trickbot | 804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19

Analysis

max time kernel
163s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attendees.xlsm
Size

535KB
MD5

b556307e1e6462a9aea5dc1f76667d10
SHA1

e3525ffd85d51a0a502012492ed1ef54d22eec88
SHA256

804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19
SHA512

51666a80ae3ae2ba69954f47e36521ce08cece8dd258498a7cf88e6c2586fa9a66776c78d68538bca5568965ebca87e9d04ce79db2c2388716ab73182af7164b
SSDEEP

12288:E9ijex0VbLbGeH+59SjrPImbT4XXO8RGNQpRtL8PZY4krmStNpc:E9fKVbLte52rPImbCjGWpj8BYVmSt/c

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

tar.exerundll32.exetar.exerundll32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4724	3144	tar.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5060	3144	rundll32.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1272	4708	tar.exe	103
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4128	4708	rundll32.exe	103

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 4 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

Processes:

resource	yara_rule
behavioral2/memory/2312-56-0x0000000002BC0000-0x0000000002BF9000-memory.dmp	templ_dll
behavioral2/memory/2312-60-0x0000000002C00000-0x0000000002C37000-memory.dmp	templ_dll
behavioral2/memory/3568-258-0x00000000026C0000-0x00000000026F9000-memory.dmp	templ_dll
behavioral2/memory/3568-262-0x0000000002700000-0x0000000002737000-memory.dmp	templ_dll

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid	Process
2312	rundll32.exe
3568	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 50 IoCs

Processes:

EXCEL.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe1100000075b15b64d7e4da01f0936d6adbe4da01171b422c0c17db0114000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000075b15b64d7e4da017d75dd67dbe4da01d1d7df67dbe4da0114000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	Process
3144	EXCEL.EXE
4708	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.exewermgr.exe

description	pid	Process
Token: SeDebugPrivilege	4040	wermgr.exe
Token: SeDebugPrivilege	576	wermgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid	Process
4708	EXCEL.EXE
4708	EXCEL.EXE

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	Process
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeEXCEL.EXErundll32.exerundll32.exe

description	pid	Process	procid_target
PID 3144 wrote to memory of 4724	3144	EXCEL.EXE	85
PID 3144 wrote to memory of 4724	3144	EXCEL.EXE	85
PID 3144 wrote to memory of 5060	3144	EXCEL.EXE	91
PID 3144 wrote to memory of 5060	3144	EXCEL.EXE	91
PID 5060 wrote to memory of 2312	5060	rundll32.exe	92
PID 5060 wrote to memory of 2312	5060	rundll32.exe	92
PID 5060 wrote to memory of 2312	5060	rundll32.exe	92
PID 2312 wrote to memory of 4040	2312	rundll32.exe	93
PID 2312 wrote to memory of 4040	2312	rundll32.exe	93
PID 2312 wrote to memory of 4040	2312	rundll32.exe	93
PID 2312 wrote to memory of 4040	2312	rundll32.exe	93
PID 4708 wrote to memory of 1272	4708	EXCEL.EXE	108
PID 4708 wrote to memory of 1272	4708	EXCEL.EXE	108
PID 4708 wrote to memory of 4128	4708	EXCEL.EXE	110
PID 4708 wrote to memory of 4128	4708	EXCEL.EXE	110
PID 4128 wrote to memory of 3568	4128	rundll32.exe	111
PID 4128 wrote to memory of 3568	4128	rundll32.exe	111
PID 4128 wrote to memory of 3568	4128	rundll32.exe	111
PID 3568 wrote to memory of 576	3568	rundll32.exe	112
PID 3568 wrote to memory of 576	3568	rundll32.exe	112
PID 3568 wrote to memory of 576	3568	rundll32.exe	112
PID 3568 wrote to memory of 576	3568	rundll32.exe	112

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:4724
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4040

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:1272
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
5c70e4c7473a751dd1c49bf0b8f15552

SHA1
449e8e29b512b3377a4d012d42f29cfd6dc43b8c

SHA256
606bdc54867bc753f1bb3c16c8262e17e99e34639a9fbd9f5e5e07cacf885fff

SHA512
5fdfdf6e0187fa8c259babc8926df771c656f4541fb4809516d3ebcc8b2fb92cd960670cbc8fd6536fd081e041331af6f40064db6fc9bde6de62a393c5340e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
60cfc5deb8d45f5abbc920b28f30261b

