systembc | fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

Analysis

max time kernel
135s
max time network
140s
platform
windows7_x64
resource
win7-en-20211208
submitted
02-02-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04d8167d9f4313b9f1e6ba38900306c.xll
Size

646KB
MD5

a04d8167d9f4313b9f1e6ba38900306c
SHA1

3f0c0c5555707a52247b91452c75692c1f30c8b6
SHA256

fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA512

e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Score

10^/10

systembc vidar discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1828-81-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1828-82-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1828-84-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1828-85-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

sse.exeXSY3T53DQKGGHKN9.exeXSY3T53DQKGGHKN9.exe

pid process

580 sse.exe
1156 XSY3T53DQKGGHKN9.exe
1840 XSY3T53DQKGGHKN9.exe

pid	process
580	sse.exe
1156	XSY3T53DQKGGHKN9.exe
1840	XSY3T53DQKGGHKN9.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XSY3T53DQKGGHKN9.exeXSY3T53DQKGGHKN9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XSY3T53DQKGGHKN9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XSY3T53DQKGGHKN9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XSY3T53DQKGGHKN9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XSY3T53DQKGGHKN9.exe

Loads dropped DLL 9 IoCs

Processes:

EXCEL.EXERegAsm.exe

pid process

1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE
1828 RegAsm.exe
1828 RegAsm.exe
1828 RegAsm.exe
1828 RegAsm.exe
1828 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE
1828	RegAsm.exe
1828	RegAsm.exe
1828	RegAsm.exe
1828	RegAsm.exe
1828	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

XSY3T53DQKGGHKN9.exeXSY3T53DQKGGHKN9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XSY3T53DQKGGHKN9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XSY3T53DQKGGHKN9.exe

Drops file in System32 directory 2 IoCs

Processes:

XSY3T53DQKGGHKN9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Debug	XSY3T53DQKGGHKN9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Environment	XSY3T53DQKGGHKN9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

XSY3T53DQKGGHKN9.exeXSY3T53DQKGGHKN9.exe

pid process

1156 XSY3T53DQKGGHKN9.exe
1156 XSY3T53DQKGGHKN9.exe
1840 XSY3T53DQKGGHKN9.exe
1840 XSY3T53DQKGGHKN9.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sse.exe

description pid process target process

PID 580 set thread context of 1828 580 sse.exe RegAsm.exe

pid	process
1156	XSY3T53DQKGGHKN9.exe
1156	XSY3T53DQKGGHKN9.exe
1840	XSY3T53DQKGGHKN9.exe
1840	XSY3T53DQKGGHKN9.exe

description	pid	process	target process
PID 580 set thread context of 1828	580	sse.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

XSY3T53DQKGGHKN9.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	XSY3T53DQKGGHKN9.exe
File opened for modification	C:\Windows\Tasks\wow64.job	XSY3T53DQKGGHKN9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1684 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1276 taskkill.exe

pid	process
1684	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1276	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE

NTFS ADS 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\ProgramData\XSY3T53DQKGGHKN9.exe:Zone.Identifier	RegAsm.exe
File opened for modification	C:\ProgramData\XSY3T53DQKGGHKN9.exe:Zone.Identifier	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1652 EXCEL.EXE

pid	process
1652	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

RegAsm.exeXSY3T53DQKGGHKN9.exeXSY3T53DQKGGHKN9.exe

pid	process
1828	RegAsm.exe
1828	RegAsm.exe
1828	RegAsm.exe
1828	RegAsm.exe
1156	XSY3T53DQKGGHKN9.exe
1156	XSY3T53DQKGGHKN9.exe
1840	XSY3T53DQKGGHKN9.exe
1840	XSY3T53DQKGGHKN9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXEsse.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1652 EXCEL.EXE
Token: SeDebugPrivilege 580 sse.exe
Token: SeDebugPrivilege 1276 taskkill.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1652 EXCEL.EXE
1652 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1652 EXCEL.EXE
1652 EXCEL.EXE
1652 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1652	EXCEL.EXE
Token: SeDebugPrivilege	580	sse.exe
Token: SeDebugPrivilege	1276	taskkill.exe

pid	process
1652	EXCEL.EXE
1652	EXCEL.EXE

pid	process
1652	EXCEL.EXE
1652	EXCEL.EXE
1652	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

