darkcomet | ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Size

3.8MB
MD5

57f9d1882f4bf9a35c66a3c7e541a174
SHA1

6c26537c0b251371c9e888f157f24017a00057eb
SHA256

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
SHA512

e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f

Score

10^/10

darkcomet 2020nov1 2020nov11 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

2020NOV11

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-C010SK7

Attributes

gencode
cFXCTt13CuYM
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

2020NOV1

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svthost.exeyuW5b7N21WCqOnJT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe"	svthost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\hINoh1usVUOKfH8Z\\GFsU8x34z2A2.exe\",explorer.exe"	yuW5b7N21WCqOnJT.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

Processes:

printserv.exesvthost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	printserv.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svthost.exe

Executes dropped EXE 11 IoCs

Processes:

Thz6y65w80qLYvfN.exeolvhWZJ2IzOyDIQz.exeNYmjjeMc5K0gWjJL.exeU8UmBnUmjzG38e62.exeyuW5b7N21WCqOnJT.exefmEz1XArATxqw5DG.exeprintserv.exeprintserv.exesvthost.exesvwhost.exeexcelsl.exe

pid	process
2208	Thz6y65w80qLYvfN.exe
2308	olvhWZJ2IzOyDIQz.exe
4928	NYmjjeMc5K0gWjJL.exe
3776	U8UmBnUmjzG38e62.exe
3740	yuW5b7N21WCqOnJT.exe
3124	fmEz1XArATxqw5DG.exe
3680	printserv.exe
868	printserv.exe
4468	svthost.exe
2784	svwhost.exe
3536	excelsl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exesvthost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	svthost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svthost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svthost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fmEz1XArATxqw5DG.exeyuW5b7N21WCqOnJT.exe

description	pid	process	target process
PID 3124 set thread context of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3740 set thread context of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe

Drops file in Windows directory 4 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

description	ioc	process
File created	C:\Windows\svwhost.exe	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
File opened for modification	C:\Windows\assembly	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
File created	C:\Windows\assembly\Desktop.ini	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3040 3536 WerFault.exe excelsl.exe

pid	pid_target	process	target process
3040	3536	WerFault.exe	excelsl.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

880 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3688 timeout.exe

pid	process
880	schtasks.exe

pid	process
3688	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exesvthost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svthost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fmEz1XArATxqw5DG.exeab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

pid	process
3124	fmEz1XArATxqw5DG.exe
3124	fmEz1XArATxqw5DG.exe
3124	fmEz1XArATxqw5DG.exe
3124	fmEz1XArATxqw5DG.exe
3124	fmEz1XArATxqw5DG.exe
3124	fmEz1XArATxqw5DG.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exeThz6y65w80qLYvfN.exeNYmjjeMc5K0gWjJL.exeU8UmBnUmjzG38e62.exeyuW5b7N21WCqOnJT.exefmEz1XArATxqw5DG.exeolvhWZJ2IzOyDIQz.exeprintserv.exesvthost.exe

