darkcomet | fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe
Size

1.5MB
MD5

7589a096aa62e18e4f551f8aac5f30ce
SHA1

eaced6976c02d9f33f4a4d783f16a9290b5a71e5
SHA256

fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3
SHA512

0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c
SSDEEP

24576:dRmJkcoQricOIQxiZY1iag0a4oAboSB70PwvKNFZTVMrZiD4iVheq86F9/xP:SJZoQrbTFZY1iagIzborkKN73DjV7Z

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

minamobile1.zapto.org:1604

Mutex

DC_MUTEX-FVRPPG1

Attributes

InstallPath
MSDCSC\explorer.exe
gencode
2Ml2U2nN4HCu
install
true
offline_keylogger
true
persistence
true
reg_key
Microsoft Explorer Service

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
5076	explorer.exe
2292	explorer.exe
4208	explorer.exe
688	explorer.exe
4552	explorer.exe
3384	explorer.exe
4708	explorer.exe
652	explorer.exe
1792	explorer.exe
4400	explorer.exe
3380	explorer.exe
3560	explorer.exe
4976	explorer.exe
3056	explorer.exe
732	explorer.exe
216	explorer.exe
3388	explorer.exe
2388	explorer.exe
776	explorer.exe
1696	explorer.exe
4684	explorer.exe
3820	explorer.exe
4048	explorer.exe
2112	explorer.exe
2108	explorer.exe
1212	explorer.exe
4984	explorer.exe
4232	explorer.exe
1540	explorer.exe
2260	explorer.exe
4084	explorer.exe
4476	explorer.exe
1104	explorer.exe
4952	explorer.exe
3028	explorer.exe
1004	explorer.exe
2756	explorer.exe
1992	explorer.exe
1856	explorer.exe
3976	explorer.exe
3128	explorer.exe
3056	explorer.exe
4972	explorer.exe
548	explorer.exe
2256	explorer.exe
3048	explorer.exe
2436	explorer.exe
1132	explorer.exe
3824	explorer.exe
1620	explorer.exe
4424	explorer.exe
1960	explorer.exe
3576	explorer.exe
1560	explorer.exe
784	explorer.exe
1532	explorer.exe
4300	explorer.exe
1180	explorer.exe
4888	explorer.exe
700	explorer.exe
3800	explorer.exe
1084	explorer.exe
1672	explorer.exe
4004	explorer.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1780	attrib.exe
1740	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer Service = "C:\\Windows\\system32\\MSDCSC\\explorer.exe"	explorer.exe

