Analysis
max time kernel: 146s
max time network: 145s
platform: windows7_x64
resource: win7-en-20211208
submitted: 02-02-2022 18:10

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1 (Sample: https://mainpagedir.xyz/invoice.xll, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: https://mainpagedir.xyz/invoice.xll, Resource: win10v2004-en-20220113)
Signatures
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Vidar Stealer (4 IoCs)
  Memory dumps matching yara rule family_vidar:
  behavioral1/memory/1768-95-0x0000000000400000-0x00000000004A9000-memory.dmp
  behavioral1/memory/1768-96-0x0000000000400000-0x00000000004A9000-memory.dmp
  behavioral1/memory/1768-98-0x0000000000400000-0x00000000004A9000-memory.dmp
  behavioral1/memory/1768-99-0x0000000000400000-0x00000000004A9000-memory.dmp
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  PID 1328 sse.exe
  PID 996 ZBGKY1LECO59B8WT.exe
  PID 1832 ZBGKY1LECO59B8WT.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Loads dropped DLL (12 IoCs)
  PID 2020 EXCEL.EXE (7 events)
  PID 1768 RegAsm.exe (5 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  ZBGKY1LECO59B8WT.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops file in System32 directory (2 IoCs)
  ZBGKY1LECO59B8WT.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Debug
  ZBGKY1LECO59B8WT.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\.obs32\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Environment
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 996 ZBGKY1LECO59B8WT.exe (2 events)
  PID 1832 ZBGKY1LECO59B8WT.exe (2 events)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1328 sse.exe set thread context of PID 1768 RegAsm.exe
- Drops file in Windows directory (2 IoCs)
  ZBGKY1LECO59B8WT.exe: File created C:\Windows\Tasks\wow64.job
  ZBGKY1LECO59B8WT.exe: File opened for modification C:\Windows\Tasks\wow64.job
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  RegAsm.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  RegAsm.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Delays execution with timeout.exe (1 IoC)
  PID 1504 timeout.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
- Kills process with taskkill (1 IoC)
  PID 1752 taskkill.exe
- Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7038dfc76818d801
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter
- Modifies Internet Explorer settings
  Processes: iexplore.exe, EXCEL.EXE, IEXPLORE.EXE
- Modifies registry class (64 IoCs)
  Processes: EXCEL.EXE
- NTFS ADS (2 IoCs)
  RegAsm.exe: File opened for modification C:\ProgramData\ZBGKY1LECO59B8WT.exe:Zone.Identifier
  RegAsm.exe: File created C:\ProgramData\ZBGKY1LECO59B8WT.exe:Zone.Identifier
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2020 EXCEL.EXE
  PID 1736 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 1328 sse.exe (2 events)
  PID 1768 RegAsm.exe (4 events)
  PID 996 ZBGKY1LECO59B8WT.exe (2 events)
  PID 1832 ZBGKY1LECO59B8WT.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 2020 EXCEL.EXE: Token SeDebugPrivilege
  PID 2020 EXCEL.EXE: Token SeShutdownPrivilege
  PID 1328 sse.exe: Token SeDebugPrivilege
  PID 1752 taskkill.exe: Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1324 iexplore.exe (2 events)
- Suspicious use of SendNotifyMessage (1 IoC)
  PID 1324 iexplore.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  PID 1324 iexplore.exe (2 events)
  PID 848 IEXPLORE.EXE (4 events)
  PID 2020 EXCEL.EXE (8 events)
  PID 1736 EXCEL.EXE (3 events)
- Suspicious use of WriteProcessMemory (62 IoCs)
  PID 1324 iexplore.exe wrote to memory of PID 848 IEXPLORE.EXE (4 events)
  PID 2020 EXCEL.EXE wrote to memory of PID 1328 sse.exe (4 events)
  PID 1328 sse.exe wrote to memory of PID 864 RegAsm.exe (7 events)
  PID 1328 sse.exe wrote to memory of PID 1768 RegAsm.exe (12 events)
  PID 1768 RegAsm.exe wrote to memory of PID 996 ZBGKY1LECO59B8WT.exe (7 events)
  PID 1768 RegAsm.exe wrote to memory of PID 1732 cmd.exe (4 events)
  PID 1732 cmd.exe wrote to memory of PID 1752 taskkill.exe (4 events)
  PID 1732 cmd.exe wrote to memory of PID 1504 timeout.exe (4 events)
  PID 1052 taskeng.exe wrote to memory of PID 1832 ZBGKY1LECO59B8WT.exe (7 events)
  PID 1324 iexplore.exe wrote to memory of PID 1736 EXCEL.EXE (9 events)
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://mainpagedir.xyz/invoice.xll1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1324
-
Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
Tree depth: 2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 848
-
Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
Tree depth: 2
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1736
-
Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Tree depth: 1
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2020
-
Image: C:\Users\Admin\AppData\Local\Temp\sse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\sse.exe
Tree depth: 2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1328
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Tree depth: 3
PID: 864
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Tree depth: 3
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1768
-
Image: C:\ProgramData\ZBGKY1LECO59B8WT.exe
Command line: "C:\ProgramData\ZBGKY1LECO59B8WT.exe"
Tree depth: 4
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 996
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im RegAsm.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del C:\ProgramData\*.dll & exit
Tree depth: 4
- Suspicious use of WriteProcessMemory
PID: 1732
-
Image: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /im RegAsm.exe /f
Tree depth: 5
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1752
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 6
Tree depth: 5
- Delays execution with timeout.exe
PID: 1504
-
Image: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {874E25D5-4361-473F-956B-B46A7F8B35E6} S-1-5-18:NT AUTHORITY\System:Service:
Tree depth: 1
- Suspicious use of WriteProcessMemory
PID: 1052
-
Image: C:\ProgramData\ZBGKY1LECO59B8WT.exe
Command line: C:\ProgramData\ZBGKY1LECO59B8WT.exe start
Tree depth: 2
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1832
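The tree above reads as one chain: Excel (launched with -Embedding for the XLL) drops and runs sse.exe from %TEMP%; sse.exe, flagged for SetThreadContext and WriteProcessMemory, starts two argument-less RegAsm.exe instances; the second one writes the ProgramData payload and then spawns a cmd.exe that kills RegAsm.exe, waits six seconds, and deletes both RegAsm.exe and C:\ProgramData\*.dll; finally taskeng.exe, i.e. a scheduled task, relaunches the ProgramData binary with the argument "start". The rules below turn each link into a process-creation detection. This is an added example, not part of the sandbox report: the event records are constructed by hand from the report's own PIDs, images and command lines (parent PIDs are read off the tree depth; the root processes get ppid 0 because their parents are not in the report), the field names are not a real Sysmon or EDR schema, and the last record is an invented benign control showing RegAsm.exe used with an assembly argument.

```python
"""Process-lineage rules for the chain in the tree above:
Excel -> sse.exe in %TEMP% -> argument-less RegAsm.exe -> ProgramData payload,
plus the cmd.exe self-delete chain and the scheduled-task relaunch.

Added example, not part of the sandbox report. Records are constructed from
the report's process tree; field names are an assumption, not a real schema.
"""
import re
from collections import namedtuple
from typing import Dict, List

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# User-writable locations from which Office should not be launching binaries.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
# taskkill ... & timeout ... & del ...: the self-clean-up idiom on PID 1732.
SELF_DELETE = re.compile(r"\btaskkill\b.*&\s*timeout\b.*&\s*del\b", re.I)

EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PAYLOAD = r"C:\ProgramData\ZBGKY1LECO59B8WT.exe"

# Constructed from the report's tree. ppid 0 = parent not in the report.
EVENTS: List[Proc] = [
    Proc(2020, 0, EXCEL, f'"{EXCEL}" -Embedding'),
    Proc(1328, 2020, r"C:\Users\Admin\AppData\Local\Temp\sse.exe",
         r"C:\Users\Admin\AppData\Local\Temp\sse.exe"),
    Proc(864, 1328, REGASM, f'"{REGASM}"'),
    Proc(1768, 1328, REGASM, f'"{REGASM}"'),
    Proc(996, 1768, PAYLOAD, f'"{PAYLOAD}"'),
    Proc(1732, 1768, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im RegAsm.exe /f & timeout /t 6 & '
         r'del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del C:\ProgramData\*.dll & exit'),
    Proc(1752, 1732, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im RegAsm.exe /f"),
    Proc(1504, 1732, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 6"),
    Proc(1052, 0, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {874E25D5-4361-473F-956B-B46A7F8B35E6} S-1-5-18:NT AUTHORITY\System:Service:"),
    Proc(1832, 1052, PAYLOAD, f"{PAYLOAD} start"),
    # Invented benign control: RegAsm used as intended, with an assembly argument.
    Proc(4000, 3999, REGASM, f'"{REGASM}" C:\\build\\MyLib.dll /codebase'),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Everything after the executable token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(events: List[Proc]) -> List[Dict[str, object]]:
    """Run every rule over the events; one dict per (rule, process) hit."""
    by_pid = {e.pid: e for e in events}
    hits: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pbase = _base(parent.image) if parent else ""
        img = e.image.lower()
        if pbase in OFFICE and any(frag in img for frag in USER_WRITABLE):
            hits.append({"rule": "office_spawns_user_writable_exe", "pid": e.pid, "detail": e.image})
        # RegAsm.exe normally receives an assembly path; an argument-less launch is
        # the shape of an injection target, not of a developer registering a DLL.
        if _base(e.image) == "regasm.exe" and not _args_after_image(e.cmdline):
            hits.append({"rule": "regasm_without_assembly_argument", "pid": e.pid, "detail": e.cmdline})
        if _base(e.image) == "cmd.exe" and SELF_DELETE.search(e.cmdline):
            hits.append({"rule": "self_delete_chain", "pid": e.pid, "detail": e.cmdline})
        if pbase == "taskeng.exe" and "\\programdata\\" in img:
            hits.append({"rule": "scheduled_task_runs_programdata_binary", "pid": e.pid, "detail": e.cmdline})
    return hits


if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(f'{h["rule"]:40} pid={h["pid"]:<5} {h["detail"]}')
```

Run against the constructed records the rules fire on sse.exe (1328), both argument-less RegAsm.exe instances (864 and 1768), the cmd.exe clean-up (1732) and the taskeng.exe child (1832), and stay quiet on the RegAsm control. The argument-less RegAsm rule is the one to tune: in a build environment RegAsm is a normal tool, so pair it with the parent image (here a binary in %TEMP%) before paging anyone.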
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\ZBGKY1LECO59B8WT.exe
MD5: c28c72944827aecc6e64211f91d082cd
SHA1: 478e292f63cacdc9d43e095ce5ef7a3accb68cde
SHA256: 4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3
SHA512: d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7
-
C:\ProgramData\freebl3.dll
MD5: ef2834ac4ee7d6724f255beaf527e635
SHA1: 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512: c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\ProgramData\mozglue.dll
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\msvcp140.dll
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA1: ef7420141bb15ac334d3964082361a460bfdb975
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\ProgramData\nss3.dll
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\softokn3.dll
MD5: a2ee53de9167bf0d6c019303b7ca84e5
SHA1: 2a3c737fa1157e8483815e98b666408a18c0db42
SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA512: 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\ProgramData\vcruntime140.dll
MD5: 7587bf9cb4147022cd5681b015183046
SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5: b9e9bbf1f59d79ddcf9e5cba916104e6
SHA1: 87007a3d6fd1e710ab7f02bd1d6f11015f2f02b7
SHA256: 8a293d3ab277428ce95ecd4c05597a81338dfc1c22a167adc028df42196b9477
SHA512: ec320e92895fd2904d80fc8e524183377ce86e488b7e56ed65217f893f0f840d2c7bde99ecc47668924e78ea67b7bcf5a4c80f809c23a016a30638d1bd260136
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81AE85DE38104DD9072C57D227D38AE3
MD5: eb8968acac55a69906a26c8ddc5197d7
SHA1: 68d58c60ea18694dbc1e3762a063a08c7aef5c15
SHA256: fd8c9c0f9c5bf36308de3507e654ad6cc18bdb0b4fab52d55e00f354e0dca7e4
SHA512: 236d0db5b75821528c3b29d5471291c0d90b3efd6218e3f445c557d70de048d62edcb8fe0562b588ea776cd1e8e1c0a80f7e21875760fbe97e76ee068f40f1d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: 785fba5418a4df5e682d7a4da4ef7103
SHA1: 3afe4a04cd5a58d6b51221f5a3aa2b6ee6112d33
SHA256: 87f5330cc843ef52a6175dbe88046fbe75f140800a1c934b676d05b9fef2fe66
SHA512: b712943187ee2a64371be31cef6fb4d39ace66d1c308a5f3ec73cfcd684ac78d9cd9a57e0d4294f88c51c9a32c9c23955b75d4939085b2f57939befa86e1ad96
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5: 7367e72a45da35573b1abadb927ebd7d
SHA1: 8623c1f33be392b4df63bc2df17d820eb707c68b
SHA256: 8b39a677b38342a35ed43e0efcc56f1f3522a815dafb30fcb67b6baf2f42ec8d
SHA512: 9a6ecc906b6d7e664c0d0cdd891516dbbfd70e836115f8252403995011bb01a31f7ddc639032a63e3448b17bf231e317ff92100711f8078fdcefbb95f6270210
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81AE85DE38104DD9072C57D227D38AE3
MD5: 520daf3db64ddbdfbcfe4b9408683e78
SHA1: b04e4daf4ac7817b53a34ae76580eda8c8e48a6d
SHA256: dbc342a1935106d3d707a06b7d07529e08dee5c4ff4e6dad526af64565030ddb
SHA512: b649db97f4e3b661f32ed9966057ead750a8c2675383143c4654a4d03b86ff345349b8625c7a099e017c9aa327bd3aeb1a8bacec41173c6c154998f2d383c459
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: b881afdb05ccc7beaed226f9f1c35b42
SHA1: 054a572c9e60697794ad791d11c583e35b7d36cf
SHA256: 0fe66b01f5b4ff15a1614d9af6358137579eff206c4b5e489c8c1b7a48a97eb6
SHA512: a568bbe4273fe7c76dec4d503c48847c878b2973fb3a7dbd208a5192da0919e8999f2017e0d1f305259c5042a7bafd920a6ee24fc7a3dc35c5521379aa1edc91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: a34425d3da270b3e9d4f2e90f1723635
SHA1: 544237bd5b299e796dc02ab49d480b424732cb76
SHA256: e35724f6f5d72f96bc184ec9efc6d5c9cf1ff33afa37d267c4d7add2497cb347
SHA512: 8eb2a13ea4af1cb4ce633907ce9c408946e42ddfcb69d9bc320d62f594246b8ae25c18e0ba330e4874e43bdf4850516e9d00e31b21ba983364b3afc3ebc3e50b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5: 5667701092cc8452531e9c35bca840b0
SHA1: 69b118d43101d043afbf8bfb179ff549334ebe6a
SHA256: 9b6159128f21236cb439fc541cd74f72d7521447b3857fae2d2de1783997a984
SHA512: c2ce66e7be8b316879a3a83a569015533e0c9a5ffb77e1da10fda6183ac78088cfbe7815ac7287256fe50fa38055cdd9e6f127cb4212cafe960b4c3768fb1965
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5: a04d8167d9f4313b9f1e6ba38900306c
SHA1: 3f0c0c5555707a52247b91452c75692c1f30c8b6
SHA256: fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA512: e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf
-
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5: 32fb7d6020a0bd7fe6bebb32bc5cfc4a
SHA1: cdb274d6595f62ef9c568ff4c0164a2c88314e96
SHA256: b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61
SHA512: 02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HPCEXVML.txt
MD5: d0b785233bfebbec7cb0252a56374f14
SHA1: 63686c50710492c7d1dc2d00c104f2e17110f714
SHA256: 1253669e4e11df8350dd402ec27749725e4ba64b53c8710621386b967d034a2f
SHA512: e313a4eec6970922f9215f209c586bb4d3ef2fc8f1551b856f335ec585ba147808941039f8f5fe5076c2ad306c37885006356464da527178ba62f384ee31d10f
-
C:\Users\Admin\Downloads\invoice.xll.x0kd99k.partial
MD5: a04d8167d9f4313b9f1e6ba38900306c
SHA1: 3f0c0c5555707a52247b91452c75692c1f30c8b6
SHA256: fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA512: e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf
-
\ProgramData\ZBGKY1LECO59B8WT.exe
MD5: c28c72944827aecc6e64211f91d082cd
SHA1: 478e292f63cacdc9d43e095ce5ef7a3accb68cde
SHA256: 4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3
SHA512: d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7
-
\ProgramData\mozglue.dll
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\msvcp140.dll
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA1: ef7420141bb15ac334d3964082361a460bfdb975
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\ProgramData\nss3.dll
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\vcruntime140.dll
MD5: 7587bf9cb4147022cd5681b015183046
SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5: a04d8167d9f4313b9f1e6ba38900306c
SHA1: 3f0c0c5555707a52247b91452c75692c1f30c8b6
SHA256: fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA512: e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf
-
\Users\Admin\AppData\Local\Temp\sse.exe
MD5: 32fb7d6020a0bd7fe6bebb32bc5cfc4a
SHA1: cdb274d6595f62ef9c568ff4c0164a2c88314e96
SHA256: b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61
SHA512: 02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757
-
memory/996-121-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/996-109-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/996-122-0x0000000000401000-0x0000000000404000-memory.dmp
Filesize: 12KB
-
memory/996-120-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/996-119-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/996-118-0x0000000002050000-0x0000000002096000-memory.dmp
Filesize: 280KB
-
memory/996-117-0x00000000763C0000-0x000000007651C000-memory.dmp
Filesize: 1.4MB
-
memory/996-115-0x00000000769C0000-0x0000000076A07000-memory.dmp
Filesize: 284KB
-
memory/996-113-0x0000000076850000-0x00000000768FC000-memory.dmp
Filesize: 688KB
-
memory/996-112-0x0000000076980000-0x00000000769B5000-memory.dmp
Filesize: 212KB
-
memory/996-111-0x00000000003C0000-0x00000000003C1000-memory.dmp
Filesize: 4KB
-
memory/1328-86-0x0000000000BA0000-0x0000000000BC8000-memory.dmp
Filesize: 160KB
-
memory/1328-88-0x0000000004390000-0x0000000004391000-memory.dmp
Filesize: 4KB
-
memory/1328-90-0x0000000004395000-0x00000000043A6000-memory.dmp
Filesize: 68KB
-
memory/1328-91-0x0000000001FD0000-0x0000000001FEC000-memory.dmp
Filesize: 112KB
-
memory/1736-145-0x000000002F311000-0x000000002F314000-memory.dmp
Filesize: 12KB
-
memory/1736-146-0x000000006EBD1000-0x000000006EBD3000-memory.dmp
Filesize: 8KB
-
memory/1736-147-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/1768-92-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-99-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-98-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-96-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-94-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-95-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1768-93-0x0000000000400000-0x00000000004A9000-memory.dmp
Filesize: 676KB
-
memory/1832-127-0x0000000076980000-0x00000000769B5000-memory.dmp
Filesize: 212KB
-
memory/1832-135-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/1832-137-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/1832-124-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/1832-126-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize: 4KB
-
memory/1832-134-0x0000000000400000-0x0000000000803000-memory.dmp
Filesize: 4.0MB
-
memory/1832-128-0x0000000076850000-0x00000000768FC000-memory.dmp
Filesize: 688KB
-
memory/1832-130-0x00000000769C0000-0x0000000076A07000-memory.dmp
Filesize: 284KB
-
memory/1832-133-0x00000000763C0000-0x000000007651C000-memory.dmp
Filesize: 1.4MB
-
memory/1832-132-0x0000000000260000-0x00000000002A6000-memory.dmp
Filesize: 280KB
-
memory/2020-58-0x0000000002F60000-0x0000000002F62000-memory.dmp
Filesize: 8KB
-
memory/2020-54-0x000000002FD31000-0x000000002FD34000-memory.dmp
Filesize: 12KB
-
memory/2020-78-0x0000000007CD0000-0x000000000891A000-memory.dmp
Filesize: 12.3MB
-
memory/2020-77-0x0000000007CD0000-0x000000000891A000-memory.dmp
Filesize: 12.3MB
-
memory/2020-76-0x0000000005600000-0x000000000563C000-memory.dmp
Filesize: 240KB
-
memory/2020-75-0x0000000005330000-0x000000000534C000-memory.dmp
Filesize: 112KB
-
memory/2020-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2020-57-0x00000000756C1000-0x00000000756C3000-memory.dmp
Filesize: 8KB
-
memory/2020-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2020-55-0x000000006EDE1000-0x000000006EDE3000-memory.dmp
Filesize: 8KB
-
memory/2020-79-0x0000000007CD0000-0x000000000891A000-memory.dmp
Filesize: 12.3MB
-
memory/2020-80-0x0000000007CD0000-0x000000000891A000-memory.dmp
Filesize: 12.3MB
-
memory/2020-81-0x00000000054A0000-0x00000000054AE000-memory.dmp
Filesize: 56KB
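The Downloads list above carries two kinds of artefact worth separating in triage. invoice.xll, sse.exe and ZBGKY1LECO59B8WT.exe are attacker-controlled and their hashes are usable indicators. freebl3.dll, mozglue.dll, nss3.dll and softokn3.dll are the stock Mozilla NSS libraries (msvcp140.dll and vcruntime140.dll the VC++ runtime they depend on); Vidar-family stealers fetch them to decrypt the saved logins in Firefox profiles, so their hashes would match every clean Firefox install, and the useful signal is the location: four NSS libraries written into C:\ProgramData by something that is not Firefox. The script below applies both checks. It is an added example, not part of the sandbox report: the SHA256 values are copied from the list above, the file-write events are constructed (attributing the writes to PID 1768, the RegAsm.exe instance the tree marks as loading the dropped DLLs, is an assumption), the Firefox updater events are an invented benign control, and the field names are not a real EDR schema.

```python
"""Triage of the dropped-file set from the Downloads list: known-hash matching
and the Firefox-NSS-library drop pattern used by Vidar-family stealers.

Added example, not part of the sandbox report. SHA256 values come from the
report; the file-write events are constructed and the schema is assumed.
"""
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Tuple

FileWrite = namedtuple("FileWrite", "pid image path sha256")

# Attacker-controlled artefacts from the report. The NSS and VC++ runtime
# DLLs are deliberately absent: they are legitimate Mozilla/Microsoft
# binaries and would match clean Firefox installs.
IOC_SHA256: Dict[str, str] = {
    "fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882": "invoice.xll (delivered add-in)",
    "b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61": "sse.exe (dropped by Excel)",
    "4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3": "ZBGKY1LECO59B8WT.exe (ProgramData payload)",
}

# Mozilla NSS libraries that stealers fetch to decrypt Firefox's saved logins.
NSS_LIBS = {"nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll"}
# Directory fragments under which these libraries are expected to exist.
LEGIT_NSS_DIRS = ("\\program files\\mozilla firefox\\",
                  "\\program files (x86)\\mozilla firefox\\")
NSS_THRESHOLD = 3  # distinct NSS libs in one directory before alerting

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX_UPDATER = r"C:\Program Files\Mozilla Firefox\updater.exe"  # invented control

# Constructed events. Attributing the ProgramData writes to PID 1768 is an
# assumption; the updater events are an invented benign control.
EVENTS: List[FileWrite] = [
    FileWrite(1768, REGASM, r"C:\ProgramData\nss3.dll",
              "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78"),
    FileWrite(1768, REGASM, r"C:\ProgramData\freebl3.dll",
              "a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba"),
    FileWrite(1768, REGASM, r"C:\ProgramData\softokn3.dll",
              "43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083"),
    FileWrite(1768, REGASM, r"C:\ProgramData\mozglue.dll",
              "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd"),
    FileWrite(1768, REGASM, r"C:\ProgramData\msvcp140.dll",
              "334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4"),
    FileWrite(1768, REGASM, r"C:\ProgramData\vcruntime140.dll",
              "c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d"),
    FileWrite(1768, REGASM, r"C:\ProgramData\ZBGKY1LECO59B8WT.exe",
              "4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3"),
    FileWrite(5000, FIREFOX_UPDATER, r"C:\Program Files\Mozilla Firefox\nss3.dll", None),
    FileWrite(5000, FIREFOX_UPDATER, r"C:\Program Files\Mozilla Firefox\freebl3.dll", None),
    FileWrite(5000, FIREFOX_UPDATER, r"C:\Program Files\Mozilla Firefox\softokn3.dll", None),
    FileWrite(5000, FIREFOX_UPDATER, r"C:\Program Files\Mozilla Firefox\mozglue.dll", None),
]


def _split(path: str) -> Tuple[str, str]:
    """Lower-cased (directory with trailing backslash, file name)."""
    d, _, name = path.lower().rpartition("\\")
    return d + "\\", name


def hash_hits(events: List[FileWrite]) -> List[Tuple[str, str]]:
    """Files whose SHA256 matches a known attacker artefact."""
    return [(e.path, IOC_SHA256[e.sha256]) for e in events if e.sha256 in IOC_SHA256]


def nss_drop_hits(events: List[FileWrite], threshold: int = NSS_THRESHOLD) -> List[Tuple[int, str, List[str]]]:
    """(pid, directory, libs) for each process that writes at least `threshold`
    distinct NSS libraries into a directory that is not a Firefox install."""
    seen = defaultdict(set)
    for e in events:
        directory, name = _split(e.path)
        if name in NSS_LIBS and not any(frag in directory for frag in LEGIT_NSS_DIRS):
            seen[(e.pid, directory)].add(name)
    return [(pid, d, sorted(libs)) for (pid, d), libs in seen.items() if len(libs) >= threshold]


if __name__ == "__main__":
    for path, label in hash_hits(EVENTS):
        print("IOC hash match:", path, "->", label)
    for pid, directory, libs in nss_drop_hits(EVENTS):
        print("NSS drop set: pid", pid, "wrote", ", ".join(libs), "into", directory)
```

On the constructed events the hash check matches only the ProgramData payload, and the drop-set rule fires once, for PID 1768 writing all four NSS libraries into C:\ProgramData, while the Firefox updater control is ignored because its target directory is an install location. Note also that the cmd.exe in the process tree deletes C:\ProgramData\*.dll six seconds after the kill, so on a real host the DLLs may be gone by the time anyone looks; the file-create telemetry, not the disk, is where this pattern survives.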