SHA1
aed7937d2c38f602b8043745afb5a3712156adbf

SHA256
21511372fbaae2849057a29f03d39d76ac8803129d394c625ce6f918adc5a49d

SHA512
6ff75fecb640d0636b3261afa19c59be12ed938850da7e431fdfa201ab7f293cde374fb17e309bb0865b8ee3f02da898699c14305ee993da7efb4b43c20118de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\BF9991AD-38B5-4EF7-80C6-FC639085AFBE

Filesize
397B

MD5
2f82426450332b558a61ae9ca551abd9

SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\C4B17461-6E12-4E07-A569-70FA444E1B35

Filesize
1KB

MD5
85ad173999ed440af6120f3b4fd436fa

SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3

SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\44F9C876-ACD4-418D-B993-3A7F30B41401

Filesize
172KB

MD5
21ae4ac1d27c72da891e6225eb2a61b5

SHA1
8e18241da323db957719fc1af78ff24f70701b06

SHA256
0fc7786fa951e4fd162d8cc0824b6ea31229d2ba0028e3692497ae7ae74cd0fd

SHA512
fc52acd33e43cdf299009c6b575aa464a72de418e30cddb34b4330a6df5caf8772e6475f4a442e1433e7e8899e327db5e4f69f9c9f3a6ffbaa9428137625349d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
322KB

MD5
317f1f9edf5959a34124294155ba2ebb

SHA1
494e587b8a5bba0e7c486fa43417dea9cc48e6e3

SHA256
2c90ea17b0fb5989229335f384fbcc84e07fa6f42a9f41f87588b8d474101f26

SHA512
2a3f4f97ee09fe340d39dc8bbef48c7cbbe6c1d63f71a14cef4694436f50c8d6d48b73be47103d7f3acc26902fcaa69040348e907396cd1aa2299ebedce462c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
d41c635226b073d7965839b13fbbf8cb

SHA1
5436f73e6b13b5373ab944a623d0e7edf988f017

SHA256
b7c7c5886546935a2d733f05f1f48aeab456d8c54f59b1eb0c8d5fc5eb758c39

SHA512
2edc189cfb297d1ec82a669ff3eb57a991a980859a13d21603f1df606c22c2ce783f4ee3e07d2ca00f834a330dade08247725116adb3e4d932d29b26e0796277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f14fb1ca9a9537294b973ed47a78628f

SHA1
2b7479323a7f864375262038cb63667d4fe9f172

SHA256
d42ba880a5c68e21be990a696e4646a56a4e499ae518ec482b2e89c4def9eb24

SHA512
777227796bbaa462f7ec601e84fb831aeb5af3bc3cc3ec3af7ba5d6eff39e21c766dc119f300ead3a191e7dfd66a17febd786302e13f583b6286a4029b3ae6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
5feac4e4c9a07392e6f9a5672b10169d

SHA1
d8033f0cbb2e3856e7e9f8753788c18ceec54a1d

SHA256
b5d366d170fb8b4d7ad6b840af2f10600db5d65b2e35a84081384873ab9a0db6

SHA512
f6b0ad859cfc20fd551fc444ceb5ddaebb93fba97be66713ad2d87e862cceb878638e1c79bc47fcdd2a4beb739cbaf531ed5ca32aa1c372f2e795d2a4abfcc05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\attendees.xlsm.LNK

Filesize
522B

MD5
03daef91b1124c7dae24929dc2e5987e

SHA1
a2c7f24feff34c0a80b5b350e42b5111064e835c

SHA256
78ff45e864336a0d01305abba09a770bd89981bedbbc686217fcff47f5077bf2

SHA512
cdeed1203fa8703aaef7a0d529efd895b83c49a29d257535aa93252605242b45bfa11fd21ce22185482a395447215dc85b09ec5441ae8dad849f245902fbfcb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
364B

MD5
9948b36454c69c34a20154d05a273ad0

SHA1
1d03ab499b323cc737191549ffaedc3a38d13f6f

SHA256
eb6888a0763ca3b77d96150bd1a1d286e7e64c8d2f9712e072f78cc4d93e0471

SHA512
2d7be17b71f3ace8ea46d3d0ed1867e03f2bfef5a4d3723f2f8f2ad8d6527beda5910c2ee281d43a5065bfdfa6ffebc6125eeca983ab7b1ccb9c13a69c248583

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
707b3b85d023d950640da366a63566f3