AutoIT Executable 60 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000001e70f-133.dat	autoit_exe
behavioral2/files/0x000300000001e70f-134.dat	autoit_exe
behavioral2/files/0x000300000001e70f-138.dat	autoit_exe
behavioral2/files/0x0007000000022f64-149.dat	autoit_exe
behavioral2/files/0x0007000000022f64-150.dat	autoit_exe
behavioral2/files/0x000300000001e70f-154.dat	autoit_exe
behavioral2/files/0x000300000001e70f-156.dat	autoit_exe
behavioral2/files/0x000300000001e70f-165.dat	autoit_exe
behavioral2/files/0x000300000001e70f-171.dat	autoit_exe
behavioral2/files/0x000300000001e70f-177.dat	autoit_exe
behavioral2/files/0x000300000001e70f-183.dat	autoit_exe
behavioral2/files/0x000300000001e70f-189.dat	autoit_exe
behavioral2/files/0x000300000001e70f-195.dat	autoit_exe
behavioral2/files/0x000300000001e70f-201.dat	autoit_exe
behavioral2/files/0x000300000001e70f-207.dat	autoit_exe
behavioral2/files/0x000300000001e70f-214.dat	autoit_exe
behavioral2/files/0x000300000001e70f-220.dat	autoit_exe
behavioral2/files/0x000300000001e70f-226.dat	autoit_exe
behavioral2/files/0x000300000001e70f-232.dat	autoit_exe
behavioral2/files/0x000300000001e70f-238.dat	autoit_exe
behavioral2/files/0x000300000001e70f-244.dat	autoit_exe
behavioral2/files/0x000300000001e70f-250.dat	autoit_exe
behavioral2/files/0x000300000001e70f-256.dat	autoit_exe
behavioral2/files/0x000300000001e70f-262.dat	autoit_exe
behavioral2/files/0x000300000001e70f-268.dat	autoit_exe
behavioral2/files/0x000300000001e70f-274.dat	autoit_exe
behavioral2/files/0x000300000001e70f-280.dat	autoit_exe
behavioral2/files/0x000300000001e70f-286.dat	autoit_exe
behavioral2/files/0x000300000001e70f-292.dat	autoit_exe
behavioral2/files/0x000300000001e70f-298.dat	autoit_exe
behavioral2/files/0x000300000001e70f-305.dat	autoit_exe
behavioral2/files/0x000300000001e70f-311.dat	autoit_exe
behavioral2/files/0x000300000001e70f-318.dat	autoit_exe
behavioral2/files/0x000300000001e70f-324.dat	autoit_exe
behavioral2/files/0x000300000001e70f-330.dat	autoit_exe
behavioral2/files/0x000300000001e70f-336.dat	autoit_exe
behavioral2/files/0x000300000001e70f-342.dat	autoit_exe
behavioral2/files/0x000300000001e70f-348.dat	autoit_exe
behavioral2/files/0x000300000001e70f-354.dat	autoit_exe
behavioral2/files/0x000300000001e70f-360.dat	autoit_exe
behavioral2/files/0x000300000001e70f-366.dat	autoit_exe
behavioral2/files/0x000300000001e70f-372.dat	autoit_exe
behavioral2/files/0x000300000001e70f-378.dat	autoit_exe
behavioral2/files/0x000300000001e70f-384.dat	autoit_exe
behavioral2/files/0x000300000001e70f-390.dat	autoit_exe
behavioral2/files/0x000300000001e70f-396.dat	autoit_exe
behavioral2/files/0x000300000001e70f-402.dat	autoit_exe
behavioral2/files/0x000300000001e70f-408.dat	autoit_exe
behavioral2/files/0x000300000001e70f-414.dat	autoit_exe
behavioral2/files/0x000300000001e70f-420.dat	autoit_exe
behavioral2/files/0x000300000001e70f-426.dat	autoit_exe
behavioral2/files/0x000300000001e70f-432.dat	autoit_exe
behavioral2/files/0x000300000001e70f-438.dat	autoit_exe
behavioral2/files/0x000300000001e70f-444.dat	autoit_exe
behavioral2/files/0x000300000001e70f-450.dat	autoit_exe
behavioral2/files/0x000300000001e70f-456.dat	autoit_exe
behavioral2/files/0x000300000001e70f-462.dat	autoit_exe
behavioral2/files/0x000300000001e70f-468.dat	autoit_exe
behavioral2/files/0x000300000001e70f-474.dat	autoit_exe
behavioral2/files/0x000300000001e70f-480.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\MSDCSC\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 2292	5076	explorer.exe	81
