formbook | 9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI.xls
Size

572KB
MD5

bb4c1fc0513552cb4a5845d8acad983c
SHA1

176b67e99bb252345bf71b30e909a47f6f95333d
SHA256

9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca
SHA512

d6c0db3f2bb3bc1fcdf2f3dd42f7e8f4971b1163c219e7482734ca8feca0d2211fa0089096d0cf3a093b076898b4b260b8e48f271a27e75cff592744b47f0ace
SSDEEP

12288:l5UMHq/88o5zJOcVLEP9iEtHlifM9fGaHC:l2M2C5zJwbtHv9fGa

Score

10^/10

formbook nurs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nurs

Decoy

caixinhascomcarinho.com

abinotools.com

oporto-tours.com

iruos.com

yesmamawinebar.com

wwwscu.com

habit2impact.com

antigenresearch.com

ux4space.com

diarypisces.com

cryptopers.com

lovingmoreband.com

beerwars.net

ascariproject.site

livesoccerhd.info

bluestardivingschool.com

pluik.com

snorrky.space

lcoi9.com

phantomxr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/904-107-0x0000000000400000-0x0000000000435000-memory.dmp	formbook
behavioral1/memory/904-108-0x0000000000401190-mapping.dmp	formbook
behavioral1/memory/904-111-0x0000000000400000-0x0000000000435000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe	formbook
behavioral1/memory/904-113-0x0000000000400000-0x0000000000435000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe	formbook
behavioral1/memory/1868-130-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1868-135-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

svchost.exegtolaje.exeFB_BC3E.tmp.exeFB_BD77.tmp.exesvcupdater.exe

pid process

1500 svchost.exe
864 gtolaje.exe
1672 FB_BC3E.tmp.exe
268 FB_BD77.tmp.exe
1624 svcupdater.exe
Loads dropped DLL 6 IoCs

Processes:

EXCEL.EXEWScript.exeRegSvcs.exe

pid process

1348 EXCEL.EXE
1904 WScript.exe
904 RegSvcs.exe
904 RegSvcs.exe
904 RegSvcs.exe
904 RegSvcs.exe

pid	process
1500	svchost.exe
864	gtolaje.exe
1672	FB_BC3E.tmp.exe
268	FB_BD77.tmp.exe
1624	svcupdater.exe

pid	process
1348	EXCEL.EXE
1904	WScript.exe
904	RegSvcs.exe
904	RegSvcs.exe
904	RegSvcs.exe
904	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gtolaje.exeFB_BC3E.tmp.exechkdsk.exe

description	pid	process	target process
PID 864 set thread context of 904	864	gtolaje.exe	RegSvcs.exe
PID 1672 set thread context of 1208	1672	FB_BC3E.tmp.exe	Explorer.EXE
PID 1868 set thread context of 1208	1868	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

428 schtasks.exe

pid	process
428	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchkdsk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1348 EXCEL.EXE

pid	process
1348	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

gtolaje.exeFB_BC3E.tmp.exechkdsk.exe

pid	process
864	gtolaje.exe
864	gtolaje.exe
1672	FB_BC3E.tmp.exe
1672	FB_BC3E.tmp.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe
1868	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

FB_BC3E.tmp.exechkdsk.exe

pid process

1672 FB_BC3E.tmp.exe
1672 FB_BC3E.tmp.exe
1672 FB_BC3E.tmp.exe
1868 chkdsk.exe
1868 chkdsk.exe

pid	process
1672	FB_BC3E.tmp.exe
1672	FB_BC3E.tmp.exe
1672	FB_BC3E.tmp.exe
1868	chkdsk.exe
1868	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

FB_BC3E.tmp.exechkdsk.exeExplorer.EXEsvcupdater.exe

description	pid	process
Token: SeDebugPrivilege	1672	FB_BC3E.tmp.exe
Token: SeDebugPrivilege	1868	chkdsk.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1624	svcupdater.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1348 EXCEL.EXE
1348 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1348 EXCEL.EXE
1348 EXCEL.EXE
1348 EXCEL.EXE

pid	process
1348	EXCEL.EXE
1348	EXCEL.EXE

pid	process
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

EXCEL.EXEsvchost.exeWScript.exegtolaje.exeRegSvcs.exeExplorer.EXEchkdsk.exeFB_BD77.tmp.execmd.exetaskeng.exe

