agenttesla | b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-en-20210920
submitted
27-09-2021 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.xlsx
Size

290KB
MD5

79dbf0cb4518f97174ee4535672a0a60
SHA1

5dd9de078a0945c39431df3bcb44151637331353
SHA256

b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
SHA512

8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af

Score

10^/10

agenttesla neshta keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
)fjqy!s9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Neshta Payload 10 IoCs

Processes:

resource	yara_rule
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\MALCOM~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-96-0x00000000004375EE-mapping.dmp	family_agenttesla
behavioral1/memory/2040-93-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2040-98-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 772 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

vbc.exevbc.exesvchost.comsvchost.comvbc.exevbc.exevbc.exe

pid process

1288 vbc.exe
840 vbc.exe
1720 svchost.com
1680 svchost.com
1588 vbc.exe
1696 vbc.exe
2040 vbc.exe
Loads dropped DLL 9 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exe

pid process

772 EQNEDT32.EXE
772 EQNEDT32.EXE
772 EQNEDT32.EXE
772 EQNEDT32.EXE
1288 vbc.exe
1288 vbc.exe
840 vbc.exe
840 vbc.exe
840 vbc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	772	EQNEDT32.EXE

pid	process
1288	vbc.exe
840	vbc.exe
1720	svchost.com
1680	svchost.com
1588	vbc.exe
1696	vbc.exe
2040	vbc.exe

pid	process
772	EQNEDT32.EXE
772	EQNEDT32.EXE
772	EQNEDT32.EXE
772	EQNEDT32.EXE
1288	vbc.exe
1288	vbc.exe
840	vbc.exe
840	vbc.exe
840	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\NLKBQYR = "C:\\Users\\Admin\\AppData\\Roaming\\NLKBQYR\\NLKBQYR.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 840 set thread context of 2040 840 vbc.exe vbc.exe

description	pid	process	target process
PID 840 set thread context of 2040	840	vbc.exe	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vbc.exe

Drops file in Windows directory 5 IoCs

Processes:

vbc.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	vbc.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1644 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

772 EQNEDT32.EXE

pid	process
1644	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
772	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1612 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exevbc.exepowershell.exe

pid process

840 vbc.exe
840 vbc.exe
840 vbc.exe
840 vbc.exe
2040 vbc.exe
2040 vbc.exe
1468 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 840 vbc.exe
Token: SeDebugPrivilege 2040 vbc.exe
Token: SeDebugPrivilege 1468 powershell.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEvbc.exe

pid process

1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
1612 EXCEL.EXE
2040 vbc.exe

pid	process
1612	EXCEL.EXE

pid	process
840	vbc.exe
840	vbc.exe
840	vbc.exe
840	vbc.exe
2040	vbc.exe
2040	vbc.exe
1468	powershell.exe

description	pid	process
Token: SeDebugPrivilege	840	vbc.exe
Token: SeDebugPrivilege	2040	vbc.exe
Token: SeDebugPrivilege	1468	powershell.exe

pid	process
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE
2040	vbc.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exesvchost.comsvchost.com

description	pid	process	target process
PID 772 wrote to memory of 1288	772	EQNEDT32.EXE	vbc.exe
PID 772 wrote to memory of 1288	772	EQNEDT32.EXE	vbc.exe
PID 772 wrote to memory of 1288	772	EQNEDT32.EXE	vbc.exe
PID 772 wrote to memory of 1288	772	EQNEDT32.EXE	vbc.exe
PID 1288 wrote to memory of 840	1288	vbc.exe	vbc.exe
PID 1288 wrote to memory of 840	1288	vbc.exe	vbc.exe
PID 1288 wrote to memory of 840	1288	vbc.exe	vbc.exe
PID 1288 wrote to memory of 840	1288	vbc.exe	vbc.exe
PID 840 wrote to memory of 1720	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1720	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1720	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1720	840	vbc.exe	svchost.com
PID 1720 wrote to memory of 1468	1720	svchost.com	powershell.exe
PID 1720 wrote to memory of 1468	1720	svchost.com	powershell.exe
PID 1720 wrote to memory of 1468	1720	svchost.com	powershell.exe
PID 1720 wrote to memory of 1468	1720	svchost.com	powershell.exe
PID 840 wrote to memory of 1680	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1680	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1680	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1680	840	vbc.exe	svchost.com
PID 840 wrote to memory of 1588	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1588	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1588	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1588	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1696	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1696	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1696	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 1696	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 840 wrote to memory of 2040	840	vbc.exe	vbc.exe
PID 1680 wrote to memory of 1644	1680	svchost.com	schtasks.exe
PID 1680 wrote to memory of 1644	1680	svchost.com	schtasks.exe
PID 1680 wrote to memory of 1644	1680	svchost.com	schtasks.exe
PID 1680 wrote to memory of 1644	1680	svchost.com	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DasQupfvgQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC947.tmp"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ /XML C:\Users\Admin\AppData\Local\Temp\tmpC947.tmp
5⤵
- Creates scheduled task(s)
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scheduled Task

T1053

Scripting

T1064

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\MALCOM~1.EXE
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
6c79e96f3a7e9eff998aeecd796f7c6a

SHA1
6de5f2785014f956f118b0996fc18709d87dfea7

SHA256
8c0d54d02b6561c769008c6d876e0c77bc24799405660b6f62e49b974f234624

SHA512
b3085e4c1dade42b311a9f80f9b80bf3e93a3fe84590dfdc1135ef3bb6a86cbcbd35199a599d90d56a69ea51ed4af5a8b35a2712e83903932df28e107cc9dcdb

Download Submit
C:\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Windows\directx.sys
MD5
7779b7aac555eb734d1d878a0dfce1e2

SHA1
4216e4f627f3933d918ae4b86683e205e630d3a5

SHA256
62263e548942d1b55bc1f1c79489ddf0fc111a11df3660b30e202a8472fc7331

SHA512
e9608bb14045f4789c367771fd2a043a13e9732dd3daa4bd41bed753f46d9e0334d4af9bff59a755e8511988dea3b3a88f887940a09668eff07eb7e4b2ad209b

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
memory/772-57-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/840-76-0x0000000005150000-0x00000000051C2000-memory.dmp

Filesize
456KB

Download
memory/840-70-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/840-77-0x0000000004A90000-0x0000000004AD5000-memory.dmp

Filesize
276KB

Download
memory/840-67-0x0000000000000000-mapping.dmp

Download
memory/840-73-0x0000000000540000-0x000000000055D000-memory.dmp

Filesize
116KB

Download
memory/840-72-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1288-62-0x0000000000000000-mapping.dmp

Download
memory/1468-82-0x0000000000000000-mapping.dmp

Download
memory/1468-103-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/1468-104-0x0000000004BE0000-0x0000000004CE4000-memory.dmp

Filesize
1.0MB

Download
memory/1468-100-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/1468-101-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/1612-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1612-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1612-55-0x0000000071B41000-0x0000000071B43000-memory.dmp

Filesize
8KB

Download
memory/1612-54-0x000000002F231000-0x000000002F234000-memory.dmp

Filesize
12KB

Download
memory/1644-95-0x0000000000000000-mapping.dmp

Download
memory/1680-85-0x0000000000000000-mapping.dmp

Download
memory/1720-79-0x0000000000000000-mapping.dmp

Download
memory/2040-102-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2040-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-96-0x00000000004375EE-mapping.dmp

Download
memory/2040-106-0x0000000004CB1000-0x0000000004CB2000-memory.dmp

Filesize
4KB

Download