Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 27-09-2021 05:12
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.xlsx
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Purchase Order.xlsx
- Resource: win10v20210408
General
- Target: Purchase Order.xlsx
- Size: 290KB
- MD5: 79dbf0cb4518f97174ee4535672a0a60
- SHA1: 5dd9de078a0945c39431df3bcb44151637331353
- SHA256: b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
- SHA512: 8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: )fjqy!s9
The extracted configuration is the stealer's exfiltration channel: harvested credentials are sent as e-mail through this SMTP account, so outbound TCP/587 to this host from a process that is not a mail client is the network indicator to hunt for.
Signatures
-
AgentTesla
Agent Tesla is a .NET information stealer and keylogger sold as a remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and sends them out over SMTP (as configured here), FTP or HTTP.
-
Detect Neshta Payload 10 IoCs
Processes:
resource / yara_rule
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
C:\Users\Public\vbc.exe  family_neshta
C:\Users\Public\vbc.exe  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\MALCOM~1.EXE  family_neshta
C:\Windows\svchost.com  family_neshta
C:\Windows\svchost.com  family_neshta
C:\Windows\svchost.com  family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description / ioc / process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  vbc.exe
The stock data for this value is "%1" %*. Pointing it at C:\Windows\svchost.com makes the shell hand every .exe launch to the Neshta loader first, which is why svchost.com appears as the parent of powershell.exe and schtasks.exe in the process tree further down.
-
Neshta
Neshta is a file infector: it inserts its own code into other executables so that it runs whenever an infected program is started, and it installs a copy of itself as C:\Windows\svchost.com. In this run C:\Users\Public\vbc.exe is the infected host; when it executes it writes the original, uninfected program to C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe (the Agent Tesla payload, see the memory dumps for PID 2040 below) and launches it. The many "File opened for modification" events under Program Files are the infector touching other executables on the system.
-
AgentTesla Payload 3 IoCs
Processes:
resource / yara_rule
behavioral1/memory/2040-96-0x00000000004375EE-mapping.dmp  family_agenttesla
behavioral1/memory/2040-93-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
behavioral1/memory/2040-98-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
All three hits are in PID 2040, the last vbc.exe child whose thread context PID 840 sets (see below): the Agent Tesla image is unpacked into the hollowed child at 0x400000 and never written to disk in that form.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow / pid / process
4  772  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
pid / process
1288  vbc.exe
840  vbc.exe
1720  svchost.com
1680  svchost.com
1588  vbc.exe
1696  vbc.exe
2040  vbc.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid / process
772  EQNEDT32.EXE (4 events)
1288  vbc.exe (2 events)
840  vbc.exe (3 events)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
This signature fires on the image name vbc.exe. Here vbc.exe is not the Visual Basic compiler but the downloaded payload saved as C:\Users\Public\vbc.exe (see Downloads); the legitimate compiler lives under the .NET Framework directory, not in C:\Users\Public.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description / ioc / process
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\NLKBQYR = "C:\\Users\\Admin\\AppData\\Roaming\\NLKBQYR\\NLKBQYR.exe"  vbc.exe
-
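The exefile association hijack and the Run key above are the two registry events a host-based check should look for. The following Python is an added example written for this page, not code from the sandbox or from the malware: it runs the two checks over a constructed list of Set value events written in the report's own notation (the two real events plus two benign controls, labelled in the code). The key paths, value names and data are taken from the report; the sample event list, the stock-value comparison and the user-writable-directory heuristic are the example's own assumptions.

```python
from typing import List, Optional, Tuple

# Stock data of HKLM\SOFTWARE\Classes\exefile\shell\open\command on a clean Windows install.
DEFAULT_EXEFILE_CMD = '"%1" %*'

# Directories a legitimate Run entry rarely points into (user-writable, no admin rights needed).
# Heuristic chosen for this example; forward slashes because _norm() rewrites the separators.
USER_WRITABLE = ("/appdata/roaming/", "/appdata/local/temp/", "/users/public/")

# Constructed sample of registry Set value events as (key, value name, data). The first two
# reproduce the report's events (the trailing "\" in the report marks the default value, given
# here as value name ""); the last two are benign controls invented for the example.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command", "",
     r'C:\Windows\svchost.com "%1" %*'),
    (r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run", "NLKBQYR",
     r"C:\Users\Admin\AppData\Roaming\NLKBQYR\NLKBQYR.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command", "", '"%1" %*'),
    (r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]


def _norm(path: str) -> str:
    """Lower-case and use forward slashes so substring checks ignore case and separator style."""
    return path.replace("\\", "/").lower().rstrip("/")


def check_exefile_command(data: str) -> Optional[str]:
    """Return the program interposed before "%1", or None when the association is stock.

    Anything other than the stock string means every .exe launch is routed through that program,
    which is exactly what the Neshta loader relies on."""
    data = data.strip()
    if data == DEFAULT_EXEFILE_CMD:
        return None
    interposed = data.split('"%1"', 1)[0].strip()
    return interposed or data  # no "%1" at all: report the whole value


def check_run_value(name: str, data: str) -> Optional[str]:
    """Flag Run entries whose target executable lives in a user-writable directory."""
    target = _norm(data)
    for directory in USER_WRITABLE:
        if directory in target:
            return f"Run value {name} launches {data} from a user-writable path"
    return None


def scan(events) -> List[Tuple[str, str]]:
    """Apply both checks to (key, value name, data) events; returns (rule, detail) findings."""
    findings = []
    for key, name, data in events:
        key_norm = _norm(key)
        if key_norm.endswith("/classes/exefile/shell/open/command"):
            hit = check_exefile_command(data)
            if hit:
                findings.append(("exefile_hijack", hit))
        elif key_norm.endswith("/software/microsoft/windows/currentversion/run"):
            hit = check_run_value(name, data)
            if hit:
                findings.append(("run_key_userwritable", hit))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On a live host the same two checks can be fed from the output of reg query on HKLM\SOFTWARE\Classes\exefile\shell\open\command and HKCU\...\CurrentVersion\Run, or from Sysmon event ID 13 records; the comparison against the stock value is the important part, since any interposed program, not just svchost.com, is a hijack.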
Suspicious use of SetThreadContext 1 IoCs
Processes:
description / pid / process / target process
PID 840 set thread context of 2040  840 vbc.exe  2040 vbc.exe
PID 840 launches a copy of its own image (PID 2040) and then sets its main thread context: the standard process-hollowing sequence (create suspended, write the payload with WriteProcessMemory, SetThreadContext, resume). The nine WriteProcessMemory events from 840 to 2040 listed below, against four for each of the other children, are the payload being written in.
-
Drops file in Program Files directory 64 IoCs
Processes:
All 64 events are "File opened for modification" by vbc.exe (paths in 8.3 short form as logged):
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
-
Drops file in Windows directory 5 IoCs
Processes:
description / ioc / process
File opened for modification  C:\Windows\svchost.com  vbc.exe
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour; for a file infector it is equally consistent with walking the drives for executables to infect, which matches the Program Files modifications above.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 1644 registers the task Updates\DasQupfvgQ from the XML definition C:\Users\Admin\AppData\Local\Temp\tmpC947.tmp (see the process tree); the task body is in that temporary file, which the report's download list does not include.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description / ioc / process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out of process through COM (note the -Embedding switch), so EQNEDT32.EXE appears at the top level of the process tree rather than under EXCEL.EXE. The child it spawns (C:\Users\Public\vbc.exe, PID 1288) is the exploitation indicator: Equation Editor has no legitimate reason to create processes.
-
Modifies Internet Explorer settings
Processes:
All events are by EXCEL.EXE. HKLM_IE stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer and HKU_IE for \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer. Hex data W (UTF-16LE) = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Set value (str)  HKLM_IE\Default HTML Editor\shell\edit\ = "&Edit"
Set value (str)  HKLM_IE\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Set value (str)  HKU_IE\Toolbar\ShowDiscussionButton = "Yes"
Set value (str)  HKLM_IE\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key deleted  HKLM_IE\Default MHTML Editor\shell
Key deleted  HKLM_IE\Default MHTML Editor\shell\edit\COMMAND
Key deleted  HKLM_IE\Default HTML Editor\shell\edit
Key created  HKLM_IE\Default HTML Editor\shell
Key created  HKLM_IE\Default HTML Editor\shell\edit\command
Key created  HKLM_IE\Default HTML Editor
Key created  HKLM_IE\Default MHTML Editor
Set value (data)  HKLM_IE\Default MHTML Editor\shell\edit\command\command = W
Key deleted  HKLM_IE\Default HTML Editor
Key created  HKLM_IE\Default HTML Editor\shell\edit
Key created  HKLM_IE\Default MHTML Editor\shell
Key created  HKU_IE\MenuExt
Key created  HKU_IE\MenuExt\Se&nd to OneNote
Key deleted  HKLM_IE\Default HTML Editor\shell\edit\COMMAND
Set value (str)  HKLM_IE\Default MHTML Editor\shell\edit\ = "&Edit"
Key created  HKU_IE\Toolbar
Key deleted  HKLM_IE\Default HTML Editor\shell
Key created  HKLM_IE\Default MHTML Editor\shell\edit
Set value (data)  HKLM_IE\Default HTML Editor\shell\edit\command\command = W
Key deleted  HKLM_IE\Default MHTML Editor\shell\edit
Set value (str)  HKU_IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int)  HKU_IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key deleted  HKLM_IE\Default MHTML Editor
Key created  HKLM_IE\Default MHTML Editor\shell\edit\command
Set value (str)  HKU_IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int)  HKU_IE\MenuExt\Se&nd to OneNote\Contexts = "55"
Key created  HKU_IE\MenuExt\E&xport to Microsoft Excel
These are Office's own registrations (HTML/MHTML editor handlers and the Internet Explorer menu extensions for Excel and OneNote) made by the benign host process, not attacker activity; the Set value (data) entries are UTF-16LE strings stored as binary.
-
Modifies registry class 64 IoCs
Processes:
All events are by EXCEL.EXE and all keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\ (omitted below). Hex data (UTF-16LE) referenced below:
W = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
X = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
P = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
Set value (str)  .mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Key created  htmlfile\shell
Set value (str)  .mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
Set value (str)  .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
Set value (str)  .htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Set value (str)  .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created  Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
Key created  .htm\OpenWithList\WinWord.exe\shell\edit\command
Set value (str)  .htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created  .htm\OpenWithList\Microsoft Excel\shell\edit
Set value (str)  mhtmlfile\shell\Print\ = "&Print"
Key deleted  htmlfile\shell\Print
Set value (str)  htmlfile\shell\Print\ = "&Print"
Key created  .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Key created  .mht\OpenWithList\WinWord.exe\shell\edit\command
Key created  htmlfile\shell\Edit\command
Set value (str)  .htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
Set value (str)  .htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
Key deleted  mhtmlfile\shell\Print
Key created  .mht\OpenWithList\Microsoft Word
Key created  .htm\OpenWithList\Excel.exe\shell\edit\command
Key created  .htm\OpenWithList\Excel.exe\shell\edit\ddeexec
Key created  mhtmlfile\shell\Edit\command
Key created  .mht
Key created  .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
Key created  .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
Set value (str)  .htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Key created  .htm\OpenWithList\Microsoft Excel\shell\edit\command
Key created  .htm\OpenWithList\Microsoft Publisher\shell\edit\command
Set value (str)  .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created  htmlfile
Key created  htmlfile\shell\Print
Set value (data)  .mht\OpenWithList\Excel.exe\shell\edit\command\command = X
Key created  .htm\OpenWithList\Microsoft Excel
Key created  mhtmlfile\shell
Key deleted  mhtmlfile\shell\Edit\command
Key created  .mht\OpenWithList\Microsoft Word\shell\edit\command
Set value (data)  .mht\OpenWithList\Microsoft Excel\shell\edit\command\command = X
Key created  Wow6432Node\CLSID
Key created  .htm\OpenWithList\Microsoft Word\shell\edit\command
Key created  .htm
Set value (data)  .htm\OpenWithList\Microsoft Excel\shell\edit\command\command = X
Key created  .mht\OpenWithList\Excel.exe\shell\edit\ddeexec
Set value (str)  .mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
Set value (str)  .htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Key created  .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
Set value (str)  .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
Key created  .mht\OpenWithList\MSPub.exe
Key created  htmlfile\DefaultIcon
Key created  .mht\OpenWithList\Microsoft Excel\shell\edit\command
Key created  mhtmlfile\shell\Print
Key created  mhtmlfile\shellex\IconHandler
Set value (str)  .mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
Key created  .htm\OpenWithList\WinWord.exe
Set value (data)  .htm\OpenWithList\Excel.exe\shell\edit\command\command = X
Set value (data)  .htm\OpenWithList\MSPub.exe\shell\edit\command\command = P
Key created  mhtmlfile\shell\Print\command
Set value (data)  .htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = P
Set value (str)  mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
Set value (str)  .mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key deleted  htmlfile\shell\Edit\command
Set value (data)  .htm\OpenWithList\WinWord.exe\shell\edit\command\command = W
Set value (str)  .mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
Key created  .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
-
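The Set value (data) entries in the Internet Explorer and registry class sections store hex-encoded binary data, which an analyst skimming the report may take for obfuscated attacker configuration. Decoding them as UTF-16LE shows Windows Installer descriptors that Office writes for its advertised verbs. The following Python is an added example for this page, not sandbox or vendor code: it decodes the three distinct blobs copied from the entries above and splits each into its descriptor fields. The descriptor layout it assumes (20-character compressed product GUID, feature name, '>', 20-character compressed component GUID, optional arguments after a space) is the example's own reading of the Windows Installer format and is not stated anywhere in the report.

```python
import re
from typing import Dict, List, Optional

# The three distinct REG_BINARY "command" values from the report, copied as hex.
WORD_BLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
             "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
             "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000")
EXCEL_BLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
              "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
              "3800270077002100460049006400310067004c00510020002f0064006400650000000000")
PUB_BLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
            "5000750062005000720069006d006100720079003e00520024006e0075006a005300570046006500"
            "3f007d0061004c00720052007000390078004000570020002500310000000000")

# Assumed layout of a Windows Installer "Darwin descriptor" as Office stores it for advertised
# verbs: 20-char compressed product GUID, feature name, '>', 20-char compressed component GUID,
# then optional command-line arguments after a single space.
DESCRIPTOR_RE = re.compile(
    r"^(?P<product>.{20})(?P<feature>[^>]+)>(?P<component>.{20})(?: (?P<args>.*))?$"
)


def decode_reg_hex(hex_data: str) -> List[str]:
    """Decode a hex-dumped REG_SZ/REG_MULTI_SZ value: UTF-16LE, NUL-separated, double-NUL terminated."""
    text = bytes.fromhex(hex_data).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def parse_descriptor(text: str) -> Optional[Dict[str, str]]:
    """Split a descriptor into its parts; None when the string is not shaped like one."""
    match = DESCRIPTOR_RE.match(text)
    return match.groupdict(default="") if match else None


def describe_command_blob(hex_data: str) -> Dict[str, str]:
    """Decode one 'command' value and classify it as a descriptor or a plain string."""
    strings = decode_reg_hex(hex_data)
    text = strings[0] if strings else ""
    parts = parse_descriptor(text) or {}
    return {"text": text, "kind": "darwin_descriptor" if parts else "plain", **parts}


if __name__ == "__main__":
    for label, blob in (("Word", WORD_BLOB), ("Excel", EXCEL_BLOB), ("Publisher", PUB_BLOB)):
        print(label, describe_command_blob(blob))
```

All three blobs share the same 20-character product prefix and differ only in the feature name (WORDFiles, EXCELFiles, PubPrimary), component and arguments (/n "%1", /dde, %1), which is what one expects from a single Office installation registering three of its applications. A value under one of these keys that decodes to a path outside the Office directory, or that is not shaped like a descriptor at all, would be the thing worth chasing.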
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid / process
1612  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid / process
840  vbc.exe (4 events)
2040  vbc.exe (2 events)
1468  powershell.exe (1 event)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description / pid / process
Token: SeDebugPrivilege  840  vbc.exe
Token: SeDebugPrivilege  2040  vbc.exe
Token: SeDebugPrivilege  1468  powershell.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid / process
1612  EXCEL.EXE (5 events)
2040  vbc.exe (1 event)
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
source pid (process) wrote to memory of target pid (process): number of events
772 (EQNEDT32.EXE) wrote to 1288 (vbc.exe): 4
1288 (vbc.exe) wrote to 840 (vbc.exe): 4
840 (vbc.exe) wrote to 1720 (svchost.com): 4
1720 (svchost.com) wrote to 1468 (powershell.exe): 4
840 (vbc.exe) wrote to 1680 (svchost.com): 4
840 (vbc.exe) wrote to 1588 (vbc.exe): 4
840 (vbc.exe) wrote to 1696 (vbc.exe): 4
840 (vbc.exe) wrote to 2040 (vbc.exe): 9
1680 (svchost.com) wrote to 1644 (schtasks.exe): 4
Processes
Nesting follows the report's depth markers. The two C:\Windows\svchost.com entries are consistent with the hijacked exefile association from the Signatures section at work: PID 840 launched powershell.exe and schtasks.exe, each launch was routed through svchost.com, and svchost.com then started the real program as its child.

[1] EXCEL.EXE, PID 1612
    Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] EQNEDT32.EXE, PID 772
    Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

  [2] vbc.exe, PID 1288 (parent: 772 EQNEDT32.EXE)
      Image: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] vbc.exe, PID 840 (parent: 1288)
        Image: C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] svchost.com, PID 1720 (parent: 840)
          Image: C:\Windows\svchost.com
          Command line: "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

        [5] powershell.exe, PID 1468 (parent: 1720)
            Image: C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
            Command line: C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] svchost.com, PID 1680 (parent: 840)
          Image: C:\Windows\svchost.com
          Command line: "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DasQupfvgQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC947.tmp"
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

        [5] schtasks.exe, PID 1644 (parent: 1680)
            Image: C:\Windows\SysWOW64\schtasks.exe
            Command line: C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ /XML C:\Users\Admin\AppData\Local\Temp\tmpC947.tmp
            - Creates scheduled task(s)

      [4] vbc.exe, PID 1588 (parent: 840)
          Image: C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          - Executes dropped EXE

      [4] vbc.exe, PID 1696 (parent: 840)
          Image: C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          - Executes dropped EXE

      [4] vbc.exe, PID 2040 (parent: 840)
          Image: C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
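The process tree above is the part of the report most worth turning into detection logic: Equation Editor spawning a process, the Neshta loader interposed on every launch, the Defender exclusion added from the command line, the scheduled task registered from an XML file in %TEMP%, and the payload re-launching its own image before the SetThreadContext call. The Python below is an added example for this page, not sandbox output or detection content from any vendor. Its event list is constructed by hand from the tree above (PIDs, images and command lines as shown; the parent PIDs of the two top-level processes are set to 0 because the report does not give them); the five rules and the user-writable-path heuristic are the example's own.

```python
from typing import List, Tuple

# Constructed process-creation events mirroring the tree above: (pid, ppid, image, command line).
# ppid 0 marks processes the report shows at the top level. These are not sandbox log lines.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PAYLOAD = TEMP + r"\3582-490\vbc.exe"
EVENTS = [
    (1612, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "' + TEMP + r'\Purchase Order.xlsx"'),
    (772, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    (1288, 772, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    (840, 1288, PAYLOAD, f'"{PAYLOAD}"'),
    (1720, 840, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" '
     f'Add-MpPreference -ExclusionPath "{PAYLOAD}"'),
    (1468, 1720, r"C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe",
     r"C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath " + PAYLOAD),
    (1680, 840, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DasQupfvgQ" /XML "'
     + TEMP + r'\tmpC947.tmp"'),
    (1644, 1680, r"C:\Windows\SysWOW64\schtasks.exe",
     r"C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ /XML " + TEMP + r"\tmpC947.tmp"),
    (1588, 840, PAYLOAD, f'"{PAYLOAD}"'),
    (1696, 840, PAYLOAD, f'"{PAYLOAD}"'),
    (2040, 840, PAYLOAD, f'"{PAYLOAD}"'),
]

# Directories a dropped payload typically lives in (heuristic chosen for this example, lower-case).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(directory in lowered for directory in USER_WRITABLE)


def analyse(events) -> List[Tuple[int, str]]:
    """Run the five rules over the events; returns (pid, reason) findings."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmd in events:
        parent = image_of.get(ppid, "")
        low = cmd.lower()
        # Equation Editor never has a reason to create processes.
        if base(parent) == "eqnedt32.exe":
            findings.append((pid, "child of Equation Editor: CVE-2017-11882-style exploitation"))
        # A .com named like the service host in C:\Windows is the Neshta loader from the exefile hijack.
        if base(image) == "svchost.com":
            findings.append((pid, "Neshta loader (C:\\Windows\\svchost.com) interposed in a process launch"))
        # Defender exclusion added non-interactively.
        if base(image) == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
            findings.append((pid, "Defender exclusion added from the command line"))
        # Task definition supplied as an XML file dropped in %TEMP%.
        if base(image) == "schtasks.exe" and "/create" in low and "/xml" in low and r"\appdata\local\temp" in low:
            findings.append((pid, "scheduled task created from an XML file in %TEMP%"))
        # Parent re-launches its own image from a drop directory: hollowing target candidate.
        if parent and image.lower() == parent.lower() and in_user_writable(image):
            findings.append((pid, "re-launch of the parent's own image from a user-writable path (hollowing candidate)"))
    return findings


def ancestry(events, pid: int) -> List[int]:
    """PIDs from the given process up to its top-level ancestor."""
    parent_of = {p: pp for p, pp, _, _ in events}
    chain = [pid]
    while parent_of.get(chain[-1], 0):
        chain.append(parent_of[chain[-1]])
    return chain


if __name__ == "__main__":
    for pid, reason in analyse(EVENTS):
        print(pid, " <- ".join(map(str, ancestry(EVENTS, pid))), reason)
```

Run on the constructed events the rules flag eight of the eleven processes, and every flagged process chains back to PID 772 (EQNEDT32.EXE); EXCEL.EXE and EQNEDT32.EXE themselves are not flagged, so the alert hinges on what Equation Editor spawned rather than on Office being open. The same functions apply unchanged to Sysmon event ID 1 records once they are mapped to (pid, ppid, image, command line) tuples.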
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\MALCOM~1.EXE
MD5 1ad95ef0201298ba4966062d800ae957
SHA1 855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256 784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512 fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
(The file downloaded into the Internet Explorer cache by the EQNEDT32.EXE network request; same hashes as C:\Users\Public\vbc.exe below.)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe (this path appears five times in the report's download list; the Agent Tesla payload extracted by the Neshta-infected host)
MD5 6427002ddf28933e5df19b7b8dcb159a
SHA1 138ff1f042b2f5984a8b57939d8586b26127e729
SHA256 4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512 cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09
-
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5 6c79e96f3a7e9eff998aeecd796f7c6a
SHA1 6de5f2785014f956f118b0996fc18709d87dfea7
SHA256 8c0d54d02b6561c769008c6d876e0c77bc24799405660b6f62e49b974f234624
SHA512 b3085e4c1dade42b311a9f80f9b80bf3e93a3fe84590dfdc1135ef3bb6a86cbcbd35199a599d90d56a69ea51ed4af5a8b35a2712e83903932df28e107cc9dcdb
-
C:\Users\Public\vbc.exe (this path appears twice in the report's download list; the Neshta-infected dropper run by EQNEDT32.EXE)
MD5 1ad95ef0201298ba4966062d800ae957
SHA1 855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256 784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512 fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
C:\Users\Public\vbc.exeMD5
1ad95ef0201298ba4966062d800ae957
SHA1855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
C:\Windows\directx.sysMD5
7779b7aac555eb734d1d878a0dfce1e2
SHA14216e4f627f3933d918ae4b86683e205e630d3a5
SHA25662263e548942d1b55bc1f1c79489ddf0fc111a11df3660b30e202a8472fc7331
SHA512e9608bb14045f4789c367771fd2a043a13e9732dd3daa4bd41bed753f46d9e0334d4af9bff59a755e8511988dea3b3a88f887940a09668eff07eb7e4b2ad209b
-
C:\Windows\svchost.comMD5
ac3aa03e4370013a0dfd295363e22ec7
SHA1320ad9813cd7be1a24f2b530af1edc52f5ea76b1
SHA256821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181
SHA512e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8
-
C:\Windows\svchost.comMD5
ac3aa03e4370013a0dfd295363e22ec7
SHA1320ad9813cd7be1a24f2b530af1edc52f5ea76b1
SHA256821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181
SHA512e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8
-
C:\Windows\svchost.comMD5
ac3aa03e4370013a0dfd295363e22ec7
SHA1320ad9813cd7be1a24f2b530af1edc52f5ea76b1
SHA256821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181
SHA512e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
6427002ddf28933e5df19b7b8dcb159a
SHA1138ff1f042b2f5984a8b57939d8586b26127e729
SHA2564b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
6427002ddf28933e5df19b7b8dcb159a
SHA1138ff1f042b2f5984a8b57939d8586b26127e729
SHA2564b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
6427002ddf28933e5df19b7b8dcb159a
SHA1138ff1f042b2f5984a8b57939d8586b26127e729
SHA2564b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
6427002ddf28933e5df19b7b8dcb159a
SHA1138ff1f042b2f5984a8b57939d8586b26127e729
SHA2564b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09
-
\Users\Public\vbc.exeMD5
1ad95ef0201298ba4966062d800ae957
SHA1855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
\Users\Public\vbc.exeMD5
1ad95ef0201298ba4966062d800ae957
SHA1855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
\Users\Public\vbc.exeMD5
1ad95ef0201298ba4966062d800ae957
SHA1855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
\Users\Public\vbc.exeMD5
1ad95ef0201298ba4966062d800ae957
SHA1855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba
-
memory/772-57-0x0000000076B61000-0x0000000076B63000-memory.dmpFilesize
8KB
-
memory/840-76-0x0000000005150000-0x00000000051C2000-memory.dmpFilesize
456KB
-
memory/840-70-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/840-77-0x0000000004A90000-0x0000000004AD5000-memory.dmpFilesize
276KB
-
memory/840-67-0x0000000000000000-mapping.dmp
-
memory/840-73-0x0000000000540000-0x000000000055D000-memory.dmpFilesize
116KB
-
memory/840-72-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/1288-62-0x0000000000000000-mapping.dmp
-
memory/1468-82-0x0000000000000000-mapping.dmp
-
memory/1468-103-0x00000000024B0000-0x00000000030FA000-memory.dmpFilesize
12.3MB
-
memory/1468-104-0x0000000004BE0000-0x0000000004CE4000-memory.dmpFilesize
1.0MB
-
memory/1468-100-0x00000000024B0000-0x00000000030FA000-memory.dmpFilesize
12.3MB
-
memory/1468-101-0x00000000024B0000-0x00000000030FA000-memory.dmpFilesize
12.3MB
-
memory/1612-105-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1612-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1612-55-0x0000000071B41000-0x0000000071B43000-memory.dmpFilesize
8KB
-
memory/1612-54-0x000000002F231000-0x000000002F234000-memory.dmpFilesize
12KB
-
memory/1644-95-0x0000000000000000-mapping.dmp
-
memory/1680-85-0x0000000000000000-mapping.dmp
-
memory/1720-79-0x0000000000000000-mapping.dmp
-
memory/2040-102-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/2040-98-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2040-93-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2040-96-0x00000000004375EE-mapping.dmp
-
memory/2040-106-0x0000000004CB1000-0x0000000004CB2000-memory.dmpFilesize
4KB