description	pid	process	target process
PID 1348 wrote to memory of 1500	1348	EXCEL.EXE	svchost.exe
PID 1348 wrote to memory of 1500	1348	EXCEL.EXE	svchost.exe
PID 1348 wrote to memory of 1500	1348	EXCEL.EXE	svchost.exe
PID 1348 wrote to memory of 1500	1348	EXCEL.EXE	svchost.exe
PID 1500 wrote to memory of 1904	1500	svchost.exe	WScript.exe
PID 1500 wrote to memory of 1904	1500	svchost.exe	WScript.exe
PID 1500 wrote to memory of 1904	1500	svchost.exe	WScript.exe
PID 1500 wrote to memory of 1904	1500	svchost.exe	WScript.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 1904 wrote to memory of 864	1904	WScript.exe	gtolaje.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 1976	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 864 wrote to memory of 904	864	gtolaje.exe	RegSvcs.exe
PID 904 wrote to memory of 1672	904	RegSvcs.exe	FB_BC3E.tmp.exe
PID 904 wrote to memory of 1672	904	RegSvcs.exe	FB_BC3E.tmp.exe
PID 904 wrote to memory of 1672	904	RegSvcs.exe	FB_BC3E.tmp.exe
PID 904 wrote to memory of 1672	904	RegSvcs.exe	FB_BC3E.tmp.exe
PID 904 wrote to memory of 268	904	RegSvcs.exe	FB_BD77.tmp.exe
PID 904 wrote to memory of 268	904	RegSvcs.exe	FB_BD77.tmp.exe
PID 904 wrote to memory of 268	904	RegSvcs.exe	FB_BD77.tmp.exe
PID 904 wrote to memory of 268	904	RegSvcs.exe	FB_BD77.tmp.exe
PID 1208 wrote to memory of 1868	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1868	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1868	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1868	1208	Explorer.EXE	chkdsk.exe
PID 1868 wrote to memory of 1128	1868	chkdsk.exe	cmd.exe
PID 1868 wrote to memory of 1128	1868	chkdsk.exe	cmd.exe
PID 1868 wrote to memory of 1128	1868	chkdsk.exe	cmd.exe
PID 1868 wrote to memory of 1128	1868	chkdsk.exe	cmd.exe
PID 268 wrote to memory of 1888	268	FB_BD77.tmp.exe	cmd.exe
PID 268 wrote to memory of 1888	268	FB_BD77.tmp.exe	cmd.exe
PID 268 wrote to memory of 1888	268	FB_BD77.tmp.exe	cmd.exe
PID 1888 wrote to memory of 428	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 428	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 428	1888	cmd.exe	schtasks.exe
PID 2024 wrote to memory of 1624	2024	taskeng.exe	svcupdater.exe
PID 2024 wrote to memory of 1624	2024	taskeng.exe	svcupdater.exe
PID 2024 wrote to memory of 1624	2024	taskeng.exe	svcupdater.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PI.xls
2⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_26\ojulmltrx.vbe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\4_26\gtolaje.exe
"C:\Users\Admin\AppData\Local\Temp\4_26\gtolaje.exe" pbotw.xml
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
8⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\schtasks.exe
schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
9⤵
- Creates scheduled task(s)
PID:428

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe"
3⤵
PID:1128

C:\Windows\system32\taskeng.exe
taskeng.exe {5357C605-23EC-4029-8E66-3EE4C0524218} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4_26\crga.xl
Filesize
49KB

MD5
65c6c8f6b3a823b991728d34bb147987

SHA1
50a8bb000801df7866fe37acbd8e8e8d0ba52e38

SHA256
0d64e271164958c877b0bf44b16e1ae00382e0d7db304e2458aaa810973b5393

SHA512
30ce653a8e526fc68ee2055fd88748e97134a4d41284e6c35ca02557892fe4f7ea621139b4fbd8a22430d1a7f53da1f29b6dde8bc2c5ae33acfd3427bb84b80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_26\gtolaje.exe
Filesize
925KB

MD5
4897990addbe336ab1dda8e97d159d34

SHA1
0914b338d061b85e55cd40dbec926ce0d47c9fd5

SHA256
a1556a7149f87c7b52f95ab2109a945c917a6876a50d1a3750594224649c0120

SHA512
14f6513fe1ec061e18a995de1516768fa76c3e6c988015deb298c451b188964d5ca88ff14409ac755f82604961b89619f47cfb9b1229192369182c9e34668946

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_26\gtolaje.exe
Filesize
925KB