description	pid	process
Token: SeDebugPrivilege	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: 33	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeIncBasePriorityPrivilege	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeDebugPrivilege	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeDebugPrivilege	2208	Thz6y65w80qLYvfN.exe
Token: 33	2208	Thz6y65w80qLYvfN.exe
Token: SeIncBasePriorityPrivilege	2208	Thz6y65w80qLYvfN.exe
Token: SeDebugPrivilege	4928	NYmjjeMc5K0gWjJL.exe
Token: 33	4928	NYmjjeMc5K0gWjJL.exe
Token: SeIncBasePriorityPrivilege	4928	NYmjjeMc5K0gWjJL.exe
Token: SeDebugPrivilege	3776	U8UmBnUmjzG38e62.exe
Token: 33	3776	U8UmBnUmjzG38e62.exe
Token: SeIncBasePriorityPrivilege	3776	U8UmBnUmjzG38e62.exe
Token: SeDebugPrivilege	3740	yuW5b7N21WCqOnJT.exe
Token: 33	3740	yuW5b7N21WCqOnJT.exe
Token: SeIncBasePriorityPrivilege	3740	yuW5b7N21WCqOnJT.exe
Token: SeDebugPrivilege	3124	fmEz1XArATxqw5DG.exe
Token: 33	3124	fmEz1XArATxqw5DG.exe
Token: SeIncBasePriorityPrivilege	3124	fmEz1XArATxqw5DG.exe
Token: SeDebugPrivilege	3124	fmEz1XArATxqw5DG.exe
Token: SeDebugPrivilege	2308	olvhWZJ2IzOyDIQz.exe
Token: 33	2308	olvhWZJ2IzOyDIQz.exe
Token: SeIncBasePriorityPrivilege	2308	olvhWZJ2IzOyDIQz.exe
Token: SeDebugPrivilege	3740	yuW5b7N21WCqOnJT.exe
Token: SeIncreaseQuotaPrivilege	868	printserv.exe
Token: SeSecurityPrivilege	868	printserv.exe
Token: SeTakeOwnershipPrivilege	868	printserv.exe
Token: SeLoadDriverPrivilege	868	printserv.exe
Token: SeSystemProfilePrivilege	868	printserv.exe
Token: SeSystemtimePrivilege	868	printserv.exe
Token: SeProfSingleProcessPrivilege	868	printserv.exe
Token: SeIncBasePriorityPrivilege	868	printserv.exe
Token: SeCreatePagefilePrivilege	868	printserv.exe
Token: SeBackupPrivilege	868	printserv.exe
Token: SeRestorePrivilege	868	printserv.exe
Token: SeShutdownPrivilege	868	printserv.exe
Token: SeDebugPrivilege	868	printserv.exe
Token: SeSystemEnvironmentPrivilege	868	printserv.exe
Token: SeChangeNotifyPrivilege	868	printserv.exe
Token: SeRemoteShutdownPrivilege	868	printserv.exe
Token: SeUndockPrivilege	868	printserv.exe
Token: SeManageVolumePrivilege	868	printserv.exe
Token: SeImpersonatePrivilege	868	printserv.exe
Token: SeCreateGlobalPrivilege	868	printserv.exe
Token: 33	868	printserv.exe
Token: 34	868	printserv.exe
Token: 35	868	printserv.exe
Token: 36	868	printserv.exe
Token: SeIncreaseQuotaPrivilege	4468	svthost.exe
Token: SeSecurityPrivilege	4468	svthost.exe
Token: SeTakeOwnershipPrivilege	4468	svthost.exe
Token: SeLoadDriverPrivilege	4468	svthost.exe
Token: SeSystemProfilePrivilege	4468	svthost.exe
Token: SeSystemtimePrivilege	4468	svthost.exe
Token: SeProfSingleProcessPrivilege	4468	svthost.exe
Token: SeIncBasePriorityPrivilege	4468	svthost.exe
Token: SeCreatePagefilePrivilege	4468	svthost.exe
Token: SeBackupPrivilege	4468	svthost.exe
Token: SeRestorePrivilege	4468	svthost.exe
Token: SeShutdownPrivilege	4468	svthost.exe
Token: SeDebugPrivilege	4468	svthost.exe
Token: SeSystemEnvironmentPrivilege	4468	svthost.exe
Token: SeChangeNotifyPrivilege	4468	svthost.exe
Token: SeRemoteShutdownPrivilege	4468	svthost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

printserv.exeAcroRd32.exe

pid process

868 printserv.exe
4124 AcroRd32.exe
4124 AcroRd32.exe
4124 AcroRd32.exe
4124 AcroRd32.exe

pid	process
868	printserv.exe
4124	AcroRd32.exe
4124	AcroRd32.exe
4124	AcroRd32.exe
4124	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exefmEz1XArATxqw5DG.exeprintserv.exeyuW5b7N21WCqOnJT.exe

