neshta | b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9

Analysis

max time kernel
161s
max time network
159s
platform
windows7_x64
resource
win7-en-20211014
submitted
03-11-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT_0032411983221 advice.xlsx
Size

185KB
MD5

8601e9fbd0710b734aaa95ba56ebf397
SHA1

d5fefeba0606f92a7223bbe51091132404670daa
SHA256

b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9
SHA512

2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d

Score

10^/10

neshta xloader ga6b loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ga6b

http://www.egyptian-museum.com/ga6b/

Decoy

diasporacospices.com

sd-shenghe.com

onlinewritingjobs.net

greenstreamgroup.store

garageair.agency

idh-bf.com

middenhavendambreskens.com

szkoleniawcag.online

wiremefeelings.com

ottosperformance.com

brothermush.com

weiserpath.com

baohiemtv24h.com

glassgalaxynft.com

spiritualmind.space

18130072012.com

3v0.space

smartgadgetscompare.com

corvusexpeditii.xyz

egcontabilidade.website

Signatures

Detect Neshta Payload 7 IoCs

Processes:

resource	yara_rule
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1088-74-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1088-75-0x000000000041D4E0-mapping.dmp	xloader
behavioral1/memory/896-84-0x0000000000070000-0x0000000000099000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 856 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1572 vbc.exe
1880 vbc.exe
1088 vbc.exe
Loads dropped DLL 8 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exe

pid process

856 EQNEDT32.EXE
856 EQNEDT32.EXE
856 EQNEDT32.EXE
856 EQNEDT32.EXE
1572 vbc.exe
1880 vbc.exe
1880 vbc.exe
1572 vbc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	856	EQNEDT32.EXE

pid	process
1572	vbc.exe
1880	vbc.exe
1088	vbc.exe

pid	process
856	EQNEDT32.EXE
856	EQNEDT32.EXE
856	EQNEDT32.EXE
856	EQNEDT32.EXE
1572	vbc.exe
1880	vbc.exe
1880	vbc.exe
1572	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execscript.exe

description	pid	process	target process
PID 1880 set thread context of 1088	1880	vbc.exe	vbc.exe
PID 1088 set thread context of 1264	1088	vbc.exe	Explorer.EXE
PID 896 set thread context of 1264	896	cscript.exe	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

vbc.exe

description ioc process

File opened for modification C:\Windows\svchost.com vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	vbc.exe

NSIS installer 17 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

856 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
856	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

476 EXCEL.EXE

pid	process
476	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

vbc.execscript.exe

pid	process
1088	vbc.exe
1088	vbc.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe
896	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execscript.exe

pid process

1088 vbc.exe
1088 vbc.exe
1088 vbc.exe
896 cscript.exe
896 cscript.exe

pid	process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1088	vbc.exe
Token: SeDebugPrivilege	896	cscript.exe
Token: SeShutdownPrivilege	1264	Explorer.EXE
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

476 EXCEL.EXE
476 EXCEL.EXE
476 EXCEL.EXE

pid	process
476	EXCEL.EXE
476	EXCEL.EXE
476	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 856 wrote to memory of 1572	856	EQNEDT32.EXE	vbc.exe
PID 856 wrote to memory of 1572	856	EQNEDT32.EXE	vbc.exe
PID 856 wrote to memory of 1572	856	EQNEDT32.EXE	vbc.exe
PID 856 wrote to memory of 1572	856	EQNEDT32.EXE	vbc.exe
PID 1572 wrote to memory of 1880	1572	vbc.exe	vbc.exe
PID 1572 wrote to memory of 1880	1572	vbc.exe	vbc.exe
PID 1572 wrote to memory of 1880	1572	vbc.exe	vbc.exe
PID 1572 wrote to memory of 1880	1572	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1880 wrote to memory of 1088	1880	vbc.exe	vbc.exe
PID 1264 wrote to memory of 896	1264	Explorer.EXE	cscript.exe
PID 1264 wrote to memory of 896	1264	Explorer.EXE	cscript.exe
PID 1264 wrote to memory of 896	1264	Explorer.EXE	cscript.exe
PID 1264 wrote to memory of 896	1264	Explorer.EXE	cscript.exe
PID 896 wrote to memory of 1368	896	cscript.exe	cmd.exe
PID 896 wrote to memory of 1368	896	cscript.exe	cmd.exe
PID 896 wrote to memory of 1368	896	cscript.exe	cmd.exe
PID 896 wrote to memory of 1368	896	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT_0032411983221 advice.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
3⤵
PID:1368

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
C:\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
C:\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
2cdc3d96a11abe92e9869d888d6c1696

SHA1
910cb0036b3e9a2834208a2361ca28912ade8f6c

SHA256
34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd

SHA512
dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy734D.tmp\tdledysx.dll
MD5
ab2962aabbe70e27d355dacf203405e6

SHA1
729bb1a7412903e2574ccc129409b70cbd55e01a

SHA256
dc3786cc8cbf1abd5261926553b407c82c97eefa6d4cafdb3c7147295a65e450

SHA512
3e8c94d585a02f108fd2fd0bfef3a252e196280e03a2e17e3b5d978a6d9ae5652cdfc5bc9ddd5df2f986a1d1e3fe959391be75a49e84d51771dea3d0854f3d40

Download Submit
\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
\Users\Public\vbc.exe
MD5
36ca5751b0b2d9321215f223a18aefbf

SHA1
c9661ff48f2eaa2718a46b23a70a02a8461715be

SHA256
602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4

SHA512
f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c

Download Submit
memory/476-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/476-55-0x000000002FA11000-0x000000002FA14000-memory.dmp

Filesize
12KB

Download
memory/476-56-0x0000000071261000-0x0000000071263000-memory.dmp

Filesize
8KB

Download
memory/476-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/856-58-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/896-83-0x0000000000D40000-0x0000000000D62000-memory.dmp

Filesize
136KB

Download
memory/896-85-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/896-86-0x0000000000970000-0x0000000000A00000-memory.dmp

Filesize
576KB

Download
memory/896-84-0x0000000000070000-0x0000000000099000-memory.dmp

Filesize
164KB

Download
memory/896-81-0x0000000000000000-mapping.dmp

Download
memory/1088-78-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/1088-79-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/1088-75-0x000000000041D4E0-mapping.dmp

Download
memory/1088-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1264-80-0x0000000006BD0000-0x0000000006CD9000-memory.dmp

Filesize
1.0MB

Download
memory/1264-89-0x0000000006EA0000-0x0000000006FE6000-memory.dmp

Filesize
1.3MB

Download
memory/1264-91-0x000007FEF5FA0000-0x000007FEF60E3000-memory.dmp

Filesize
1.3MB

Download
memory/1264-92-0x000007FECDDE0000-0x000007FECDDEA000-memory.dmp

Filesize
40KB

Download
memory/1368-82-0x0000000000000000-mapping.dmp

Download
memory/1572-63-0x0000000000000000-mapping.dmp

Download
memory/1880-68-0x0000000000000000-mapping.dmp

Download