MD5
4897990addbe336ab1dda8e97d159d34

SHA1
0914b338d061b85e55cd40dbec926ce0d47c9fd5

SHA256
a1556a7149f87c7b52f95ab2109a945c917a6876a50d1a3750594224649c0120

SHA512
14f6513fe1ec061e18a995de1516768fa76c3e6c988015deb298c451b188964d5ca88ff14409ac755f82604961b89619f47cfb9b1229192369182c9e34668946

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_26\pbotw.xml
Filesize
102.7MB

MD5
dd7643205dc0fd6c4ff299c91bddf8c9

SHA1
1acaf73a9fb77ddc58c01ecb312f3ec8d973f0b0

SHA256
9ccf2d739a9b8abf4771bfcd1552939e2d38cb69772f473ebd9f4541474a5242

SHA512
2186bc19c42ae586ea660dca2b2644f8d30e707f456e1cb90660edcf762ec86c65c8c111835c5d53cc50b8fb3c78df054f14885a5a4d900dc777fd4ef6bf425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_26\uwsrkdh.dkl
Filesize
422KB

MD5
b584955531ad9e56ad06887281079f54

SHA1
f5284434cd7f5066e4458ff910421646892936ec

SHA256
b4012b8bad7ae693fcaaf4ce1fbe53d82a119a6f39b035ae5eb71a75438f1ecf

SHA512
bb124bdf1cada4528cb10920ba276a7c9b307e8e5a247dc92c53930d09452ef5fa1d96e4ab2e94498380dccbb88e8972c53a18003835d541f36dbc5fd9f64277

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe
Filesize
185KB

MD5
73128d61a0c856672854627f377cd9f7

SHA1
37f2763211c230274ae08f1c0b8b4c656c13c51d

SHA256
332e3acb8e9f9a237095848c94153160b9b1a44426c6c2bf0084e9de7e08335d

SHA512
7c44c0dcde380656ab754274618125ef56faa5ea4f33aabb0d27ec4bf35f3f15692d670dfa3e33c48b53d7dfbed2798aad7da9c13fe77948fa981f31d23d8f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe
Filesize
185KB

MD5
73128d61a0c856672854627f377cd9f7

SHA1
37f2763211c230274ae08f1c0b8b4c656c13c51d

SHA256
332e3acb8e9f9a237095848c94153160b9b1a44426c6c2bf0084e9de7e08335d

SHA512
7c44c0dcde380656ab754274618125ef56faa5ea4f33aabb0d27ec4bf35f3f15692d670dfa3e33c48b53d7dfbed2798aad7da9c13fe77948fa981f31d23d8f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe
Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe
Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
d997a93c96c04fccf6ebe280ab6b025b

SHA1
27627f774f7a30428e4a7be77a49f413fd16f740

SHA256
ebb76e46e178491fd48787e80ce952910124d6f1a00c92744a5f84278192030c

SHA512
abe758baa50d9929fd364ac68559b89b310db4e2805bef1e909e4f9ec0a3d941b9298cc1693b590265a92e6e21459abda1e5b90ec5816d37ab7a23d7711310b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
d997a93c96c04fccf6ebe280ab6b025b

SHA1
27627f774f7a30428e4a7be77a49f413fd16f740

SHA256
ebb76e46e178491fd48787e80ce952910124d6f1a00c92744a5f84278192030c

SHA512
abe758baa50d9929fd364ac68559b89b310db4e2805bef1e909e4f9ec0a3d941b9298cc1693b590265a92e6e21459abda1e5b90ec5816d37ab7a23d7711310b1

Download Submit
C:\Users\Admin\AppData\Local\temp\4_26\ojulmltrx.vbe
Filesize
56KB

MD5
16e38ea83da0c42e00bf40ac9ebe50bd

SHA1
76b93af0fba674698f0ea93bbff0e3c086c0b109

SHA256
c8a7ef3351c9161bd92123a88407654cf6ff2075158c3bd0eb41429ccf40ab20

SHA512
773f9434ce500113c5a99bc0c6e70b237e93bd464f5419e0fde8b03e5396cdefe67414dc42b8b732b83602d8f9362eb836e51ea52663d3a63dc8df7b04f99162

Download Submit
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
Filesize
237.3MB

MD5
4f7cbb897d729c4d3136fb73ab9a1e21

SHA1
cc7caadbd72ecbe70fee8911325bbb2d5bd4c005

SHA256
e72e97bdc371e58557687cc525aa36473e950a3dd71f83e59591f51f58488907

SHA512
1bb23a45d9c3c3e8d2c569528bd3ac723ebea7dc6508a9eb03f1b12fc5cdba6cbf0c0155219f163c89dba8533dfbd9bc5d8a3e20db483591516c9b6f113126bf

