neshta | e6b973beff845a214101c3f4714d32f15112b86a9fbfbd301914063f2e4e5677

Analysis

max time kernel
155s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
03-11-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RIOSAT_DOC.xlsx
Size

201KB
MD5

4ed0940e6e53d246dae50a1a7dda5f68
SHA1

4439f0cdb3937226cb4015ec4c2df54a36c29f65
SHA256

e6b973beff845a214101c3f4714d32f15112b86a9fbfbd301914063f2e4e5677
SHA512

7f7734d8f9983339f279e95b76ce78743875889e5a1e7951f80e9e984ac34b31312ee0f80682976895e030d0784ec17be5b0ec65536a86b448706979a0f288f9

Score

10^/10

neshta xloader ht08 loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ht08

http://www.septemberstockevent200.com/ht08/

Decoy

joye.club

istanbulemlakgalerisi.online

annikadaniel.love

oooci.com

curebase-test.com

swisstradecenter.com

hacticum.com

centercodebase.com

recbi56ni.com

mmj0115.xyz

sharpstead.com

sprklbeauty.com

progettogenesi.cloud

dolinum.com

amaroqadvisors.com

traininig.com

leewaysvcs.com

nashhomesearch.com

joy1263.com

serkanyamac.com

Signatures

Detect Neshta Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\VBC_1_~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1604-77-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/1604-80-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral1/memory/1292-96-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 836 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1164 vbc.exe
868 vbc.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

836 EQNEDT32.EXE
836 EQNEDT32.EXE
1164 vbc.exe
1164 vbc.exe
1164 vbc.exe
1164 vbc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	836	EQNEDT32.EXE

pid	process
1164	vbc.exe
868	vbc.exe

pid	process
836	EQNEDT32.EXE
836	EQNEDT32.EXE
1164	vbc.exe
1164	vbc.exe
1164	vbc.exe
1164	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qmvtdvov = "C:\\Users\\Public\\Libraries\\vovdtvmQ.url"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exehelp.exe

description	pid	process	target process
PID 1604 set thread context of 1368	1604	logagent.exe	Explorer.EXE
PID 1292 set thread context of 1368	1292	help.exe	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

vbc.exe

description ioc process

File opened for modification C:\Windows\svchost.com vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

836 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
836	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXEvbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1120 reg.exe
1484 reg.exe
984 reg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

428 EXCEL.EXE

pid	process
1120	reg.exe
1484	reg.exe
984	reg.exe

pid	process
428	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

logagent.exehelp.exe

pid	process
1604	logagent.exe
1604	logagent.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe
1292	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exehelp.exe

pid process

1604 logagent.exe
1604 logagent.exe
1604 logagent.exe
1292 help.exe
1292 help.exe

pid	process
1368	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

logagent.exehelp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1604	logagent.exe
Token: SeDebugPrivilege	1292	help.exe
Token: SeShutdownPrivilege	1368	Explorer.EXE
Token: SeShutdownPrivilege	1368	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

428 EXCEL.EXE
428 EXCEL.EXE
428 EXCEL.EXE

pid	process
428	EXCEL.EXE
428	EXCEL.EXE
428	EXCEL.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.execmd.execmd.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1164	836	EQNEDT32.EXE	vbc.exe
PID 836 wrote to memory of 1164	836	EQNEDT32.EXE	vbc.exe
PID 836 wrote to memory of 1164	836	EQNEDT32.EXE	vbc.exe
PID 836 wrote to memory of 1164	836	EQNEDT32.EXE	vbc.exe
PID 1164 wrote to memory of 868	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 868	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 868	1164	vbc.exe	vbc.exe
PID 1164 wrote to memory of 868	1164	vbc.exe	vbc.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 1604	868	vbc.exe	logagent.exe
PID 868 wrote to memory of 552	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 552	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 552	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 552	868	vbc.exe	cmd.exe
PID 552 wrote to memory of 304	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 304	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 304	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 304	552	cmd.exe	cmd.exe
PID 304 wrote to memory of 1120	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1120	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1120	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1120	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1484	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1484	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1484	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1484	304	cmd.exe	reg.exe
PID 304 wrote to memory of 2020	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 2020	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 2020	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 2020	304	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 1292	1368	Explorer.EXE	help.exe
PID 1368 wrote to memory of 1292	1368	Explorer.EXE	help.exe
PID 1368 wrote to memory of 1292	1368	Explorer.EXE	help.exe
PID 1368 wrote to memory of 1292	1368	Explorer.EXE	help.exe
PID 868 wrote to memory of 2040	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 2040	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 2040	868	vbc.exe	cmd.exe
PID 868 wrote to memory of 2040	868	vbc.exe	cmd.exe
PID 2040 wrote to memory of 984	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 984	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 984	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 984	2040	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RIOSAT_DOC.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
6⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\VBC_1_~1.EXE
MD5
30c7103e4ac74802a7c3695736d2592e

