Malware Analysis Report

2024-10-16 02:53

Sample ID 240626-zv1qeawfkr
Target 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726
SHA256 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726
Tags
macro macro_on_action
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726

Threat Level: Known bad

The file 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Loads dropped DLL

Executes dropped EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 21:03

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 21:03

Reported

2024-06-26 21:04

Platform

win10v2004-20240611-en

Max time kernel

60s

Max time network

60s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls"

C:\Windows\SYSTEM32\cmd.exe

cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\icoi6lau3irx.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\icoi6lau3irx.cs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9F0.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC745A0317A25B44C9A5295B1388E147AA.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 secure.gayporndownload.xyz udp

Files

memory/3952-2-0x00007FFDF0210000-0x00007FFDF0220000-memory.dmp

memory/3952-1-0x00007FFDF0210000-0x00007FFDF0220000-memory.dmp

memory/3952-3-0x00007FFDF0210000-0x00007FFDF0220000-memory.dmp

memory/3952-0-0x00007FFDF0210000-0x00007FFDF0220000-memory.dmp

memory/3952-4-0x00007FFDF0210000-0x00007FFDF0220000-memory.dmp

memory/3952-5-0x00007FFE3022D000-0x00007FFE3022E000-memory.dmp

memory/3952-6-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-8-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-7-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-9-0x00007FFDEDC20000-0x00007FFDEDC30000-memory.dmp

memory/3952-12-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-11-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-13-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-10-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-15-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-18-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-17-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-16-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-19-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-14-0x00007FFDEDC20000-0x00007FFDEDC30000-memory.dmp

memory/3952-32-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-71-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

\??\c:\Users\Admin\AppData\Roaming\Microsoft\icoi6lau3irx.cs

MD5 3d6a86624aed949ac6b72ecfac76ff6d
SHA1 bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
SHA256 b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
SHA512 b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae

\??\c:\Users\Admin\AppData\Roaming\Microsoft\CSC745A0317A25B44C9A5295B1388E147AA.TMP

MD5 a2045b809a28a1cef9cd029c087ef40d
SHA1 e26c0b36c1ae50b06bd5d3a59db5c39dd32b5f58
SHA256 fd784622589e7e6c3d05a1f91b76cd315b1e29dabd52dcce3ee0f5fe9fb23bb8
SHA512 4604bfa641c7888c3219db8485f36a51022da2db2079b7d3b7aff5fd57e17bd454f1d665f0501babe631961f06e5eb660d95d79221010922e492154317890b74

C:\Users\Admin\AppData\Local\Temp\RESF9F0.tmp

MD5 bb0ad78687610883c7f0f6cc1ffcf73c
SHA1 dee8062e1c6e217525edf89bc66a965f549f679a
SHA256 a0f4113062f75845aa89e51502e3a260698f7c804f8048ec1d9491af5a0ed29b
SHA512 48c4a07e1dad1e3524bf9278d5ed4981fcf03575c8d9b5bdc35285a7113debf46aa81f02f4a7f1f2d8be877a5ea63c9bf33d310ea2bcf72833463be8418bb5e0

C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe

MD5 e41e4c64a02480aa1a18581a017cee87
SHA1 102b57582148ea3e0ebb017dee8599fa749deb27
SHA256 8fc0903d877ce418637cc2c207a22f33f678ff704de4d53a8ca6ee92dfbc9922
SHA512 0e1cfdb4eb9aa95e043c05380a6c271602569362cbb6ca2226df84665f368bc22e42f64d2557242a972daf0543714dfacd6b8e289ab7dde0afbce52984a5c7dd

memory/1808-85-0x00000000009B0000-0x00000000009B8000-memory.dmp

memory/3952-91-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

memory/3952-92-0x00007FFE30190000-0x00007FFE30385000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 21:03

Reported

2024-06-26 21:04

Platform

win7-20240611-en

Max time kernel

49s

Max time network

45s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2876 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2876 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2876 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2668 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2876 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe
PID 2876 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe
PID 2876 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe
PID 2876 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tx9pwrvpflgb.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\tx9pwrvpflgb.cs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77EE.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC6D81EBE549C74F0C9EA053A37F8CA9.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.gayporndownload.xyz udp

Files

memory/2764-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2764-1-0x0000000072AFD000-0x0000000072B08000-memory.dmp

memory/2764-3-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-6-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-7-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-5-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-4-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-2-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-9-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-10-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-14-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-16-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-24-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-23-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-22-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-21-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-20-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-19-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-18-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-17-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-31-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-30-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-29-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-28-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-27-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-26-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-25-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-12-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-15-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-13-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-11-0x0000000000390000-0x0000000000490000-memory.dmp

memory/2764-8-0x0000000000390000-0x0000000000490000-memory.dmp

\??\c:\Users\Admin\AppData\Roaming\Microsoft\tx9pwrvpflgb.cs

MD5 3d6a86624aed949ac6b72ecfac76ff6d
SHA1 bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
SHA256 b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
SHA512 b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae

\??\c:\Users\Admin\AppData\Roaming\Microsoft\CSC6D81EBE549C74F0C9EA053A37F8CA9.TMP

MD5 94a974d8227970402968cf2e7bac141b
SHA1 755edcec1ad453c2f1758c6f8013bc1c5a37816f
SHA256 230f902aa9529fb85a0c4f3ac72c72389115b8f701449743248e5513f6f80e42
SHA512 947a41a714391e40c06bc9547f6332d40fd1eabc8c402a0adefe8fbcff8f4d06d63d69dc2008010aa32e9c4c0f8384fe6086f92ffcac5590d004f8a3375e6bf5

C:\Users\Admin\AppData\Local\Temp\RES77EE.tmp

MD5 f6922b9f9d0ee0cff0bab62da454bb53
SHA1 ff17f601ddca0aa358f2c8c847220ed9b173690d
SHA256 4ab1ca76eaea89f89423b1447f63a9b08019a668bec84c8e0abaf7411e2892cf
SHA512 34d43b22bfb87e3a1a84a196f0b27aa3ffab0d08f4b59ac7f1dc9d630e1db2a0192f2323d57dd26e7e73b39d50f4967245227bd826042e972620014a1e68f006

\Users\Admin\AppData\Roaming\Microsoft\yfhcan76zc84.exe

MD5 6ccf81c7296c66fd4d75cc45b041fea3
SHA1 7dfe733b4ac8cdf84acc9340a9bec20231d7bd01
SHA256 3bbc81d6b1be73e9bf47fb67c4a4f2d68fdf4d5c19309ba7a017a476890f00bd
SHA512 8bfe7324c3c2714746200a9c3395ac1bb7520ac6261e5928af4d2c42b298565a5e486236119456e5d06da849975223263947fdc379782526d119d7499675055e

memory/1200-44-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

memory/2764-45-0x0000000072AFD000-0x0000000072B08000-memory.dmp

memory/2764-46-0x0000000000390000-0x0000000000490000-memory.dmp