcp
US | 8.8.8.8:53 | www.hbiwhwr.shop | udp
US | 3.33.130.190:80 | www.hbiwhwr.shop | tcp
US | 8.8.8.8:53 | www.91967.net | udp
HK | 20.205.142.141:80 | www.91967.net | tcp
US | 8.8.8.8:53 | www.vaskaworldairways.com | udp
US | 97.118.142.92:80 | www.vaskaworldairways.com | tcp
US | 8.8.8.8:53 | www.mercardosupltda.shop | udp
US | 8.8.8.8:53 | www.sarthaksrishticreation.com | udp
IN | 119.18.49.69:80 | www.sarthaksrishticreation.com | tcp
US | 8.8.8.8:53 | www.travisline.pro | udp
PL | 188.210.221.221:80 | www.travisline.pro | tcp

Files

memory/3024-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3024-1-0x000000007251D000-0x0000000072528000-memory.dmp

C:\Users\Admin\AppData\Roaming\audiodgse.exe

MD5 df247bbfaf91dbe0da4d79a04cfb5ca3
SHA1 0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa
SHA256 354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579
SHA512 ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

\Users\Admin\AppData\Roaming\audiodgse.exe

MD5 df247bbfaf91dbe0da4d79a04cfb5ca3
SHA1 0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa
SHA256 354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579
SHA512 ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

MD5 9e519a78d2ee0e4fa641187866bc9703
SHA1 549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256 c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512 a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

MD5 9e519a78d2ee0e4fa641187866bc9703
SHA1 549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256 c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512 a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

memory/2628-26-0x00000000002D0000-0x00000000002D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iomgmdsgtbq.p

MD5 60d116c175aabe2c06bdd949a101127c
SHA1 63bb316383b4706d43f7882ee545031c4cac2505
SHA256 ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76
SHA512 d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9

memory/2644-30-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2644-32-0x0000000000700000-0x0000000000A03000-memory.dmp

memory/2644-34-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1300-36-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2644-35-0x0000000000480000-0x0000000000494000-memory.dmp

memory/1300-37-0x0000000006CB0000-0x0000000006D9E000-memory.dmp

memory/3024-38-0x000000007251D000-0x0000000072528000-memory.dmp

memory/868-40-0x00000000001B0000-0x00000000001CA000-memory.dmp

memory/868-42-0x00000000001B0000-0x00000000001CA000-memory.dmp

memory/868-43-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/868-44-0x0000000001E50000-0x0000000002153000-memory.dmp

memory/868-45-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1300-46-0x0000000006CB0000-0x0000000006D9E000-memory.dmp

memory/868-48-0x0000000001D30000-0x0000000001DC3000-memory.dmp

memory/1300-50-0x0000000007020000-0x00000000070D0000-memory.dmp

memory/1300-52-0x0000000007020000-0x00000000070D0000-memory.dmp

memory/1300-53-0x0000000007020000-0x00000000070D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55C1D863.emf

MD5 a01b9617553432807b9b58025b338d97
SHA1 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-23 16:31

Reported

2023-10-23 16:40

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NEAS.1f30b513d1315b7a9432f9cf2937d5c4728455fbd7c681a552b94f57a849757cxls_JC.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A7D7B60D.emf

MD5 d69c22a341e111feea69df6d8c655d60
SHA1 ac862337f2efa43627508927f5052ce694012206
SHA256 05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db
SHA512 d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c
