lokibot | 591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
05-07-2022 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Draft Of Shipping Docs.xlsm
Size

203KB
MD5

e0e217bf187d940292bf1e3bd743ed2e
SHA1

37698145a8bdf43c3b4dc77f2e234b715f1953ee
SHA256

591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d
SHA512

5ac9bc896ec907598688bc3090b07ccd2ecab6ffe7d0be9bf71bfc3e7ecb7e3579b89b45dda199192163baa3fadd00562a3d22948595355dd7f1afbe17d9f452

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

http://sempersim.su/gf10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jGwtsgfcAwgrRaYqBrXLHt.exevbc.exevbc.exe

pid process

4876 jGwtsgfcAwgrRaYqBrXLHt.exe
2040 vbc.exe
2948 vbc.exe

pid	process
4876	jGwtsgfcAwgrRaYqBrXLHt.exe
2040	vbc.exe
2948	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jGwtsgfcAwgrRaYqBrXLHt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	jGwtsgfcAwgrRaYqBrXLHt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 2040 set thread context of 2948 2040 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2040 set thread context of 2948	2040	vbc.exe	vbc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 43 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000002ef0764c6350d8018f24df4f6c50d80111faba275290d80114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000008f54520f10004c6f63616c003c0009000400efbe8f54c206e554c64b2e0000009de10100000001000000000000000000000000000000e64e11014c006f00630061006c00000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000e554cd4b100054656d7000003a0009000400efbe8f54c206e554cd4b2e0000009ee10100000001000000000000000000000000000000ec99fd00540065006d007000000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c004346534616003100000000008f54c206120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe8f54c206e554c84b2e0000008ae101000000010000000000000000000000000000008338f4004100700070004400610074006100000042000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4068 EXCEL.EXE
4644 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1656	chrome.exe
1656	chrome.exe
2228	chrome.exe
2228	chrome.exe
1548	chrome.exe
1548	chrome.exe
5608	chrome.exe
5608	chrome.exe
5292	chrome.exe
5292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
2228 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEvbc.exe

description pid process

Token: SeAuditPrivilege 4644 WINWORD.EXE
Token: SeDebugPrivilege 2948 vbc.exe

description	pid	process
Token: SeAuditPrivilege	4644	WINWORD.EXE
Token: SeDebugPrivilege	2948	vbc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

EXCEL.EXEWINWORD.EXEchrome.exe

pid	process
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4644	WINWORD.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4644	WINWORD.EXE
4068	EXCEL.EXE
4644	WINWORD.EXE
4068	EXCEL.EXE
4644	WINWORD.EXE
5292	chrome.exe
5292	chrome.exe
5292	chrome.exe
5292	chrome.exe
5292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEEXCEL.EXEjGwtsgfcAwgrRaYqBrXLHt.exevbc.exechrome.exe

description	pid	process	target process
PID 4644 wrote to memory of 4316	4644	WINWORD.EXE	splwow64.exe
PID 4644 wrote to memory of 4316	4644	WINWORD.EXE	splwow64.exe
PID 4068 wrote to memory of 4876	4068	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 4068 wrote to memory of 4876	4068	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 4068 wrote to memory of 4876	4068	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 4876 wrote to memory of 2040	4876	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 4876 wrote to memory of 2040	4876	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 4876 wrote to memory of 2040	4876	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2948	2040	vbc.exe	vbc.exe
PID 2228 wrote to memory of 832	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 832	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 2040	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 1656	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 1656	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 3468	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 3468	2228	chrome.exe	chrome.exe
PID 2228 wrote to memory of 3468	2228	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Draft Of Shipping Docs.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf73d4f50,0x7ffdf73d4f60,0x7ffdf73d4f70
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
2⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6420 /prefetch:8
2⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:8
2⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
2⤵
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
2⤵
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
2⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
2⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16933198967264778042,12066444226797202985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
eca7833f6b4f55e44cbadee40156d7f1

SHA1
6c760b93ee650f7523caa6669440f72ebcf88ddf

SHA256
eb75f88d3116c55533d2aa5a7485158126c773dcc40785255d667a643e933336

SHA512
7dc84c0f706998b6f50037ebd3951992b140f76f15afba83e7825256a51b6f39e652690386a43a948eccb344a04dc6c5ea0923f2c1b1bb1a462eadf96bbb596f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
44592d38413f318ca4cef0553f76050e

SHA1
60c372f0ad3f204b7065e6bb97e8f76f6d70c2df

SHA256
1a9ba097dca600daba5881b8e9b7f81136804f32460be402b4f3c0a9fc60f453

SHA512
e59c5f5820b3f2b36dc55cfc0c27489acb31d760f28b49ae3b7bf0ea9923d2abdccf7a6281a2c7515876b218a2172055bbedd309de6efd92f83326af568e931d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\receipt[1].doc
Filesize
20KB

MD5
420c0ada5b084930072500dda293f55b

SHA1
f0e5d7edfde6641670c79ecf0ae4e70ea78e5387

SHA256
1b7f1ee778e86d3e4ee56ea99b6c1951f2be2ad261d4a5ff691de4437e6dc1a0

SHA512
c0d5adb3912f2d7293e4bd0455352feedfa2e9dea8d78cb827fa22d3c20b0d14db89024ea1c3aa6e71e8d84a9ac298584b3064e4e2a47d6deeed57e37dcbfb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\??\pipe\crashpad_2228_AQDYOQQFTZLQEBCS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2040-160-0x00000000086B0000-0x0000000008716000-memory.dmp

Filesize
408KB

Download
memory/2040-156-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/2040-155-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/2040-150-0x0000000000000000-mapping.dmp

Download
memory/2040-159-0x0000000008570000-0x000000000860C000-memory.dmp

Filesize
624KB

Download
memory/2040-154-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2040-153-0x0000000000010000-0x000000000009A000-memory.dmp

Filesize
552KB

Download
memory/2948-161-0x0000000000000000-mapping.dmp

Download
memory/2948-162-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2948-167-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2948-166-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2948-165-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4068-136-0x00007FFDE4FD0000-0x00007FFDE4FE0000-memory.dmp

Filesize
64KB

Download
memory/4068-134-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4068-130-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4068-135-0x00007FFDE4FD0000-0x00007FFDE4FE0000-memory.dmp

Filesize
64KB

Download
memory/4068-133-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4068-132-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4068-131-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4316-145-0x0000000000000000-mapping.dmp

Download
memory/4876-149-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4876-146-0x0000000000000000-mapping.dmp

Download