PID 5076 set thread context of 4552	5076	explorer.exe	98
PID 688 set thread context of 3384	688	explorer.exe	101
PID 688 set thread context of 4708	688	explorer.exe	102
PID 688 set thread context of 652	688	explorer.exe	103
PID 688 set thread context of 1792	688	explorer.exe	104
PID 688 set thread context of 4400	688	explorer.exe	105
PID 688 set thread context of 3380	688	explorer.exe	106
PID 688 set thread context of 3560	688	explorer.exe	107
PID 688 set thread context of 4976	688	explorer.exe	108
PID 688 set thread context of 3056	688	explorer.exe	109
PID 688 set thread context of 732	688	explorer.exe	110
PID 688 set thread context of 216	688	explorer.exe	111
PID 688 set thread context of 3388	688	explorer.exe	112
PID 688 set thread context of 2388	688	explorer.exe	113
PID 688 set thread context of 776	688	explorer.exe	114
PID 688 set thread context of 1696	688	explorer.exe	115
PID 688 set thread context of 4684	688	explorer.exe	116
PID 688 set thread context of 3820	688	explorer.exe	117
PID 688 set thread context of 4048	688	explorer.exe	118
PID 688 set thread context of 2112	688	explorer.exe	119
PID 688 set thread context of 2108	688	explorer.exe	120
PID 688 set thread context of 1212	688	explorer.exe	121
PID 688 set thread context of 4984	688	explorer.exe	122
PID 688 set thread context of 4232	688	explorer.exe	123
PID 688 set thread context of 1540	688	explorer.exe	124
PID 688 set thread context of 2260	688	explorer.exe	125
PID 688 set thread context of 4084	688	explorer.exe	126
PID 688 set thread context of 4476	688	explorer.exe	127
PID 688 set thread context of 1104	688	explorer.exe	128
PID 688 set thread context of 4952	688	explorer.exe	129
PID 688 set thread context of 3028	688	explorer.exe	130
PID 688 set thread context of 1004	688	explorer.exe	131
PID 688 set thread context of 2756	688	explorer.exe	132
PID 688 set thread context of 1992	688	explorer.exe	133
PID 688 set thread context of 1856	688	explorer.exe	134
PID 688 set thread context of 3976	688	explorer.exe	135
PID 688 set thread context of 3128	688	explorer.exe	136
PID 688 set thread context of 3056	688	explorer.exe	137
PID 688 set thread context of 4972	688	explorer.exe	138
PID 688 set thread context of 548	688	explorer.exe	139
PID 688 set thread context of 2256	688	explorer.exe	140
PID 688 set thread context of 3048	688	explorer.exe	141
PID 688 set thread context of 2436	688	explorer.exe	142
PID 688 set thread context of 1132	688	explorer.exe	143
PID 688 set thread context of 3824	688	explorer.exe	144
PID 688 set thread context of 1620	688	explorer.exe	145
PID 688 set thread context of 4424	688	explorer.exe	146
PID 688 set thread context of 1960	688	explorer.exe	147
PID 688 set thread context of 3576	688	explorer.exe	148
PID 688 set thread context of 1560	688	explorer.exe	149
PID 688 set thread context of 784	688	explorer.exe	150
PID 688 set thread context of 1532	688	explorer.exe	151
PID 688 set thread context of 4300	688	explorer.exe	152
PID 688 set thread context of 1180	688	explorer.exe	153
PID 688 set thread context of 4888	688	explorer.exe	154
PID 688 set thread context of 700	688	explorer.exe	155
PID 688 set thread context of 3800	688	explorer.exe	156
PID 688 set thread context of 1084	688	explorer.exe	157
PID 688 set thread context of 1672	688	explorer.exe	158
PID 688 set thread context of 4004	688	explorer.exe	159
PID 688 set thread context of 332	688	explorer.exe	160
PID 688 set thread context of 2252	688	explorer.exe	161
PID 688 set thread context of 4212	688	explorer.exe	162