EXCEL.EXEsse.exeRegAsm.execmd.exetaskeng.exe

description	pid	process	target process
PID 1652 wrote to memory of 580	1652	EXCEL.EXE	sse.exe
PID 1652 wrote to memory of 580	1652	EXCEL.EXE	sse.exe
PID 1652 wrote to memory of 580	1652	EXCEL.EXE	sse.exe
PID 1652 wrote to memory of 580	1652	EXCEL.EXE	sse.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 580 wrote to memory of 1828	580	sse.exe	RegAsm.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1156	1828	RegAsm.exe	XSY3T53DQKGGHKN9.exe
PID 1828 wrote to memory of 1696	1828	RegAsm.exe	cmd.exe
PID 1828 wrote to memory of 1696	1828	RegAsm.exe	cmd.exe
PID 1828 wrote to memory of 1696	1828	RegAsm.exe	cmd.exe
PID 1828 wrote to memory of 1696	1828	RegAsm.exe	cmd.exe
PID 1696 wrote to memory of 1276	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1276	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1276	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1276	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	timeout.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	timeout.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	timeout.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe
PID 1948 wrote to memory of 1840	1948	taskeng.exe	XSY3T53DQKGGHKN9.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a04d8167d9f4313b9f1e6ba38900306c.xll
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\sse.exe
  C:\Users\Admin\AppData\Local\Temp\sse.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\ProgramData\XSY3T53DQKGGHKN9.exe
      "C:\ProgramData\XSY3T53DQKGGHKN9.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im RegAsm.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RegAsm.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {4E77BDA4-FE9B-46BD-A272-6A1792560907} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\ProgramData\XSY3T53DQKGGHKN9.exe
  C:\ProgramData\XSY3T53DQKGGHKN9.exe start
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XSY3T53DQKGGHKN9.exe

MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\XSY3T53DQKGGHKN9.exe

MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\XSY3T53DQKGGHKN9.exe

MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\freebl3.dll

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe

MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe

MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
\ProgramData\XSY3T53DQKGGHKN9.exe

MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\a04d8167d9f4313b9f1e6ba38900306c.xll

MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Temp\a04d8167d9f4313b9f1e6ba38900306c.xll

MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Temp\sse.exe

MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
\Users\Admin\AppData\Local\Temp\sse.exe

MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
memory/580-73-0x0000000000040000-0x0000000000068000-memory.dmp

Filesize
160KB

Download
memory/580-75-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/580-76-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

Filesize
68KB

Download
memory/580-77-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/1156-106-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1156-107-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1156-95-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1156-105-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1156-104-0x0000000000810000-0x0000000000856000-memory.dmp

Filesize
280KB

Download
memory/1156-103-0x0000000076250000-0x00000000763AC000-memory.dmp

Filesize
1.4MB

Download
memory/1156-101-0x0000000076DA0000-0x0000000076DE7000-memory.dmp

Filesize
284KB

Download
memory/1156-108-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1156-99-0x0000000076580000-0x000000007662C000-memory.dmp

Filesize
688KB

Download
memory/1156-98-0x00000000766C0000-0x00000000766F5000-memory.dmp

Filesize
212KB

Download
memory/1156-97-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1652-53-0x000000002FE21000-0x000000002FE24000-memory.dmp

Filesize
12KB

Download
memory/1652-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-67-0x00000000053F5000-0x00000000053F7000-memory.dmp

Filesize
8KB

Download
memory/1652-68-0x00000000053FB000-0x000000000540C000-memory.dmp

Filesize
68KB

Download
memory/1652-65-0x00000000053F3000-0x00000000053F4000-memory.dmp

Filesize
4KB

Download
memory/1652-64-0x00000000053F1000-0x00000000053F2000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1652-60-0x0000000003850000-0x000000000386C000-memory.dmp

Filesize
112KB

Download
memory/1652-59-0x000000006D121000-0x000000006D123000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-54-0x00000000718D1000-0x00000000718D3000-memory.dmp

Filesize
8KB

Download
memory/1652-61-0x00000000045A0000-0x00000000045DC000-memory.dmp

Filesize
240KB

Download
memory/1652-66-0x00000000053F4000-0x00000000053F5000-memory.dmp

Filesize
4KB

Download
memory/1652-62-0x0000000004910000-0x000000000491E000-memory.dmp

Filesize
56KB

Download
memory/1828-78-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-79-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-80-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-81-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-84-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1828-85-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1840-110-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1840-121-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1840-122-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1840-120-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1840-119-0x0000000000DA0000-0x0000000000DE6000-memory.dmp

Filesize
280KB

Download
memory/1840-118-0x0000000076250000-0x00000000763AC000-memory.dmp

Filesize
1.4MB

Download
memory/1840-116-0x0000000076DA0000-0x0000000076DE7000-memory.dmp

Filesize
284KB

Download
memory/1840-114-0x0000000076580000-0x000000007662C000-memory.dmp

Filesize
688KB

Download
memory/1840-113-0x00000000766C0000-0x00000000766F5000-memory.dmp

Filesize
212KB

Download
memory/1840-112-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download