qakbot | 51ff536b1f12c59753e3d3344b8df232c3fd7aafb49bf782e54058fc8f220e3f

Analysis

max time kernel
209s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 15 IoCs

resource	yara_rule
behavioral2/memory/4332-6-0x0000023075AB0000-0x0000023075ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4332-5-0x0000023075A50000-0x0000023075A7D000-memory.dmp	family_qakbot_v5
behavioral2/memory/4332-4-0x0000023075AB0000-0x0000023075ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4332-0-0x0000023075A80000-0x0000023075AAF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-9-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4332-21-0x0000023075AB0000-0x0000023075ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-14-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-24-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-27-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-26-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-25-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-28-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-30-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-173-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4044-174-0x000002057C170000-0x000002057C19E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 11 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\85008544 = 05d03ee7101ae592090aa2e0362030a5b7b0a5bfa82ca0f54bbb7312a99d5ed4100d7f7457914b3c7e8b6cfac6630b0a7a64190579899d8f8b83e2dfdb1838c804defde350b4fb80129dffe7c8f13dea1192108753202aee8b3103b59c305ceb218428ffa0ba746be684ccfd0f8d607dad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\9a4f9e6f = c6aa8dc33feacd326b5dd762066e82da15fe3dbecab2c0cbb39d1f05ee50e6906fc36dcd24cdafd2c82633c332783f052396aecc0118ed96a856deec09d9c1be86	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\cc67d6a7 = a768d3a707fde35e0e13e41ef43bd7886ed767bb1ec79f1f512c7689e490fed8b4d3f62d80cae23cb287be723bae5021177d9aeeea7bb33090fa0f08885baed9c0f8113a34c4c1be1f2fe9b139235a35daabc478cfdc3b8501516b0dbfc7f74bc17f8fc16413357cd64789353a18f90d6800dc48b01c809bf1f9f6ae169390af5f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\cde08b20 = 4545d7597cde7fa270f59de1ffbc436ede8eb3e10479666536769032640793b609b10859cfbc2bbc452a2dc36ef7342b49aa062de975e91e93494c4bf466d5fb039243ad50e0606b8f050207e62ca28b5489ebe27089ae24dad7be9e63fa96bf8d684676957e90f7124c811be45219ce80	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\9bc8c3e8 = e4e6ea6660025e2939115f5ef6854edf8e9f7d5a90f7e2f5ca91078f98beba6ee8ef06fc188c35a9a7cc12f739537ea5b418930b9c37b4ef3e2bb4e3df8b715dd4322e4e986a606b594d0d161267b94db6d3ae0b4b9cdc562c252cca7516a009e9755ea7b66049b7434ba4b06170f3b0440c8f26f0af6ae83a8eb52826e3ae1fc995f0e51b4b8b41cba0d1ccb555ae754cdebaffc33bc728755c4d8164ceb6280109dff5aa50653fbfd0e7be930bd48fba0358bf512f5b46d08ae85f5f296803e0673306d621e7a8e8a3f6e95c1ce4891f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\56e59ef1 = 04a47b2f717179782330796e0c0459e9e42dfc4231241458c5d5c860ccbee5b40e7b85285c3698b1f0c1e1ce48a1300ec6ab2909e5047f52503be817bdb9231d617fb627561ebc4c57c2b7bd20f57ca2e020493f270a5246403c0d9f6fd6533ac6cd25a2acd5f30a06f31e0015736177ebf588e1d2f39540d77b92aa52689286ca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\5762c376 = 650e88477bbf8b431b8cdd86dc87134756699e6591b1ec3ecf60c9538ac866810645b53d2a3fa0937a4d80197fd1b2c1be	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\cde08b20 = c6b68eee9adcc14ae404d168a58a0fd383547bbec015dd47467e3900c197044db41405468d4ac97ac83a3c9b29b80488f011ed15f3fcca2dc9afc2185a7e8e1b5c81b5ab2bdd10938aea4b1783b52ea0e7b37a6b51b5a6c29dd03645e8a57f08ce17af14d69c3f56b8f7472854fe7af83f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\cde08b20 = 2653af6daef2841d67f4b7ea2c8e192a004dae349c0fff2f7742d094009e96a45f0d7d5c27fbd7d5ad07f6380cff44866e2214f4af0c6cca93a3702ac23357317747c4f3539cfcbf38bb92544cfa75b24409bba032ea8e0b726e5589651b216700	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\mvaokhkaqrgrz\49aa85da = 868a3c416cfdcce224cd1a34406d1596bd2c910bdeaf4d7bda4af6a6683a533504a538abec80b2c8884d980cb1a3b22b0cbc6ea416134138c4fc4a6dfce8992c3949ca44d51466316baddaf70f165dacaf185b5024c76b57ccbe94a2e330985186f9c99ea4b8181755d7f50f1fd903de2950c7d170934b0b9799faca23bac35bff	wermgr.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3968	EXCEL.EXE
4452	EXCEL.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4332	rundll32.exe
4332	rundll32.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe
4044	wermgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
3968	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
4452	EXCEL.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4044	4332	rundll32.exe	89
PID 4332 wrote to memory of 4044	4332	rundll32.exe	89
PID 4332 wrote to memory of 4044	4332	rundll32.exe	89
PID 4332 wrote to memory of 4044	4332	rundll32.exe	89
PID 4332 wrote to memory of 4044	4332	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\t.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4044