SHA1
aa151cf41f533688026f84316328a409323ac426

SHA256
cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117

SHA512
60668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
c345295004c073b4ffd93d6b1bcbe07b

SHA1
38dd21c44fc9a358ad260a98b39f9522a444231f

SHA256
674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253

SHA512
918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
c345295004c073b4ffd93d6b1bcbe07b

SHA1
38dd21c44fc9a358ad260a98b39f9522a444231f

SHA256
674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253

SHA512
918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0

Download Submit
C:\Users\Public\LIBRAR~1\Qmvtdvov\Qmvtdvov.exe
MD5
24aaa6b488ab77b9b4a28c0d0a60141a

SHA1
5280ab8f4061fc75921e9a3fdfe67c222c4acef2

SHA256
3973f0d23af9f2f090dca5b50d628f41dd5b848157e2470bcd146f3eb6236ea8

SHA512
719d3f72fbc148f5240c5d12289a01ce804e7e74bfc7acb104ac5092a4a238f66ed121abb385ddb3b3c1b526c5910f8c9787a2b4af6c27ea133e9194cf25b69c

Download Submit
C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
C:\Users\Public\vbc.exe
MD5
30c7103e4ac74802a7c3695736d2592e

SHA1
aa151cf41f533688026f84316328a409323ac426

SHA256
cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117

SHA512
60668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35

Download Submit
C:\Users\Public\vbc.exe
MD5
30c7103e4ac74802a7c3695736d2592e

SHA1
aa151cf41f533688026f84316328a409323ac426

SHA256
cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117

SHA512
60668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
c345295004c073b4ffd93d6b1bcbe07b

SHA1
38dd21c44fc9a358ad260a98b39f9522a444231f

SHA256
674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253

SHA512
918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
c345295004c073b4ffd93d6b1bcbe07b

SHA1
38dd21c44fc9a358ad260a98b39f9522a444231f

SHA256
674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253

SHA512
918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0

Download Submit
\Users\Public\LIBRAR~1\Qmvtdvov\Qmvtdvov.exe
MD5
24aaa6b488ab77b9b4a28c0d0a60141a

SHA1
5280ab8f4061fc75921e9a3fdfe67c222c4acef2

SHA256
3973f0d23af9f2f090dca5b50d628f41dd5b848157e2470bcd146f3eb6236ea8

SHA512
719d3f72fbc148f5240c5d12289a01ce804e7e74bfc7acb104ac5092a4a238f66ed121abb385ddb3b3c1b526c5910f8c9787a2b4af6c27ea133e9194cf25b69c

Download Submit
\Users\Public\vbc.exe
MD5
30c7103e4ac74802a7c3695736d2592e

SHA1
aa151cf41f533688026f84316328a409323ac426

SHA256
cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117

SHA512
60668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35

Download Submit
\Users\Public\vbc.exe
MD5
30c7103e4ac74802a7c3695736d2592e

SHA1
aa151cf41f533688026f84316328a409323ac426

SHA256
cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117

SHA512
60668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35

Download Submit
memory/304-82-0x0000000000000000-mapping.dmp

Download
memory/428-55-0x000000002FAE1000-0x000000002FAE4000-memory.dmp

Filesize
12KB

Download
memory/428-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/428-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/428-56-0x0000000070EB1000-0x0000000070EB3000-memory.dmp

Filesize
8KB

Download
memory/552-78-0x0000000000000000-mapping.dmp

Download
memory/836-58-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/868-67-0x0000000000000000-mapping.dmp

Download
memory/868-71-0x00000000003E1000-0x00000000003F5000-memory.dmp

Filesize
80KB

Download
memory/868-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/984-100-0x0000000000000000-mapping.dmp

Download
memory/1120-84-0x0000000000000000-mapping.dmp

Download
memory/1164-61-0x0000000000000000-mapping.dmp

Download
memory/1292-96-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1292-94-0x0000000000000000-mapping.dmp

Download
memory/1292-101-0x00000000004F0000-0x0000000000580000-memory.dmp

Filesize
576KB

Download
memory/1292-95-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1292-97-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1368-102-0x0000000009960000-0x0000000009AE3000-memory.dmp

Filesize
1.5MB

Download
memory/1368-91-0x0000000007C60000-0x0000000007E00000-memory.dmp

Filesize
1.6MB

Download
memory/1484-85-0x0000000000000000-mapping.dmp

Download
memory/1604-79-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1604-80-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/1604-77-0x0000000000000000-mapping.dmp

Download
memory/1604-75-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1604-90-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/1604-89-0x0000000002120000-0x0000000002423000-memory.dmp

Filesize
3.0MB

Download
memory/1604-74-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/2020-86-0x0000000000000000-mapping.dmp

Download
memory/2040-98-0x0000000000000000-mapping.dmp

Download