systembc | hxxps://mainpagedir[.]xyz/invoice[.]xll

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
02-02-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mainpagedir.xyz/invoice.xll

Score

10^/10

systembc vidar discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1768-95-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1768-96-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1768-98-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar
behavioral1/memory/1768-99-0x0000000000400000-0x00000000004A9000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

sse.exeZBGKY1LECO59B8WT.exeZBGKY1LECO59B8WT.exe

pid process

1328 sse.exe
996 ZBGKY1LECO59B8WT.exe
1832 ZBGKY1LECO59B8WT.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ZBGKY1LECO59B8WT.exeZBGKY1LECO59B8WT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZBGKY1LECO59B8WT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZBGKY1LECO59B8WT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZBGKY1LECO59B8WT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZBGKY1LECO59B8WT.exe

Loads dropped DLL 12 IoCs

Processes:

EXCEL.EXERegAsm.exe

pid	process
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
1768	RegAsm.exe
1768	RegAsm.exe
1768	RegAsm.exe
1768	RegAsm.exe
1768	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ZBGKY1LECO59B8WT.exeZBGKY1LECO59B8WT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZBGKY1LECO59B8WT.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZBGKY1LECO59B8WT.exe

Drops file in System32 directory 2 IoCs

Processes:

ZBGKY1LECO59B8WT.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Debug	ZBGKY1LECO59B8WT.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{58C1303D-5AFA422D-9DA5029E-1552C40B}.Environment	ZBGKY1LECO59B8WT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ZBGKY1LECO59B8WT.exeZBGKY1LECO59B8WT.exe

pid process

996 ZBGKY1LECO59B8WT.exe
996 ZBGKY1LECO59B8WT.exe
1832 ZBGKY1LECO59B8WT.exe
1832 ZBGKY1LECO59B8WT.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sse.exe

description pid process target process

PID 1328 set thread context of 1768 1328 sse.exe RegAsm.exe

pid	process
996	ZBGKY1LECO59B8WT.exe
996	ZBGKY1LECO59B8WT.exe
1832	ZBGKY1LECO59B8WT.exe
1832	ZBGKY1LECO59B8WT.exe

description	pid	process	target process
PID 1328 set thread context of 1768	1328	sse.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

ZBGKY1LECO59B8WT.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	ZBGKY1LECO59B8WT.exe
File opened for modification	C:\Windows\Tasks\wow64.job	ZBGKY1LECO59B8WT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1504 timeout.exe

pid	process
1504	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1752 taskkill.exe

pid	process
1752	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7038dfc76818d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeEXCEL.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0E31C71-845B-11EC-A52F-56E7B8E0DA42} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350594019"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE

NTFS ADS 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File opened for modification	C:\ProgramData\ZBGKY1LECO59B8WT.exe:Zone.Identifier	RegAsm.exe
File created	C:\ProgramData\ZBGKY1LECO59B8WT.exe:Zone.Identifier	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

2020 EXCEL.EXE
1736 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

sse.exeRegAsm.exeZBGKY1LECO59B8WT.exeZBGKY1LECO59B8WT.exe

pid	process
1328	sse.exe
1328	sse.exe
1768	RegAsm.exe
1768	RegAsm.exe
1768	RegAsm.exe
1768	RegAsm.exe
996	ZBGKY1LECO59B8WT.exe
996	ZBGKY1LECO59B8WT.exe
1832	ZBGKY1LECO59B8WT.exe
1832	ZBGKY1LECO59B8WT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

EXCEL.EXEsse.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2020	EXCEL.EXE
Token: SeShutdownPrivilege	2020	EXCEL.EXE
Token: SeDebugPrivilege	1328	sse.exe
Token: SeDebugPrivilege	1752	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1324 iexplore.exe
1324 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

iexplore.exe

pid process

1324 iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEEXCEL.EXEEXCEL.EXE

pid	process
1324	iexplore.exe
1324	iexplore.exe
848	IEXPLORE.EXE
848	IEXPLORE.EXE
848	IEXPLORE.EXE
848	IEXPLORE.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
1736	EXCEL.EXE
1736	EXCEL.EXE
1736	EXCEL.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

iexplore.exeEXCEL.EXEsse.exeRegAsm.execmd.exetaskeng.exe

description	pid	process	target process
PID 1324 wrote to memory of 848	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 848	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 848	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 848	1324	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1328	2020	EXCEL.EXE	sse.exe
PID 2020 wrote to memory of 1328	2020	EXCEL.EXE	sse.exe
PID 2020 wrote to memory of 1328	2020	EXCEL.EXE	sse.exe
PID 2020 wrote to memory of 1328	2020	EXCEL.EXE	sse.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 864	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1328 wrote to memory of 1768	1328	sse.exe	RegAsm.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 996	1768	RegAsm.exe	ZBGKY1LECO59B8WT.exe
PID 1768 wrote to memory of 1732	1768	RegAsm.exe	cmd.exe
PID 1768 wrote to memory of 1732	1768	RegAsm.exe	cmd.exe
PID 1768 wrote to memory of 1732	1768	RegAsm.exe	cmd.exe
PID 1768 wrote to memory of 1732	1768	RegAsm.exe	cmd.exe
PID 1732 wrote to memory of 1752	1732	cmd.exe	taskkill.exe
PID 1732 wrote to memory of 1752	1732	cmd.exe	taskkill.exe
PID 1732 wrote to memory of 1752	1732	cmd.exe	taskkill.exe
PID 1732 wrote to memory of 1752	1732	cmd.exe	taskkill.exe
PID 1732 wrote to memory of 1504	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1504	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1504	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1504	1732	cmd.exe	timeout.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1052 wrote to memory of 1832	1052	taskeng.exe	ZBGKY1LECO59B8WT.exe
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE
PID 1324 wrote to memory of 1736	1324	iexplore.exe	EXCEL.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mainpagedir.xyz/invoice.xll
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:848