SHA1
d7d546e7fca7df30bd196c35b5ccb1f2c26efc40

SHA256
a2f7a882eb5ca77aa93990744270a0c20b46d0d04810e9e7d02a317d9dc2cb5a

SHA512
20b41e2f2e9eb8f800507768c5a3eb8d18c51a4be85f0778ca356f935b38e2b18ded60d058321c608e97802ee66c07b93ef9bed87c187e01a71158dbf6e492af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
386863530e6f1c12abd842c703942194

SHA1
60526da9712f9f5ea705ada558b769fe9b40db7f

SHA256
88e1993ca77f75cd3285ad836f34086f8784d9dfaced400309d346e36c1772af

SHA512
cd47584e744473497a5b57a89f87e8fb7da559dc24d76fff84bf049d20fc53e24a90d11fb465752eea5ff04f125ea37ded2dc68a0eaeff9a656d43e3108c8a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
958c21faad2f720ac5b58b019b1f6141

SHA1
c506db485bdd8779114e0b6d59ce5d98f7aa2474

SHA256
cf792e5c0e9e8f8cc208b735d83df226f959339feb380cc5b2309849d17e7af8

SHA512
6dd2a650a704d42609fc3190c892faf25bd1e3f4ef200ef33b1b1043ea87d759e34c8c844d53df6b49337477a3c54ca6f7601292eb45356900fcd50c930a07b0

Download Submit
C:\Users\Admin\Desktop\attendees.xlsm

Filesize
535KB

MD5
f1c4d209b9c87a691c3bf46e01c24325

SHA1
541e28d36f4e958b99b35082c5a266a177691486

SHA256
d2c2c605b211ea4e99370c283ca53fc1880b6fafa186ae94fe49d13c6f4ece26

SHA512
a1477a530915a7f4fad168b124feb3b2dbe63f2c8f6e984fb79e88db0a69c1d056c6779d015f12c633df5d76326556f71a564377931f1c98df9f143e87cd88e9

Download Submit
C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
17572d5b363a24e869ee82d7552a519f

SHA1
7cea8e8199ca9b1f10d2d915ef8b4b94bba40daf

SHA256
4600e2577529005f10bc00a2d9839f80949366e4b590892558699065e44b4008

SHA512
4872334392710f1ff865489e443a94a2c3f8ccf8a96efe8ddf5fa7bfd4528e3401a34f53809070722f32a1ae3f8d7fbd5f34f034eea557e0f7729ac172c32ec9

Download Submit
C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
4629a82337b52195c323db34fde5da6c

SHA1
d010ee784bd6052434d9f6993eb5fa79b7e4c295

SHA256
33e5e73aa77876076f2b56e41e0b4bed6dff86e883c6453133d4f063966a5b43

SHA512
833e6ef594dddf550f3fd90873d233e901d8822aefe6ff5d8fbacd7ed351807b07585ccebb789f994b27dd2fa90fd93269a14995a1cedaebaa143f89698d88ec

Download Submit
C:\Users\Admin\[Content_Types].xml

Filesize
1KB

MD5
91621ff3f98ac0a30c10cd6ff11a6f8f

SHA1
36223b5d4e4756ff9065c6fc0b2762995caef51c

SHA256
14e2dd14d74ea174fb70fb58a84ace0a8403297b74929ef7309b197c6f095911

SHA512
b352cc6fe0ff7df49723290da7b7c37edfae0223bcf567a4b9042a69ba73276f53b4097a5475720a5e6576d3df1fd7101b71e27d08612983c1f04d6c8f5adf6b

Download Submit
C:\Users\Admin\_rels\.rels

Filesize
588B

MD5
69984e911a8e36d7f6eab75bf36c6d01

SHA1
255a73c97d1feca34a138cfd2d69ac422e73d207

SHA256
73e5a29f48d5ab979eeda062493bc7e679265c1344ef936978b8becec5549497

SHA512
4362fbc18aced124ef3178a28ce077ed32b309108578e1ddee11326d2af568392d3603b3aae96b3a408c0049a788e42d6a2d04c65468918017d1257af692b0bd

Download Submit
C:\Users\Admin\docProps\app.xml

Filesize
968B

MD5
1932796a97dc576b90011a54f7251603

SHA1
4e1760108a6f9558dcae52e700ad909300b1e087

SHA256
99c76a212af7a0b4b607637816abda0301e2347ec96ff4eceb33dfa01db1223c

SHA512
4ea731e52445ae316736c117eb4fcc43270baf4a5fd1bf8a9f14e47affce6a3aeff9ab07a2030aac56335c9ce114fb02ffed92bf363e78b93eb932aa8d276aec