description	pid	process	target process
PID 4692 wrote to memory of 2208	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	Thz6y65w80qLYvfN.exe
PID 4692 wrote to memory of 2208	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	Thz6y65w80qLYvfN.exe
PID 4692 wrote to memory of 2208	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	Thz6y65w80qLYvfN.exe
PID 4692 wrote to memory of 2308	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	olvhWZJ2IzOyDIQz.exe
PID 4692 wrote to memory of 2308	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	olvhWZJ2IzOyDIQz.exe
PID 4692 wrote to memory of 2308	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	olvhWZJ2IzOyDIQz.exe
PID 4692 wrote to memory of 4928	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	NYmjjeMc5K0gWjJL.exe
PID 4692 wrote to memory of 4928	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	NYmjjeMc5K0gWjJL.exe
PID 4692 wrote to memory of 4928	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	NYmjjeMc5K0gWjJL.exe
PID 4692 wrote to memory of 3776	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	U8UmBnUmjzG38e62.exe
PID 4692 wrote to memory of 3776	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	U8UmBnUmjzG38e62.exe
PID 4692 wrote to memory of 3776	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	U8UmBnUmjzG38e62.exe
PID 4692 wrote to memory of 3740	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	yuW5b7N21WCqOnJT.exe
PID 4692 wrote to memory of 3740	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	yuW5b7N21WCqOnJT.exe
PID 4692 wrote to memory of 3740	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	yuW5b7N21WCqOnJT.exe
PID 4692 wrote to memory of 3124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	fmEz1XArATxqw5DG.exe
PID 4692 wrote to memory of 3124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	fmEz1XArATxqw5DG.exe
PID 4692 wrote to memory of 3124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	fmEz1XArATxqw5DG.exe
PID 3124 wrote to memory of 3680	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 3680	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 3680	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 4692 wrote to memory of 4124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AcroRd32.exe
PID 4692 wrote to memory of 4124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AcroRd32.exe
PID 4692 wrote to memory of 4124	4692	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AcroRd32.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 3124 wrote to memory of 868	3124	fmEz1XArATxqw5DG.exe	printserv.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 868 wrote to memory of 5012	868	printserv.exe	notepad.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe
PID 3740 wrote to memory of 4468	3740	yuW5b7N21WCqOnJT.exe	svthost.exe

C:\Users\Admin\AppData\Local\Temp\ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
"C:\Users\Admin\AppData\Local\Temp\ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\Thz6y65w80qLYvfN.exe
"C:\Users\Admin\AppData\Local\Temp\Thz6y65w80qLYvfN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\svhoste.exe
"C:\Windows\svhoste.exe"
3⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\olvhWZJ2IzOyDIQz.exe
"C:\Users\Admin\AppData\Local\Temp\olvhWZJ2IzOyDIQz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'skypes"' /tr "'C:\Users\Admin\AppData\Roaming\skypes.exe"'
3⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA93.tmp.bat""
3⤵
PID:3952

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3688

C:\Users\Admin\AppData\Local\Temp\NYmjjeMc5K0gWjJL.exe
"C:\Users\Admin\AppData\Local\Temp\NYmjjeMc5K0gWjJL.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\U8UmBnUmjzG38e62.exe
"C:\Users\Admin\AppData\Local\Temp\U8UmBnUmjzG38e62.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe
"C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe"
3⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe
"C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe"
3⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\yuW5b7N21WCqOnJT.exe
"C:\Users\Admin\AppData\Local\Temp\yuW5b7N21WCqOnJT.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\D4yiEAr1ljZj6pAJ\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\D4yiEAr1ljZj6pAJ\svthost.exe"
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3760

C:\Users\Admin\Documents\excelsl.exe
"C:\Users\Admin\Documents\excelsl.exe"
4⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1052
5⤵
- Program crash
PID:3040