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
2⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\sse.exe
C:\Users\Admin\AppData\Local\Temp\sse.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\ProgramData\ZBGKY1LECO59B8WT.exe
"C:\ProgramData\ZBGKY1LECO59B8WT.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RegAsm.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del C:\ProgramData\*.dll & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RegAsm.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\system32\taskeng.exe
taskeng.exe {874E25D5-4361-473F-956B-B46A7F8B35E6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\ProgramData\ZBGKY1LECO59B8WT.exe
C:\ProgramData\ZBGKY1LECO59B8WT.exe start
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ZBGKY1LECO59B8WT.exe
MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\ZBGKY1LECO59B8WT.exe
MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\ZBGKY1LECO59B8WT.exe
MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5
b9e9bbf1f59d79ddcf9e5cba916104e6

SHA1
87007a3d6fd1e710ab7f02bd1d6f11015f2f02b7

SHA256
8a293d3ab277428ce95ecd4c05597a81338dfc1c22a167adc028df42196b9477

SHA512
ec320e92895fd2904d80fc8e524183377ce86e488b7e56ed65217f893f0f840d2c7bde99ecc47668924e78ea67b7bcf5a4c80f809c23a016a30638d1bd260136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81AE85DE38104DD9072C57D227D38AE3
MD5
eb8968acac55a69906a26c8ddc5197d7

SHA1
68d58c60ea18694dbc1e3762a063a08c7aef5c15

SHA256
fd8c9c0f9c5bf36308de3507e654ad6cc18bdb0b4fab52d55e00f354e0dca7e4

SHA512
236d0db5b75821528c3b29d5471291c0d90b3efd6218e3f445c557d70de048d62edcb8fe0562b588ea776cd1e8e1c0a80f7e21875760fbe97e76ee068f40f1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
785fba5418a4df5e682d7a4da4ef7103

SHA1
3afe4a04cd5a58d6b51221f5a3aa2b6ee6112d33

SHA256
87f5330cc843ef52a6175dbe88046fbe75f140800a1c934b676d05b9fef2fe66

SHA512
b712943187ee2a64371be31cef6fb4d39ace66d1c308a5f3ec73cfcd684ac78d9cd9a57e0d4294f88c51c9a32c9c23955b75d4939085b2f57939befa86e1ad96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5
7367e72a45da35573b1abadb927ebd7d

SHA1
8623c1f33be392b4df63bc2df17d820eb707c68b

SHA256
8b39a677b38342a35ed43e0efcc56f1f3522a815dafb30fcb67b6baf2f42ec8d

SHA512
9a6ecc906b6d7e664c0d0cdd891516dbbfd70e836115f8252403995011bb01a31f7ddc639032a63e3448b17bf231e317ff92100711f8078fdcefbb95f6270210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81AE85DE38104DD9072C57D227D38AE3
MD5
520daf3db64ddbdfbcfe4b9408683e78

SHA1
b04e4daf4ac7817b53a34ae76580eda8c8e48a6d

SHA256
dbc342a1935106d3d707a06b7d07529e08dee5c4ff4e6dad526af64565030ddb

SHA512
b649db97f4e3b661f32ed9966057ead750a8c2675383143c4654a4d03b86ff345349b8625c7a099e017c9aa327bd3aeb1a8bacec41173c6c154998f2d383c459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b881afdb05ccc7beaed226f9f1c35b42

SHA1
054a572c9e60697794ad791d11c583e35b7d36cf

SHA256
0fe66b01f5b4ff15a1614d9af6358137579eff206c4b5e489c8c1b7a48a97eb6

SHA512
a568bbe4273fe7c76dec4d503c48847c878b2973fb3a7dbd208a5192da0919e8999f2017e0d1f305259c5042a7bafd920a6ee24fc7a3dc35c5521379aa1edc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a34425d3da270b3e9d4f2e90f1723635

SHA1
544237bd5b299e796dc02ab49d480b424732cb76

SHA256
e35724f6f5d72f96bc184ec9efc6d5c9cf1ff33afa37d267c4d7add2497cb347

SHA512
8eb2a13ea4af1cb4ce633907ce9c408946e42ddfcb69d9bc320d62f594246b8ae25c18e0ba330e4874e43bdf4850516e9d00e31b21ba983364b3afc3ebc3e50b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
5667701092cc8452531e9c35bca840b0

