Analysis

max time kernel: 150s
max time network: 95s
platform: windows7_x64
resource: win7v20210408
submitted: 27-09-2021 07:20

Static task: static1
Behavioral task: behavioral1 (Sample: Purchase Order.xlsx; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Purchase Order.xlsx; Resource: win10-en-20210920)

The signatures, process tree, dropped files and memory dumps below come from behavioral1 (Windows 7 x64); the YARA hit paths are prefixed behavioral1/.

General

Target: Purchase Order.xlsx
Size: 290KB
MD5: 79dbf0cb4518f97174ee4535672a0a60
SHA1: 5dd9de078a0945c39431df3bcb44151637331353
SHA256: b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
SHA512: 8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: )fjqy!s9

This is the stealer's exfiltration mailbox: AgentTesla sends the data it collects to this account over SMTP, so outbound workstation connections to us2.smtp.mailhostbox.com on TCP 587 are the network indicator for this sample.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). In this run the final payload lives in PID 868, a second instance of C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe that the loader (PID 1640) starts and then overwrites (SetThreadContext plus nine WriteProcessMemory calls, i.e. process hollowing); the family_agenttesla YARA hits are on that process's 0x00400000-0x0043C000 image region, and the SMTP credentials in the Malware Config section are its exfiltration configuration. The loader also registers the scheduled task Updates\DasQupfvgQ and adds a Windows Defender path exclusion for itself via Add-MpPreference, and the hollowed process writes the Run value NLKBQYR for persistence.

Detect Neshta Payload 10 IoCs
Processes (resource / yara_rule):
- \Users\Public\vbc.exe: family_neshta (4 hits)
- C:\Users\Public\vbc.exe: family_neshta (2 hits)
- C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\L1Y3K90W\MALCOM~1.EXE: family_neshta
- C:\Windows\svchost.com: family_neshta (3 hits)

Modifies system executable filetype association 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (vbc.exe)

Neshta
Neshta is a file-infecting virus: it writes itself into executables it finds on the host, installs a copy as C:\Windows\svchost.com, and points the exefile shell\open\command at that copy so that every EXE launched afterwards runs through the infector first. That hijack is visible in this trace: the PowerShell and schtasks launches from PID 1640 appear as children of C:\Windows\svchost.com (PIDs 1744 and 1476). The 64 "File opened for modification" entries under Program Files are Neshta touching further host executables, and C:\Windows\directx.sys, written by svchost.com, is a Neshta artifact rather than a DirectX driver. The file at C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe is the original program that the infected C:\Users\Public\vbc.exe extracts and runs; here that original is the AgentTesla loader.

AgentTesla Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/868-100-0x00000000004375EE-mapping.dmp: family_agenttesla
- behavioral1/memory/868-98-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/868-103-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla

Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
- flow 5: 768 EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 5 IoCs
Processes (pid / process):
- 1696 vbc.exe
- 1640 vbc.exe
- 1744 svchost.com
- 1476 svchost.com
- 868 vbc.exe

Loads dropped DLL 9 IoCs
Processes (pid / process):
- 768 EQNEDT32.EXE (4 hits)
- 1696 vbc.exe (4 hits)
- 1640 vbc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Uses the VBS compiler for execution 1 TTPs
This signature fires on the file name alone: vbc.exe is the name of the .NET Visual Basic compiler, but the files at C:\Users\Public\vbc.exe and C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe in this run are the dropped payloads (see "Executes dropped EXE" and the Neshta YARA hits above), not the compiler from the .NET Framework directory.

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NLKBQYR = "C:\\Users\\Admin\\AppData\\Roaming\\NLKBQYR\\NLKBQYR.exe" (vbc.exe)

Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1640 (vbc.exe) set thread context of PID 868 (vbc.exe)

Drops file in Program Files directory 64 IoCs
Processes (description / ioc / process); every entry is "File opened for modification" by vbc.exe:
- C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
- C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
- C:\PROGRA~2\WI4223~1\sidebar.exe
- C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
- C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\WINDOW~1\wab.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
- C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
- C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
- C:\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE
- C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE
- C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE
- C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
- C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
- C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
- C:\PROGRA~2\WI54FB~1\WMPDMC.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe

Drops file in Windows directory 5 IoCs
Processes (description / ioc / process):
- File opened for modification: C:\Windows\svchost.com (vbc.exe)
- File opened for modification: C:\Windows\directx.sys (svchost.com)
- File opened for modification: C:\Windows\svchost.com (svchost.com)
- File opened for modification: C:\Windows\directx.sys (svchost.com)
- File opened for modification: C:\Windows\svchost.com (svchost.com)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing in this run encrypts files, and drive enumeration is consistent with Neshta searching drives for executables to infect.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here schtasks.exe (PID 524) registers the task Updates\DasQupfvgQ from an XML file in the user's Temp directory (C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp, see the process tree).

Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is activated out of process via COM (the -Embedding switch), so EQNEDT32.EXE (PID 768) appears as its own root in the process tree rather than as a child of EXCEL.EXE; a parent-child rule keyed on an Office parent will miss it, while a rule keyed on EQNEDT32.EXE spawning anything at all (here C:\Users\Public\vbc.exe) will not.

Modifies Internet Explorer settings 9 IoCs
Processes (description / ioc / process); all by EXCEL.EXE, under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\:
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: Toolbar
- Key created: MenuExt
- Key created: MenuExt\Se&nd to OneNote
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
These are Office registering its own IE context-menu extensions on first run, not attacker activity.

Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (vbc.exe)

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid / process):
- 1832 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
- 868 vbc.exe (2 hits)
- 1688 powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege, 868 vbc.exe
- Token: SeDebugPrivilege, 1688 powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid / process):
- 1832 EXCEL.EXE (5 hits)
- 868 vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs
Processes (source pid / process -> target pid / process, number of writes):
- 768 EQNEDT32.EXE -> 1696 vbc.exe (4)
- 1696 vbc.exe -> 1640 vbc.exe (4)
- 1640 vbc.exe -> 1744 svchost.com (4)
- 1744 svchost.com -> 1688 powershell.exe (4)
- 1640 vbc.exe -> 1476 svchost.com (4)
- 1640 vbc.exe -> 868 vbc.exe (9)
- 1476 svchost.com -> 524 schtasks.exe (4)
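The registry-side indicators above (the exefile open-command hijack, the Run value, the Defender exclusion added through Add-MpPreference) are the ones to verify on a suspect host. The following is an added example, not part of the sandbox report and not the malware's own code. Its SAMPLE state is constructed from this report's IoCs; the "user-writable path" heuristic is this example's own rule; and collect_live() assumes the standard key locations on Windows (HKLM exefile\shell\open\command, HKCU CurrentVersion\Run, and Windows Defender's Exclusions\Paths key, which normally needs an elevated shell to read).

```python
r"""Triage the registry-level persistence seen in this report.

Added example, not part of the sandbox report. SAMPLE is constructed from the
report's own IoCs; collect_live() is a Windows-only helper whose key layout is
an assumption (stock locations for exefile, the per-user Run key and Defender's
path exclusions).
"""
import re
import sys

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command on Windows.
DEFAULT_EXEFILE_OPEN = '"%1" %*'

# Locations a user-level drop can write to: C:\Users\Public and the current
# user's AppData\Roaming / AppData\Local trees. Heuristic, not a vendor rule.
USER_WRITABLE = re.compile(
    r"\\users\\(public|[^\\]+\\appdata\\(roaming|local))\\", re.I)

# Constructed from the report: Neshta's exefile hijack, AgentTesla's Run value
# and the Defender exclusion added via Add-MpPreference.
SAMPLE = {
    "exefile_open": r'C:\Windows\svchost.com "%1" %*',
    "run": {"NLKBQYR": r"C:\Users\Admin\AppData\Roaming\NLKBQYR\NLKBQYR.exe"},
    "defender_exclusions": [r"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"],
}


def check_exefile_open(value):
    r"""Flag any exefile open command other than the stock one.

    Neshta sets it to 'C:\Windows\svchost.com "%1" %*' so its stub runs
    before every EXE the user launches.
    """
    if value is None or value.strip() == DEFAULT_EXEFILE_OPEN:
        return []
    return [("exefile_hijack", value)]


def check_run_values(run):
    """Flag Run values whose executable lives in a user-writable directory."""
    return [("run_key_user_writable", f"{name} = {cmd}")
            for name, cmd in run.items() if USER_WRITABLE.search(cmd)]


def check_defender_exclusions(paths):
    """Flag Defender path exclusions that point into user-writable directories."""
    return [("defender_exclusion_user_writable", p)
            for p in paths if USER_WRITABLE.search(p)]


def triage(state):
    """Run all three checks over a collected registry state; returns (kind, detail) pairs."""
    findings = []
    findings += check_exefile_open(state.get("exefile_open"))
    findings += check_run_values(state.get("run", {}))
    findings += check_defender_exclusions(state.get("defender_exclusions", []))
    return findings


def collect_live():
    """Read the same three places from the local registry (Windows only)."""
    import winreg
    state = {"exefile_open": None, "run": {}, "defender_exclusions": []}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Classes\exefile\shell\open\command") as k:
        state["exefile_open"] = winreg.QueryValueEx(k, "")[0]
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            state["run"][name] = str(data)
            i += 1
    try:  # Defender stores each excluded path as a value name under this key.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths") as k:
            i = 0
            while True:
                try:
                    state["defender_exclusions"].append(winreg.EnumValue(k, i)[0])
                except OSError:
                    break
                i += 1
    except OSError:
        pass  # key absent, or not readable without elevation
    return state


if __name__ == "__main__":
    state = collect_live() if sys.platform == "win32" else SAMPLE
    for kind, detail in triage(state):
        print(f"[{kind}] {detail}")
```

Run on the sample state it reports all three findings; on a Windows host it reads the live keys instead. The exefile check is exact because the stock value never varies; the other two are heuristics and will also surface legitimate per-user software, so treat them as a review list rather than a verdict.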
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1832, level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order.xlsx"
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 768, level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 1696, level 2, parent PID 768)
  Command line: "C:\Users\Public\vbc.exe"
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe (PID 1640, level 3, parent PID 1696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

      C:\Windows\svchost.com (PID 1744, level 4, parent PID 1640)
      Command line: "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe (PID 1688, level 5, parent PID 1744)
        Command line: C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\svchost.com (PID 1476, level 4, parent PID 1640)
      Command line: "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DasQupfvgQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 524, level 5, parent PID 1476)
        Command line: C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ /XML C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe (PID 868, level 4, parent PID 1640)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Parent PIDs are taken from the WriteProcessMemory list in the Signatures section; EXCEL.EXE and EQNEDT32.EXE are both roots because Equation Editor is COM-activated, not spawned by Excel.
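To turn the chain above into detection logic, here is an added example that is not part of the sandbox report and not code from Triage or from either malware family. It replays the process tree as process-creation records and applies the rules this trace suggests: Equation Editor running at all, Equation Editor spawning anything, a svchost.com in C:\Windows on either side of a launch, Add-MpPreference exclusions, schtasks /Create /XML from a Temp file, and execution from user-writable paths. The record layout (modelled on a Sysmon Event ID 1 entry) and the parent PIDs of the two root processes are assumptions; every other field is copied from the report.

```python
"""Process-creation rules for the chain in this report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
report (PIDs, images and command lines as reported; parent PIDs from the
WriteProcessMemory list; the two roots get parent 0 because the sandbox did
not record their parent). The record layout is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int  # 0 = top-level in the report, parent not recorded
    image: str
    cmdline: str


EQNEDT32 = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC_TEMP = r"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"

# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(1832, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r'"C:\Users\Admin\AppData\Local\Temp\Purchase Order.xlsx"'),
    ProcEvent(768, 0, EQNEDT32, f'"{EQNEDT32}" -Embedding'),
    ProcEvent(1696, 768, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(1640, 1696, VBC_TEMP, f'"{VBC_TEMP}"'),
    ProcEvent(1744, 1640, r"C:\Windows\svchost.com",
              r'"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"'),
    ProcEvent(1688, 1744, r"C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe",
              r"C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"),
    ProcEvent(1476, 1640, r"C:\Windows\svchost.com",
              r'"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create '
              r'/TN "Updates\DasQupfvgQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp"'),
    ProcEvent(524, 1476, r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ "
              r"/XML C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp"),
    ProcEvent(868, 1640, VBC_TEMP, f'"{VBC_TEMP}"'),
]

DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHTASKS_XML_TEMP = re.compile(r"/create\b.*/xml\s+\"?[^\"\s]*\\temp\\", re.I)
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\local\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt32_launch(ev, parent):
    # Equation Editor itself. It is COM-activated, so it has no Office parent to key on.
    return basename(ev.image) == "eqnedt32.exe"


def rule_eqnedt32_child(ev, parent):
    # Equation Editor has no business spawning processes; CVE-2017-11882-style abuse does.
    return parent is not None and basename(parent.image) == "eqnedt32.exe"


def rule_neshta_svchost_com(ev, parent):
    # The service host is svchost.exe in System32. A svchost.com in C:\Windows is
    # Neshta's stub, and after the exefile hijack every EXE launch passes through it.
    return basename(ev.image) == "svchost.com" or (
        parent is not None and basename(parent.image) == "svchost.com")


def rule_defender_exclusion(ev, parent):
    return bool(DEFENDER_EXCL.search(ev.cmdline))


def rule_schtasks_xml_from_temp(ev, parent):
    return basename(ev.image) == "schtasks.exe" and bool(SCHTASKS_XML_TEMP.search(ev.cmdline))


def rule_exec_from_user_writable(ev, parent):
    return bool(USER_WRITABLE.search(ev.image))


RULES = [(f.__name__[len("rule_"):], f) for f in (
    rule_eqnedt32_launch, rule_eqnedt32_child, rule_neshta_svchost_com,
    rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_exec_from_user_writable)]


def alerts_by_pid(events):
    """Map pid -> set of rule names that fired; pids with no hits are omitted."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for ev in events:
        parent = by_pid.get(ev.parent_pid)
        hits = {name for name, pred in RULES if pred(ev, parent)}
        if hits:
            out[ev.pid] = hits
    return out


def ancestry(events, pid):
    """Walk parent links from pid up to the first process whose parent was not recorded."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].parent_pid
    return chain


if __name__ == "__main__":
    for pid, hits in alerts_by_pid(EVENTS).items():
        print(pid, "<-".join(str(p) for p in ancestry(EVENTS, pid)), sorted(hits))
```

Only EXCEL.EXE produces no alert; every other process in the tree trips at least one rule, and ancestry() links the schtasks launch back through both svchost.com hops to EQNEDT32.EXE, which is the chain a responder wants to see in one line. Note that the svchost.com wrapper processes (PIDs 1744 and 1476) carry the interesting command lines, while the schtasks and Defender rules are keyed on the real child images so each launch is alerted once.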
Network
MITRE ATT&CK Enterprise v6
Downloads

Files written during the run. The IE-cache copy below has the same hashes as C:\Users\Public\vbc.exe: it is the file EQNEDT32.EXE fetched (the blocklisted network request) before it was copied to C:\Users\Public and run. Entries under \PROGRA~2 are host executables rewritten by the Neshta-infected vbc.exe.

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\L1Y3K90W\MALCOM~1.EXE
MD5: 1ad95ef0201298ba4966062d800ae957
SHA1: 855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256: 784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512: fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5: 6427002ddf28933e5df19b7b8dcb159a
SHA1: 138ff1f042b2f5984a8b57939d8586b26127e729
SHA256: 4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512: cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5: 5604eae191a7b77d3f939d02bbb028dd
SHA1: 45c3f1d96f661abb05c248ec80e8bb1dd8c7fe86
SHA256: fc7ba4771f04fee9f36203f396b41da634c9e639a8eada6766ed4038cc08e9f0
SHA512: 8d2dcbc6bb26dd9f1c1d0c5413772df4bb437d1756de743695cf9a164a51d91dc1011e0f0d7af41aa9290f1b8097eccdf0e99af3c06758b94028f47e670b0e21

C:\Users\Public\vbc.exe
MD5: 1ad95ef0201298ba4966062d800ae957
SHA1: 855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256: 784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512: fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

C:\Windows\directx.sys
MD5: 7779b7aac555eb734d1d878a0dfce1e2
SHA1: 4216e4f627f3933d918ae4b86683e205e630d3a5
SHA256: 62263e548942d1b55bc1f1c79489ddf0fc111a11df3660b30e202a8472fc7331
SHA512: e9608bb14045f4789c367771fd2a043a13e9732dd3daa4bd41bed753f46d9e0334d4af9bff59a755e8511988dea3b3a88f887940a09668eff07eb7e4b2ad209b

C:\Windows\svchost.com
MD5: ac3aa03e4370013a0dfd295363e22ec7
SHA1: 320ad9813cd7be1a24f2b530af1edc52f5ea76b1
SHA256: 821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181
SHA512: e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE
MD5: 583ff3367e050c4d62bc03516473b40a
SHA1: 6aa1d26352b78310e711884829c35a69ed1bf0f9
SHA256: 6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146
SHA512: e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5: 583ff3367e050c4d62bc03516473b40a
SHA1: 6aa1d26352b78310e711884829c35a69ed1bf0f9
SHA256: 6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146
SHA512: e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5: 6427002ddf28933e5df19b7b8dcb159a
SHA1: 138ff1f042b2f5984a8b57939d8586b26127e729
SHA256: 4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0
SHA512: cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

\Users\Public\vbc.exe
MD5: 1ad95ef0201298ba4966062d800ae957
SHA1: 855db465c5aa7dc416a0fad8e55cebb1c8a46363
SHA256: 784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731
SHA512: fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Memory dumps (behavioral1; file size in parentheses where the sandbox recorded one):
- memory/524-101-0x0000000000000000-mapping.dmp
- memory/768-63-0x0000000075801000-0x0000000075803000-memory.dmp (8KB)
- memory/868-98-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/868-145-0x0000000004B11000-0x0000000004B12000-memory.dmp (4KB)
- memory/868-108-0x0000000004B10000-0x0000000004B11000-memory.dmp (4KB)
- memory/868-103-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/868-100-0x00000000004375EE-mapping.dmp
- memory/1476-93-0x0000000000000000-mapping.dmp
- memory/1640-78-0x0000000004CA0000-0x0000000004CA1000-memory.dmp (4KB)
- memory/1640-85-0x0000000001EF0000-0x0000000001F35000-memory.dmp (276KB)
- memory/1640-84-0x0000000005700000-0x0000000005772000-memory.dmp (456KB)
- memory/1640-83-0x00000000003D0000-0x00000000003ED000-memory.dmp (116KB)
- memory/1640-73-0x0000000000000000-mapping.dmp
- memory/1640-76-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/1688-119-0x00000000061A0000-0x00000000061A1000-memory.dmp (4KB)
- memory/1688-113-0x000000007EF20000-0x000000007EF21000-memory.dmp (4KB)
- memory/1688-143-0x0000000006500000-0x0000000006501000-memory.dmp (4KB)
- memory/1688-142-0x00000000064F0000-0x00000000064F1000-memory.dmp (4KB)
- memory/1688-104-0x0000000004A20000-0x0000000004A21000-memory.dmp (4KB)
- memory/1688-128-0x0000000006160000-0x0000000006161000-memory.dmp (4KB)
- memory/1688-106-0x00000000049E0000-0x00000000049E1000-memory.dmp (4KB)
- memory/1688-107-0x00000000049E2000-0x00000000049E3000-memory.dmp (4KB)
- memory/1688-90-0x0000000000000000-mapping.dmp
- memory/1688-109-0x0000000001150000-0x0000000001151000-memory.dmp (4KB)
- memory/1688-110-0x00000000049B0000-0x00000000049B1000-memory.dmp (4KB)
- memory/1688-99-0x0000000000690000-0x0000000000691000-memory.dmp (4KB)
- memory/1688-114-0x0000000006120000-0x0000000006121000-memory.dmp (4KB)
- memory/1688-127-0x0000000006470000-0x0000000006471000-memory.dmp (4KB)
- memory/1688-120-0x0000000006360000-0x0000000006361000-memory.dmp (4KB)
- memory/1696-68-0x0000000000000000-mapping.dmp
- memory/1744-87-0x0000000000000000-mapping.dmp
- memory/1832-60-0x000000002F7A1000-0x000000002F7A4000-memory.dmp (12KB)
- memory/1832-61-0x0000000070E31000-0x0000000070E33000-memory.dmp (8KB)
- memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1832-144-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)

The two 240KB dumps of PID 868 (0x00400000-0x0043C000) are the hollowed AgentTesla image that the family_agenttesla YARA rule matched.