C:\Users\Admin\AppData\Local\Temp\fmEz1XArATxqw5DG.exe
"C:\Users\Admin\AppData\Local\Temp\fmEz1XArATxqw5DG.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe
"C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe"
3⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe
"C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:5012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2dK6r2GhlM84qj4z.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A69FEC06D9C8828A28EDD5CD9831F1C7 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4421D6C72CFBBE7F9CFAF52A3BE97EDE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4421D6C72CFBBE7F9CFAF52A3BE97EDE --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=80384905C0CEA2A86EDB947DC660F7F2 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DFB905D2E1A8BDBB25C33CB9B9CA022D --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91A28C7833627097C183D07DB9F3125A --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2416

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
3⤵
PID:4336

C:\Windows\svwhost.exe
"C:\Windows\svwhost.exe"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3536 -ip 3536
1⤵
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2dK6r2GhlM84qj4z.pdf
Filesize
46KB

MD5
e5a4a1326a02f8e7b59e6c3270ce7202

SHA1
42b567fcd31696fdc61b1627c23abc3f7bffde55

SHA256
dcb76016f9ac47e631540874da208a089f9d529da9628705a2869b954526bfe0

SHA512
a7580164daeef7bfd90a8eb3fe1a9e1504301f4d60ae8c54fe55bb396c1ef07b4b5af3b1e8df1ac81d166ab269886a49fbb6abdc8ad65cff0547a1cb3f353a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4yiEAr1ljZj6pAJ\svthost.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4yiEAr1ljZj6pAJ\svthost.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E54dfCaSRBjBGyUO\printserv.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYmjjeMc5K0gWjJL.exe
Filesize
379KB

MD5
ad5a883143a4cbc7f3480124f34150e8

SHA1
b301b43208d6a25ba53779b427628bf08b87e3d9

SHA256
837efc78139a51fdf70aa5e4df668705a6bb4636613435dd455a89d65dc55882

SHA512
d548c7942d47c2d2435d84bc4ff5487a2366ab5ac1be072c021d198882e1ebdc336e5e165830589b8fed081fa26f5cbf6f53b1470f31c2206144055e620c6e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYmjjeMc5K0gWjJL.exe
Filesize
379KB

MD5
ad5a883143a4cbc7f3480124f34150e8

SHA1
b301b43208d6a25ba53779b427628bf08b87e3d9

SHA256
837efc78139a51fdf70aa5e4df668705a6bb4636613435dd455a89d65dc55882

SHA512
d548c7942d47c2d2435d84bc4ff5487a2366ab5ac1be072c021d198882e1ebdc336e5e165830589b8fed081fa26f5cbf6f53b1470f31c2206144055e620c6e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thz6y65w80qLYvfN.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thz6y65w80qLYvfN.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\U8UmBnUmjzG38e62.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\U8UmBnUmjzG38e62.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEdAAlRxyAr8g404\videorv.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmEz1XArATxqw5DG.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmEz1XArATxqw5DG.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\olvhWZJ2IzOyDIQz.exe
Filesize
438KB

MD5
0a4b74345c65b419fa2e54003d8f35b2

SHA1
13695e65d21b1208fa871215344989cf4a45cada

SHA256
d056a28cca361012ee9d94d5c0119af33f1fddcfa0b39a45852eb115f2480cde

SHA512
56e00065754e10b630b4aa6fd2593086b260f1d29ef9e82d16a29c10c3462dd30e4072b33158790610305d02ab1b1eef8451ee0056bac78b266f17fdfcef65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\olvhWZJ2IzOyDIQz.exe
Filesize
438KB

MD5
0a4b74345c65b419fa2e54003d8f35b2

SHA1
13695e65d21b1208fa871215344989cf4a45cada

SHA256
d056a28cca361012ee9d94d5c0119af33f1fddcfa0b39a45852eb115f2480cde

SHA512
56e00065754e10b630b4aa6fd2593086b260f1d29ef9e82d16a29c10c3462dd30e4072b33158790610305d02ab1b1eef8451ee0056bac78b266f17fdfcef65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA93.tmp.bat
Filesize
150B