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExpandComplete.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExpandComplete.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MergeWait.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
fb6d48dad9b7772689e7f825b3774772

SHA1
be3ec403f876cc98263290a8fd1c1b5e55649098

SHA256
d21e170115828f1cab36a101f06c2212596bfbc6bcdae8ec2cf34e48fbbe6f19

SHA512
ac808ab2652e911fea4a3177102bca8e24245be005e49960c8dbce32a061c264551e33bbf7396ad120342d7e7fc9d8d9c9bcbbd182a5537d803b6cc18de63afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
d5dc0b6ef71a194359b5ff4a452cec7e

SHA1
70f8a0dbdb03636d22620fa78cf8da269515ff20

SHA256
092fd3fbc673ee363b1d5c94e1d6d04a745c9aa086d4a0fb67fc68dd32e877c0

SHA512
d90da914d31123ba97ed9005410aef5032cd0768c9382519f61338f311b7d7a8dc7b15e3cddcbaecf1feb6f5b44b76306e863d04a32f93c9b47000b58427161c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AB2ABB9B-8D70-4259-9595-15A1CCDAF893

Filesize
170KB

MD5
fc08624f7a8698f38c0c25bf40d8aefe

SHA1
047300b012186c347cf9153fc8cbb69b43e70537

SHA256
1a3d007461c7c03b5d79947e09837b764e2f1ccd741a3a0d33e9cf3ba8b4b548

SHA512
469adf40640364e39fa479653780644ab71a9f9d6cd21e5460de3f3d582436548cc2b3d656aa207cedf8ca2bbb772878b2c2ef77eec1556dd14bec8d04207342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
b65fd7d922a9d8a410cd3c64ea03ee5c

SHA1
787d1ef29c0f47b12f0b293d12fc9c4b27c235db

SHA256
94d4cabfbda9ca9f88da1b35f86912de60145c12ba97ae27d90fa79c8bcc9199

SHA512
94eb8e95f79f52e995e859a6582096c40e60d02b6bab93e610884f3d4f242cdca00b6c385e747f45c58004fc045edcaf87a275a12b027889941371798b66d03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
e4636498b473b8be4cdef8eea9cb6ee4

SHA1
c94105ab355e65e71a4625d3173f7efb07834932

SHA256
190397769266b1fbe57ae016f22501863c97d0a1c6def7f3518f0a688259c632

SHA512
b88a3c49437226f22b7977aea799da45a9586404761d71019e824b6427fc77b1077ec0e49609950459ebe2d627bc68bbf251547c12ab2fdc06ff199a9fc71418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
05556fa518483f5ef89327c0c14d40b1