Download Submit
C:\Users\Admin\docProps\core.xml

Filesize
604B

MD5
20cbe176716a59b9dffc7cb0fef91962

SHA1
d5b6b8b9b2db9266d051051800d02c6724545aaf

SHA256
4fc143760812d00a09310ae1ffd14f581022e9924e066382f358768e32321a7e

SHA512
69bcf6d704d63d1f2ab0f550d1724a8fe2798bfe23b36a69f0627481e0523a476ad7d026e136455d4ae131fdb3b5c97f683dfa20bd686a1d7b2837d91018821a

Download Submit
C:\Users\Admin\xl\_rels\workbook.xml.rels

Filesize
1KB

MD5
2a0d4d6585150e29fd441707480c5ec7

SHA1
bca5b7b39fec96f13e215ada6053d32adb47419f

SHA256
d006cefac7d937d8a93cc1fd9ee78472a1dc0edc2d959c08f3a8f50a7817f6fd

SHA512
c9e8d00fe48952ddec7e798fa03a58abb42e477f47c4896b77ebee5451e6b6932901808f5f773e0119fe7222b439e9377e0e88285b9b135f5b9d93806a7367c6

Download Submit
C:\Users\Admin\xl\drawings\_rels\drawing1.xml.rels

Filesize
293B

MD5
ba93cd25ab2e6505f947208f833301c3

SHA1
208bd8f1169da5c37ed3ec074018a97e50555a2b

SHA256
551874bae68eb9dcecb1875260e298e5644e8cfa6a4729e3ed687d419fdf5557

SHA512
e4b6945a2a00d7e7210938a624e6027bc335983b9a47f96f7af6411416aa82a7bba9d083fefc87d55a854bc16793fed67e08344ffad883abace513900c2b010b

Download Submit
C:\Users\Admin\xl\drawings\_rels\drawing2.xml.rels

Filesize
292B

MD5
10ecdef875e382885e3a37fecd104541

SHA1
95794b676fd2170bc8189d234b402380651f49e1

SHA256
d7b26854d59f1a46ca1c6ae6ab888a6cc9d235d12e74bcfc91f2327fb1a6964d

SHA512
6ae2cabba9b322e250202dde283223085e2009c0e765f639c9307305b5da08664ae40d5a2c8926434f3a80e9ac3206c732a8699f767b60683102458897498f94

Download Submit
C:\Users\Admin\xl\drawings\drawing1.xml

Filesize
1KB

MD5
0abbbfcf578e0cfbc52714ffcbd34f10

SHA1
9d1020809ec19a818972b421edf7b0e6d4b2a91d

SHA256
ad333976eab1f74a05a43f8cb8f9072242eba709a1ad37b791e1fe520d4326e0

SHA512
88cc34d6924fc63a84b9bbb01ee203a07e70ad109eecba0001351b4c21c5e8373d87e98bdb4490eb420e4950db3609c784f5abd09286ac4e24df160c40930715

Download Submit
C:\Users\Admin\xl\drawings\drawing2.xml

Filesize
1KB

MD5
61db3044f2315ca88fd9369d85a7bb07

SHA1
13920eb4e8db9a61ce185c85f113f8949e4b1d29

SHA256
1dc0bfaf1103873b404dd5c40b3656abe9b803b8d3bce394338c562f43a31530

SHA512
dcb34c9cc3016ed4c796febd6f042bb4407dcaceb6b86022dfb17f7bf59ccfd8a2ef4442680b04498a2ee4d447d7c3593d6ed1d3562e71f4f8ccd798b884c47f

Download Submit
C:\Users\Admin\xl\macrosheets\_rels\sheet2.xml.rels

Filesize
322B

MD5
84e8b9d96cb68587472f221694514bae

SHA1
1153e0247e5f563531bb39e1d59a338b57068e3c

SHA256
65cefb6727e21f882eb83bb6c10370afa59aafda7f007f531df0c30026dc4684

SHA512
c54575f7f9b606cef756402f4f47023ad4ea5184dacac830716585c68fc43f37d047efc531992a5510f879735ee1aa08f6c704711a25600761d0907f759271e3

Download Submit
C:\Users\Admin\xl\macrosheets\sheet1.xml

Filesize
1KB

MD5
0b393e7f0f425567fc907890841fedd5

SHA1
7b4095fcd26d8cd4094e7a7b27a3276f4c5878e8

SHA256
27d4e33f73f1a260fa564bca6053f074c8b991489b47d3c6cf5c274fc21b3e00

SHA512
4968355eb9b85bff2b1e9ccc69bb5b690645e4662a07f8c9e083043ac89271a2311d78a4314143b838f748cc2f3252d303e7d0cb9bfb8aab33f896a9491e52a5