SHA1
69b118d43101d043afbf8bfb179ff549334ebe6a

SHA256
9b6159128f21236cb439fc541cd74f72d7521447b3857fae2d2de1783997a984

SHA512
c2ce66e7be8b316879a3a83a569015533e0c9a5ffb77e1da10fda6183ac78088cfbe7815ac7287256fe50fa38055cdd9e6f127cb4212cafe960b4c3768fb1965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HPCEXVML.txt
MD5
d0b785233bfebbec7cb0252a56374f14

SHA1
63686c50710492c7d1dc2d00c104f2e17110f714

SHA256
1253669e4e11df8350dd402ec27749725e4ba64b53c8710621386b967d034a2f

SHA512
e313a4eec6970922f9215f209c586bb4d3ef2fc8f1551b856f335ec585ba147808941039f8f5fe5076c2ad306c37885006356464da527178ba62f384ee31d10f

Download Submit
C:\Users\Admin\Downloads\invoice.xll.x0kd99k.partial
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\ProgramData\ZBGKY1LECO59B8WT.exe
MD5
c28c72944827aecc6e64211f91d082cd

SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde

SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3

SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\invoice[1].xll
MD5
a04d8167d9f4313b9f1e6ba38900306c

SHA1
3f0c0c5555707a52247b91452c75692c1f30c8b6

SHA256
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

SHA512
e53147644d7e062eded21378e70538d4124fde41c72b228e6f3790f770a2e2f93daeac080884fc37eab6b74c8c7ab70684c20e915f4e599be5d6ec8233ddefbf

Download Submit
\Users\Admin\AppData\Local\Temp\sse.exe
MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
\Users\Admin\AppData\Local\Temp\sse.exe
MD5
32fb7d6020a0bd7fe6bebb32bc5cfc4a

SHA1
cdb274d6595f62ef9c568ff4c0164a2c88314e96

SHA256
b716444c44c6632438f963815dd31f180f9dca98baca76885f730e5b1b559b61

SHA512
02e1bf57e61bd0a2e4117bff95b60e05ea365b0eb00cd05de0e53f4cfc1bae90828183f846a6a2fecf1d09d07184236a48c8536a2203f2662c1dd03e8e2d5757

Download Submit
memory/996-121-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/996-109-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/996-122-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/996-120-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/996-119-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/996-118-0x0000000002050000-0x0000000002096000-memory.dmp

Filesize
280KB

Download
memory/996-117-0x00000000763C0000-0x000000007651C000-memory.dmp

Filesize
1.4MB

Download
memory/996-115-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/996-113-0x0000000076850000-0x00000000768FC000-memory.dmp

Filesize
688KB

Download
memory/996-112-0x0000000076980000-0x00000000769B5000-memory.dmp

Filesize
212KB

Download
memory/996-111-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1328-86-0x0000000000BA0000-0x0000000000BC8000-memory.dmp

Filesize
160KB

Download
memory/1328-88-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1328-90-0x0000000004395000-0x00000000043A6000-memory.dmp

Filesize
68KB

Download
memory/1328-91-0x0000000001FD0000-0x0000000001FEC000-memory.dmp

Filesize
112KB

Download
memory/1736-145-0x000000002F311000-0x000000002F314000-memory.dmp

Filesize
12KB

Download
memory/1736-146-0x000000006EBD1000-0x000000006EBD3000-memory.dmp

Filesize
8KB

Download
memory/1736-147-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1768-92-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-99-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-98-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-96-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-94-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-95-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1768-93-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1832-127-0x0000000076980000-0x00000000769B5000-memory.dmp

Filesize
212KB

Download
memory/1832-135-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1832-137-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1832-124-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1832-126-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1832-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1832-128-0x0000000076850000-0x00000000768FC000-memory.dmp

Filesize
688KB

Download
memory/1832-130-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/1832-133-0x00000000763C0000-0x000000007651C000-memory.dmp

Filesize
1.4MB

Download
memory/1832-132-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/2020-58-0x0000000002F60000-0x0000000002F62000-memory.dmp

Filesize
8KB

Download
memory/2020-54-0x000000002FD31000-0x000000002FD34000-memory.dmp

Filesize
12KB

Download
memory/2020-78-0x0000000007CD0000-0x000000000891A000-memory.dmp

Filesize
12.3MB

Download
memory/2020-77-0x0000000007CD0000-0x000000000891A000-memory.dmp

Filesize
12.3MB

Download
memory/2020-76-0x0000000005600000-0x000000000563C000-memory.dmp

Filesize
240KB

Download
memory/2020-75-0x0000000005330000-0x000000000534C000-memory.dmp

Filesize
112KB

Download
memory/2020-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-57-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-55-0x000000006EDE1000-0x000000006EDE3000-memory.dmp

Filesize
8KB

Download
memory/2020-79-0x0000000007CD0000-0x000000000891A000-memory.dmp

Filesize
12.3MB

Download
memory/2020-80-0x0000000007CD0000-0x000000000891A000-memory.dmp

Filesize
12.3MB

Download
memory/2020-81-0x00000000054A0000-0x00000000054AE000-memory.dmp

Filesize
56KB

Download