SHA1
3547d34acbdd88608997dc19606c0c3cd234af2a

SHA256
123b59e6a427c8670bec5da5bf27f267a820c3abd4e52fe97be00d09cd1cdaf9

SHA512
1bbac14c27b5c031c0c4a3a4c0361ec231b0b6f331c1728cfa704c2cdd4bbd61eaf5306c857447d9ef37bccf357d801f3158687686a5c5f502a1fae3ffc8a6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
3626ba373e1c12993f99bf988e85411e

SHA1
a155d5e91cae270c905f4286be9475fe0ac672c4

SHA256
5a421eccb5ab72da0b66f7e8ab0f333d639b23028998a3bc8562858341b7c27f

SHA512
c64b70256c62fdc9e85c5654399632df793c239d265163d7a59cc1db96f894a1e9f0f379b03359cf712217b9ba3d5abc9baf3895b34cf303ea2732a3e3eb6868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\ExpandComplete.xlsx.LNK

Filesize
547B

MD5
7f5f0798f4abc934390570ba59df787e

SHA1
e9eb5271c27fb84a009b4a54a9f77acaacc8976f

SHA256
0b2095c93017117356cb607b1a67445a5a987af325c9e6958edf0c1ab820324e

SHA512
1cfad3abe38f5cc0e1d36952a5780b71f0c20ba180490c8cefaafd4364871874c41359663b125d7d24b58db46f71be4e9ee2b1f4f8d6a8622fb29856d1fe4ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
315B

MD5
0453a7b9cbba0468b81671daa9e69676

SHA1
acd99c7984fd6ea829604a579c038787e8c26eaf

SHA256
1c75025071d73afbc53804f9ab2885d4c3db4e7a81b7c29e3486f1a912df43b0

SHA512
8026426644333a67b6a4f35a02761dc006f116ba28bcca5fd7bf08a98422617f6646495e2fc0a8f7bde0b1d90696dec9879cd876c23a3a44430904d7ad07a8d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
315B

MD5
aaffc0862004a6021adac96064846153

SHA1
2f564286955efa1e633452e254861f3b2b584bc7

SHA256
9fe125ca330fe0da9ebc4d35305fd3666c6477c318c89fce3d891c6d2d56e540

SHA512
fc83dc1a45d62900628291bb73f947b46388908102e27cbecca1515f1477a54d067ffc32a2f748aea6c0a993806cee884a41f3a4143f56183263163fffac9148

Download Submit
memory/3968-40-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-100-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-32-0x00007FFC61D6D000-0x00007FFC61D6E000-memory.dmp

Filesize
4KB

Download
memory/3968-36-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-35-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-37-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-41-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-43-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-44-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-42-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-45-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp

Filesize
64KB

Download
memory/3968-96-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-39-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-47-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-48-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp

Filesize
64KB

Download
memory/3968-46-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-38-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

Filesize
2.0MB

Download
memory/3968-34-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-31-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-33-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-97-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-98-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/3968-99-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

Filesize
64KB

Download
memory/4044-173-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-24-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-26-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-25-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-28-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-30-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-14-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-174-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-27-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-9-0x000002057C170000-0x000002057C19E000-memory.dmp

Filesize
184KB

Download
memory/4044-7-0x000002057C1A0000-0x000002057C1A2000-memory.dmp

Filesize
8KB

Download
memory/4332-21-0x0000023075AB0000-0x0000023075ADE000-memory.dmp

Filesize
184KB

Download
memory/4332-4-0x0000023075AB0000-0x0000023075ADE000-memory.dmp

Filesize
184KB

Download
memory/4332-5-0x0000023075A50000-0x0000023075A7D000-memory.dmp

Filesize
180KB

Download
memory/4332-0-0x0000023075A80000-0x0000023075AAF000-memory.dmp

Filesize
188KB

Download
memory/4332-6-0x0000023075AB0000-0x0000023075ADE000-memory.dmp

Filesize
184KB

Download