Download Submit
C:\Users\Admin\xl\macrosheets\sheet2.xml

Filesize
2KB

MD5
5cecb55984dbff762af53af2ad6470b7

SHA1
53530b5b2f67b23bbc6a30a26cd01ec11e68e4d6

SHA256
af7be7ad0c8fc433f7ace58c4e89b9401fa3fc7fc0d4ec131bbfb8c26808456d

SHA512
94602b10eb95b8c826cc9905653e93aa3fa8d93fd121e4906658b18f1706b02170a3242b395df5df4dc742bbbec286f5db3580ef01e47ba4a8865397824cbba6

Download Submit
C:\Users\Admin\xl\media\image1.jpeg

Filesize
181KB

MD5
a6e3680b30cec6746291e55b7d9b6975

SHA1
e45c3a057f840ef4c96ab8233e1e21700bbda199

SHA256
89934494b26bca1a6b28c2d262392548fa12cebdf648e5f2dcd793cbf71fb261

SHA512
fd0de48198b51f437adffc5a0f12880334047d177e67d92199efef09f697fc0771d738b28e47eab17fd52a772ae74ceafabfd0f7253c526b86d5add4912f712b

Download Submit
C:\Users\Admin\xl\media\image2.bmp

Filesize
496KB

MD5
814071ec92b0429d274082e3993aa5af

SHA1
0f191570dcbecda0c18c48eac960c0def6779e2f

SHA256
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

SHA512
a6b4013630655a6754b59e0cdb76d85a3a165bc8506ce55fd4aef99bf1790e7abc9dfa071dcd7ce0fcf528a9a483ff91f14fa7f8d80048a4e41c4c9f2d38cf68

Download Submit
C:\Users\Admin\xl\printerSettings\printerSettings1.bin

Filesize
5KB

MD5
9531b74b57444f1723c690b1872071e3

SHA1
b7bd7ebd98f5b3e14b47280feadc09b90cbd0d5c

SHA256
4da03a297fd24563e99a26ac4bc286091148fe6153a50946aa2334ecb6e26c6f

SHA512
c6a832337d63f722c42917efd13730abbe0b2f40d4605e3a07c0175b01ba26331cfbc0f6e0fd0af180156be8a61ee6c35089be2e5f35c340f10e717b2939a3d5

Download Submit
C:\Users\Admin\xl\sharedStrings.xml

Filesize
277B

MD5
16f0f2edfa4fd9aa4cae752cb696e99c

SHA1
2f3660eac4b3d1902770f843f88a463d847a7877

SHA256
5b6553b6782bf72365e23f0a344ed947a51949d338e87d3fe8e4e900f2d83c0e

SHA512
f9c03133ca0202f893fd1c95289ec987bfb933db027de01a6e5de1b0ff636221a747270ae12878bd86996844e4dec0a78215bf1407317334ddb009938ecdfe80

Download Submit
C:\Users\Admin\xl\styles.xml

Filesize
3KB

MD5
c392364f58f70a94ad0954dd8d600ea2

SHA1
7382e444d54c3a550f33adf2043188ca0a98f14b

SHA256
d928e7df06e66b397e6e18e3a0cf859f783e955e64e4c348382fc755c2d72b56

SHA512
9151e8a6039f3f4c779ec6988221803ea767513ff787a4f00bcd86e66e4e9216d50338edfad165095a6b00e6de39122c437b513c5c7e81cc535dda9db57fd8e6

Download Submit
C:\Users\Admin\xl\theme\theme1.xml

Filesize
8KB

MD5
e2f9dba7631be3d0f4bc36b8624e7461

SHA1
e22ee248db12f95b27690c4a13a176961cf24d12

SHA256
b16106f4229f6ece6d74426b3e73ff6a677df2908d2a06f76ef0329fa27c0282

SHA512
0b047df756d0acae99d38240d3a881bc94ae99748c45fc811a0f355bcf3c1ae4a4e14f0f5814909d45977c3acb9f4e6b35599c9b0b90499c957b65c4ef1d2e92