Download Submit
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
Filesize
239.9MB

MD5
45534589e2cad0b2ae5cbe6d808fc6a7

SHA1
f13efe6a4752dac10cfc29f085e2f0a76d082e78

SHA256
747e579e8654613feb94cdc24e7873232b3224b734225010b5544d9a9a7c1d91

SHA512
88df91c5b1297be644bc5ed24220183c5eab083fd202f383df656b48495dea51bf3a0b4188f6755c095983d81e1d3527d880c630bdd9c2df1f969ac0801f2b61

Download Submit
\Users\Admin\AppData\Local\Temp\4_26\gtolaje.exe
Filesize
925KB

MD5
4897990addbe336ab1dda8e97d159d34

SHA1
0914b338d061b85e55cd40dbec926ce0d47c9fd5

SHA256
a1556a7149f87c7b52f95ab2109a945c917a6876a50d1a3750594224649c0120

SHA512
14f6513fe1ec061e18a995de1516768fa76c3e6c988015deb298c451b188964d5ca88ff14409ac755f82604961b89619f47cfb9b1229192369182c9e34668946

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe
Filesize
185KB

MD5
73128d61a0c856672854627f377cd9f7

SHA1
37f2763211c230274ae08f1c0b8b4c656c13c51d

SHA256
332e3acb8e9f9a237095848c94153160b9b1a44426c6c2bf0084e9de7e08335d

SHA512
7c44c0dcde380656ab754274618125ef56faa5ea4f33aabb0d27ec4bf35f3f15692d670dfa3e33c48b53d7dfbed2798aad7da9c13fe77948fa981f31d23d8f39

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BC3E.tmp.exe
Filesize
185KB

MD5
73128d61a0c856672854627f377cd9f7

SHA1
37f2763211c230274ae08f1c0b8b4c656c13c51d

SHA256
332e3acb8e9f9a237095848c94153160b9b1a44426c6c2bf0084e9de7e08335d

SHA512
7c44c0dcde380656ab754274618125ef56faa5ea4f33aabb0d27ec4bf35f3f15692d670dfa3e33c48b53d7dfbed2798aad7da9c13fe77948fa981f31d23d8f39

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe
Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BD77.tmp.exe
Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
d997a93c96c04fccf6ebe280ab6b025b

SHA1
27627f774f7a30428e4a7be77a49f413fd16f740

SHA256
ebb76e46e178491fd48787e80ce952910124d6f1a00c92744a5f84278192030c

SHA512
abe758baa50d9929fd364ac68559b89b310db4e2805bef1e909e4f9ec0a3d941b9298cc1693b590265a92e6e21459abda1e5b90ec5816d37ab7a23d7711310b1

Download Submit
memory/268-119-0x0000000000000000-mapping.dmp

Download
memory/268-122-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/428-133-0x0000000000000000-mapping.dmp

Download
memory/864-95-0x0000000000000000-mapping.dmp

Download
memory/904-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-108-0x0000000000401190-mapping.dmp

Download
memory/904-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-128-0x0000000000000000-mapping.dmp

Download
memory/1208-125-0x00000000064E0000-0x0000000006686000-memory.dmp

Filesize
1.6MB

Download
memory/1208-136-0x0000000004F90000-0x00000000050CD000-memory.dmp

Filesize
1.2MB

Download
memory/1208-137-0x0000000004F90000-0x00000000050CD000-memory.dmp

Filesize
1.2MB

Download
memory/1348-92-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/1348-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1348-58-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-139-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/1348-54-0x000000002FBA1000-0x000000002FBA4000-memory.dmp

Filesize
12KB

Download
memory/1348-57-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/1348-55-0x00000000711D1000-0x00000000711D3000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1500-85-0x0000000000000000-mapping.dmp

Download
memory/1624-141-0x0000000000000000-mapping.dmp

Download
memory/1624-143-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/1672-124-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1672-123-0x00000000007A0000-0x0000000000AA3000-memory.dmp

Filesize
3.0MB

Download
memory/1672-115-0x0000000000000000-mapping.dmp

Download
memory/1868-126-0x0000000000000000-mapping.dmp

Download
memory/1868-135-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1868-134-0x0000000001E70000-0x0000000001F03000-memory.dmp

Filesize
588KB

Download
memory/1868-131-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1868-130-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1868-129-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download
memory/1888-132-0x0000000000000000-mapping.dmp

Download
memory/1904-89-0x0000000000000000-mapping.dmp

Download