Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-vavlfafe49
Target 7ev3n.zip
SHA256 ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

Threat Level: Known bad

The file 7ev3n.zip was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:47

Reported

2024-03-02 16:48

Platform

win7-20240221-en

Max time kernel

33s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\system.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" C:\Windows\SysWOW64\reg.exe N/A

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\TV_TopViewVersion = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\system.exe
PID 2168 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\system.exe
PID 2168 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\system.exe
PID 2168 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\system.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2684 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 2684 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 2684 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 2684 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\system.exe C:\windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2624 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2624 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2624 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2624 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 2404 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 2404 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 2404 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 2404 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2472 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2472 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2472 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2472 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2808 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2808 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2808 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2808 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2840 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2840 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2840 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2840 N/A C:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\system.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\system.exe

"C:\Users\Admin\AppData\Local\system.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\del.bat

C:\Windows\SysWOW64\SCHTASKS.exe

C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 10 -f

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.info udp
US 104.17.138.37:443 blockchain.info tcp
US 104.17.138.37:443 blockchain.info tcp
US 104.17.138.37:443 blockchain.info tcp
US 104.17.138.37:443 blockchain.info tcp
US 8.8.8.8:53 jaster.in udp

Files

\Users\Admin\AppData\Local\system.exe

MD5 51edf9d3b666b2ac9ba583912315a599
SHA1 fe4e5afd2efa7276d18899b06c1608b1dc049aef
SHA256 2ca106b9f12b26929f660342133f6bed9ebe019480a587249408bd5523725ac7
SHA512 82c255417e1c61f71380f02298c81f89811817a9a275d8e41a0137fb823922f74643a6d2cbd0f61cc50c259d6be4af1b01c66e59ee1ebc2c3ebfe38bf8feb0b4

C:\Users\Admin\AppData\Local\del.bat

MD5 dda69d69d2bf9994650f6c0df260fd80
SHA1 94041b483a3b0cda19339bddf09f1bd1b2242fea
SHA256 a2126c0c0b9d7401a20582ada62be413320cebb86dff164e5cb91bec7b6aa898
SHA512 7e70d053cd60110011844a699eba9a25065cdb2827fd72f379a67f479eb2ddc346223c39e3c2781dc16b8e07915737aba513b5eae57d38e88d46eae318a579ac

memory/2788-101-0x0000000003630000-0x0000000003631000-memory.dmp

memory/2788-102-0x0000000003640000-0x0000000003650000-memory.dmp

C:\Users\Admin\Documents\8.R5A

MD5 b897695f2a141ad5d4d3a43689995766
SHA1 6481798f95fdb9b2515ac53ba61b3a7ffc67b868
SHA256 58b7bcb5e872ef7ad1582de1c669d6ed419ced828bbd0cd7eff7f3081f62fc20
SHA512 dce5e9c8ff98770513245022bac85ba8babb6838e13c5503e50d6eb2530cacfb208ba19784dbd701a2c2a0a3ef68119b824ddb2b3810829847f2e1bc0a5ee969

C:\Users\Admin\Documents\3.R5A

MD5 89599fa9cbfe8f76bc01aece893ea69b
SHA1 9a2d1dd8a60065895c9f126c71c21630b430cc3d
SHA256 4885851edadb2bc1c4063844d884c3228e473e2848bfc345e4584d4fdd61c11f
SHA512 9e9cdde83441b0f86dd373a8c3cedaedefd1e2f1cac6b6c5baba52d158c7c8eb7a13d06a149659698a67bc661cdbe3b57ee2bb5586c2332e36eae99792085eaa

C:\Users\Admin\Documents\4.R5A

MD5 7750c2660e1280ec6ca5afeff98bff57
SHA1 321429544fee0518119a8a501dc304f181dfba49
SHA256 f59ac0811b36edf973f14cfbdb43af2f4efe03ac5cff231ec76b0e43e5f2fb55
SHA512 982ee3a5c9d37b64572b1772eb748997c878e9d5ae7a3d1748b48c94c9b71fe63dc52d4c3edd7e74c462f7a33f763b0bd49fa10ca833dafd65912c582b051e51

C:\Users\Admin\Documents\5.R5A

MD5 cfaf5a3cfd727880ffa9cad8378ab27d
SHA1 95adbd2fcf96e714925d6d1033777f318c36cc86
SHA256 8a7df45e942d65a653f36662528974c36791687d4f3fcfc976378eb424b38432
SHA512 447dcb4ff4cbe06db57bfcc0c61da1ebf5501805f0664f35ca42e9c28f658ae840adf3a264f276a349b39caa23b845b09b1a5bf3a1345ca6ecae473fc9b74304

C:\Users\Admin\Documents\6.R5A

MD5 b6044f65a414faae440f08df3e0d5e0e
SHA1 5e81f3df21e1a71b6b2f8a92ac5b5d8944325d40
SHA256 53ce41885b9d87a9f8ebd67f00dceeadf289f3eeaf4e48b7c95f8f63fa7c9393
SHA512 45e87e59279e6918c016f5bc5086a67ec17b9647c5fcfa6fbd47dfb213f78261aa40c80a0316979db5e74012a9de1f9b0a221a6209b27a33ebb6ff068d371c27

C:\Users\Admin\Documents\7.R5A

MD5 8a83a64796f007abba309dedb7e2e0a5
SHA1 83452d93d7120f82d6b0a7b8b225ba6d1e736ed2
SHA256 8143db1d3a9d172bce528a3e4bdc10651835b37665c298fc815f5b517084de82
SHA512 d0d2008242da1eecc45fec5673c8dbf8a189060f015968bc69d730fba8bc1a937d3e356dedf46b8bd0e6902d88ffe0d3232804f2b2bf297f86a26a509f3b3148

C:\Users\Admin\Documents\2.R5A

MD5 b53435b65e8e54e8ef0821ef8fc18858
SHA1 a2875aa6726884bbd8a6b7662cf1ea4a132471b4
SHA256 fe6a36cf7c5426a71dd305cba3e45fe3e069e6a951a9880dc6110f7604b8f11f
SHA512 5ed6f091f3a9f97a7c024fd8e2b720380c6310d533e53acecf08ecc6ee9f03a7b54290921bea9adee917de72ff9f707c21d2b3096c8e290579dba2adf90a28d8

C:\Users\Admin\Documents\1.R5A

MD5 efb59856d6da6005405673e22c81eb68
SHA1 d34dcc9df9c4f8b172a9e43c204ee38a2a5febe6
SHA256 17f29595124e30cf515a8fe04239437b32f6a0edbcbd22bcfb373be3bd2fbc23
SHA512 71898e1fc305f5d992bcf7949eabf3ad52290df29a3742ebbabccae407ba2b676fb6e74a8c5c1867be501ad6d22c46780d45e8d3befecbc2f502d76d4834ffa2

memory/2848-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2848-122-0x0000000071D1D000-0x0000000071D28000-memory.dmp

memory/844-123-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2848-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2848-125-0x0000000071D1D000-0x0000000071D28000-memory.dmp

memory/2252-126-0x00000000026E0000-0x00000000026E1000-memory.dmp