Download Submit
C:\Users\Admin\xl\workbook.xml

Filesize
2KB

MD5
03af3f7d6ffc78bce8ee479bb55e334a

SHA1
fdc5fd39d733049ad1983a964361631c890abbd5

SHA256
295d5a66d15cd1ea4a548b94439d05257f1622abfa5d65f831fd09d255aa3814

SHA512
567fa2f710fe2c61c15516cbd82d76e97d59578b700f3abe527edbbacd8fb321586e7da63ef529b7816719c27b2bad3a1622cc34c5af7783944b01f3a10105c1

Download Submit
C:\Users\Admin\xl\worksheets\_rels\sheet1.xml.rels

Filesize
299B

MD5
84544d82569111767d12019e66416d1e

SHA1
6f95f4be0de5b2ef6749e80f11813f84473f32e1

SHA256
ee9fa12d10c5ee0ae23c711aad3be36f1d99d87934a588aac4ecaf1028bdef16

SHA512
018bd3043fa87934e782e035b97ec39c21d7f3fd3e2f54ef8fe1d9dc48c127360ba4b2f97c7bff3c06c2395f13ac1039bfefecbada55df7c688eda8a372fe422

Download Submit
C:\Users\Admin\xl\worksheets\_rels\sheet2.xml.rels

Filesize
299B

MD5
81da7655851447470e1c26c2a49d1efd

SHA1
d95f6849a4c88bd76645b85ec523b05d40617c88

SHA256
8cbf659667dc36ce4ce997b47ab3ccbcee31e619e4909ecd7c03625203c7784b

SHA512
00679f1538092efcfab34de760ea3eaa10229730c053791546f7b11010207e28666aa611c9569a9a389d6970b27072edb947beb8c76e0034c4816dfeaaf4cdc9

Download Submit
C:\Users\Admin\xl\worksheets\sheet1.xml

Filesize
1KB

MD5
91f2ed251b9bfa1913b657d342813034

SHA1
e3656ed6fb26b2fdcd1057a3448db5e4307170ed

SHA256
d2030e540acdd035d0fb112f02378d0ac0b9eb4d3a8c94ef59b259359887fe34

SHA512
17de9cf7a131422e72128bfeeb3f58c9c3b0e12306259d622f2ef697515c9bff07a6393ceb7580b18702801927c9222253d668f9db2154536abbecd8e4570720

Download Submit
C:\Users\Admin\xl\worksheets\sheet2.xml

Filesize
938B

MD5
54988c5f27e54eac3dfc9127ee1162ce

SHA1
516fd4dcd8b0cc4f0f89b340b7c85e043a2ae190

SHA256
1647e65b4b909d9494be40f06b4e1beb7e7cadc8ccce7d37b16ee715d1d4c713

SHA512
59302d4ac9cc7961d97d049c9c4eaef6f6b4ca2b9fa53e76df16b84f94b3d1e9e3d02405373b480915c4857605a70807703317de9b9d1dfc7a321f87bfb5eb1a

Download Submit
memory/2312-68-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/2312-64-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/2312-56-0x0000000002BC0000-0x0000000002BF9000-memory.dmp

Filesize
228KB

Download
memory/2312-60-0x0000000002C00000-0x0000000002C37000-memory.dmp

Filesize
220KB

Download
memory/3144-63-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-12-0x00007FFCD5D90000-0x00007FFCD5DA0000-memory.dmp

Filesize
64KB

Download
memory/3144-16-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-17-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-19-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-18-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-15-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-2-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-69-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-3-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-4-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-14-0x00007FFCD5D90000-0x00007FFCD5DA0000-memory.dmp

Filesize
64KB

Download
memory/3144-0-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-66-0x00007FFD1870D000-0x00007FFD1870E000-memory.dmp

Filesize
4KB

Download
memory/3144-13-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-8-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-10-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-1-0x00007FFD1870D000-0x00007FFD1870E000-memory.dmp

Filesize
4KB

Download
memory/3144-67-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-178-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-179-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-11-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-180-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-182-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-9-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-181-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-7-0x00007FFCD86F0000-0x00007FFCD8700000-memory.dmp

Filesize
64KB

Download
memory/3144-5-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3144-6-0x00007FFD18670000-0x00007FFD18865000-memory.dmp

Filesize
2.0MB

Download
memory/3568-267-0x0000000002740000-0x0000000002783000-memory.dmp

Filesize
268KB

Download
memory/3568-262-0x0000000002700000-0x0000000002737000-memory.dmp

Filesize
220KB

Download
memory/3568-258-0x00000000026C0000-0x00000000026F9000-memory.dmp

Filesize
228KB

Download
memory/4040-65-0x0000020C0A350000-0x0000020C0A351000-memory.dmp

Filesize
4KB

Download