MD5
fd5ccb469cce5ee4f11de766251533ec

SHA1
207d33f75775c12e0a03b8903ebcd62390cf1a62

SHA256
b5ee77c8e0c1db8f2a72915dba86b7284e30d24a70c7e81c7fd216b3ea46c00a

SHA512
869b9a048222573b24ebe5923e88687349dda83f925d9c2294bea72bc72e6da8c139217a8688f61fe9399cf3284c44f6737525efdc56399e0a25d922dd0c3ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuW5b7N21WCqOnJT.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuW5b7N21WCqOnJT.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\Documents\excelsl.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\Documents\excelsl.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Windows\svhoste.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Windows\svhoste.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Windows\svwhost.exe
Filesize
3.8MB

MD5
57f9d1882f4bf9a35c66a3c7e541a174

SHA1
6c26537c0b251371c9e888f157f24017a00057eb

SHA256
ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a

SHA512
e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f

Download Submit
C:\Windows\svwhost.exe
Filesize
3.8MB

MD5
57f9d1882f4bf9a35c66a3c7e541a174

SHA1
6c26537c0b251371c9e888f157f24017a00057eb

SHA256
ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a

SHA512
e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/548-200-0x0000000000000000-mapping.dmp

Download
memory/868-160-0x0000000000000000-mapping.dmp

Download
memory/868-161-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/868-163-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/868-167-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/868-165-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/880-224-0x0000000000000000-mapping.dmp

Download
memory/1192-189-0x0000000000000000-mapping.dmp

Download
memory/1216-211-0x0000000000000000-mapping.dmp

Download
memory/2080-204-0x0000000000000000-mapping.dmp

Download
memory/2080-205-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2080-207-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2080-208-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2080-209-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2208-131-0x0000000000000000-mapping.dmp

Download
memory/2208-141-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2308-217-0x0000000009C80000-0x0000000009CE6000-memory.dmp

Filesize
408KB

Download
memory/2308-156-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/2308-134-0x0000000000000000-mapping.dmp

Download
memory/2308-219-0x0000000009FE0000-0x000000000A07C000-memory.dmp

Filesize
624KB

Download
memory/2308-153-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/2308-149-0x0000000000AC0000-0x0000000000B32000-memory.dmp

Filesize
456KB

Download
memory/2308-164-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/2416-214-0x0000000000000000-mapping.dmp

Download
memory/2452-195-0x0000000000000000-mapping.dmp

Download
memory/2604-192-0x0000000000000000-mapping.dmp

Download
memory/2784-181-0x0000000000000000-mapping.dmp

Download
memory/2784-187-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/3080-218-0x0000000000000000-mapping.dmp

Download
memory/3124-150-0x0000000000000000-mapping.dmp

Download
memory/3124-155-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-182-0x0000000000000000-mapping.dmp

Download
memory/3536-188-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/3680-157-0x0000000000000000-mapping.dmp

Download
memory/3688-227-0x0000000000000000-mapping.dmp

Download
memory/3740-154-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/3740-145-0x0000000000000000-mapping.dmp

Download
memory/3760-179-0x0000000000000000-mapping.dmp

Download
memory/3776-140-0x0000000000000000-mapping.dmp

Download
memory/3776-146-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/3952-225-0x0000000000000000-mapping.dmp

Download
memory/4124-159-0x0000000000000000-mapping.dmp

Download
memory/4336-216-0x0000000000000000-mapping.dmp

Download
memory/4412-223-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/4412-220-0x0000000000000000-mapping.dmp

Download
memory/4468-170-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-180-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-174-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-176-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-173-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4468-169-0x0000000000000000-mapping.dmp

Download
memory/4640-202-0x0000000000000000-mapping.dmp

Download
memory/4692-130-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-142-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-137-0x0000000000000000-mapping.dmp

Download
memory/5012-168-0x0000000000000000-mapping.dmp

Download