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe
5076	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4552	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2292	explorer.exe
Token: SeSecurityPrivilege	2292	explorer.exe
Token: SeTakeOwnershipPrivilege	2292	explorer.exe
Token: SeLoadDriverPrivilege	2292	explorer.exe
Token: SeSystemProfilePrivilege	2292	explorer.exe
Token: SeSystemtimePrivilege	2292	explorer.exe
Token: SeProfSingleProcessPrivilege	2292	explorer.exe
Token: SeIncBasePriorityPrivilege	2292	explorer.exe
Token: SeCreatePagefilePrivilege	2292	explorer.exe
Token: SeBackupPrivilege	2292	explorer.exe
Token: SeRestorePrivilege	2292	explorer.exe
Token: SeShutdownPrivilege	2292	explorer.exe
Token: SeDebugPrivilege	2292	explorer.exe
Token: SeSystemEnvironmentPrivilege	2292	explorer.exe
Token: SeChangeNotifyPrivilege	2292	explorer.exe
Token: SeRemoteShutdownPrivilege	2292	explorer.exe
Token: SeUndockPrivilege	2292	explorer.exe
Token: SeManageVolumePrivilege	2292	explorer.exe
Token: SeImpersonatePrivilege	2292	explorer.exe
Token: SeCreateGlobalPrivilege	2292	explorer.exe
Token: 33	2292	explorer.exe
Token: 34	2292	explorer.exe
Token: 35	2292	explorer.exe
Token: 36	2292	explorer.exe
Token: SeIncreaseQuotaPrivilege	4552	explorer.exe
Token: SeSecurityPrivilege	4552	explorer.exe
Token: SeTakeOwnershipPrivilege	4552	explorer.exe
Token: SeLoadDriverPrivilege	4552	explorer.exe
Token: SeSystemProfilePrivilege	4552	explorer.exe
Token: SeSystemtimePrivilege	4552	explorer.exe
Token: SeProfSingleProcessPrivilege	4552	explorer.exe
Token: SeIncBasePriorityPrivilege	4552	explorer.exe
Token: SeCreatePagefilePrivilege	4552	explorer.exe
Token: SeBackupPrivilege	4552	explorer.exe
Token: SeRestorePrivilege	4552	explorer.exe
Token: SeShutdownPrivilege	4552	explorer.exe
Token: SeDebugPrivilege	4552	explorer.exe
Token: SeSystemEnvironmentPrivilege	4552	explorer.exe
Token: SeChangeNotifyPrivilege	4552	explorer.exe
Token: SeRemoteShutdownPrivilege	4552	explorer.exe
Token: SeUndockPrivilege	4552	explorer.exe
Token: SeManageVolumePrivilege	4552	explorer.exe
Token: SeImpersonatePrivilege	4552	explorer.exe
Token: SeCreateGlobalPrivilege	4552	explorer.exe
Token: 33	4552	explorer.exe
Token: 34	4552	explorer.exe
Token: 35	4552	explorer.exe
Token: 36	4552	explorer.exe
Token: SeIncreaseQuotaPrivilege	3384	explorer.exe
Token: SeSecurityPrivilege	3384	explorer.exe
Token: SeTakeOwnershipPrivilege	3384	explorer.exe
Token: SeLoadDriverPrivilege	3384	explorer.exe
Token: SeSystemProfilePrivilege	3384	explorer.exe
Token: SeSystemtimePrivilege	3384	explorer.exe
Token: SeProfSingleProcessPrivilege	3384	explorer.exe
Token: SeIncBasePriorityPrivilege	3384	explorer.exe
Token: SeCreatePagefilePrivilege	3384	explorer.exe
Token: SeBackupPrivilege	3384	explorer.exe
Token: SeRestorePrivilege	3384	explorer.exe
Token: SeShutdownPrivilege	3384	explorer.exe
Token: SeDebugPrivilege	3384	explorer.exe
Token: SeSystemEnvironmentPrivilege	3384	explorer.exe
Token: SeChangeNotifyPrivilege	3384	explorer.exe
Token: SeRemoteShutdownPrivilege	3384	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4552	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 5076	3144	fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe	80
PID 3144 wrote to memory of 5076	3144	fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe	80
PID 3144 wrote to memory of 5076	3144	fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe	80
PID 5076 wrote to memory of 2292	5076	explorer.exe	81
PID 5076 wrote to memory of 2292	5076	explorer.exe	81
PID 5076 wrote to memory of 2292	5076	explorer.exe	81
PID 5076 wrote to memory of 2292	5076	explorer.exe	81
PID 5076 wrote to memory of 2292	5076	explorer.exe	81
PID 2292 wrote to memory of 3416	2292	explorer.exe	87
PID 2292 wrote to memory of 3416	2292	explorer.exe	87
PID 2292 wrote to memory of 3416	2292	explorer.exe	87
PID 2292 wrote to memory of 4544	2292	explorer.exe	88
PID 2292 wrote to memory of 4544	2292	explorer.exe	88
PID 2292 wrote to memory of 4544	2292	explorer.exe	88
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 2292 wrote to memory of 3204	2292	explorer.exe	91
PID 4544 wrote to memory of 1740	4544	cmd.exe	93
PID 4544 wrote to memory of 1740	4544	cmd.exe	93
PID 4544 wrote to memory of 1740	4544	cmd.exe	93
PID 3416 wrote to memory of 1780	3416	cmd.exe	92
PID 3416 wrote to memory of 1780	3416	cmd.exe	92
PID 3416 wrote to memory of 1780	3416	cmd.exe	92
PID 2292 wrote to memory of 4208	2292	explorer.exe	97
PID 2292 wrote to memory of 4208	2292	explorer.exe	97
PID 2292 wrote to memory of 4208	2292	explorer.exe	97
PID 5076 wrote to memory of 4552	5076	explorer.exe	98
PID 5076 wrote to memory of 4552	5076	explorer.exe	98
PID 5076 wrote to memory of 4552	5076	explorer.exe	98
PID 4208 wrote to memory of 688	4208	explorer.exe	99
PID 4208 wrote to memory of 688	4208	explorer.exe	99
PID 4208 wrote to memory of 688	4208	explorer.exe	99
PID 5076 wrote to memory of 4552	5076	explorer.exe	98
PID 5076 wrote to memory of 4552	5076	explorer.exe	98
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100
PID 4552 wrote to memory of 4468	4552	explorer.exe	100

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1780	attrib.exe
1740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe
"C:\Users\Admin\AppData\Local\Temp\fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Roaming\explorer.exe
  C:\Users\Admin\AppData\Roaming\explorer.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\explorer.exe" +s +h
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Roaming\explorer.exe" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Roaming" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1740
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:3204
  - - C:\Windows\SysWOW64\MSDCSC\explorer.exe
      "C:\Windows\system32\MSDCSC\explorer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        C:\Users\Admin\AppData\Roaming\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:688
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4708
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:652
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1792
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4400
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3380
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3560
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:732
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:216
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3388
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2388
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:776
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1696
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4684
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3820
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4048
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2112
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1212
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4984
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4232
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1540
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2260
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4084
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1104
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4952
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3028
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1004
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2756
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1992
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1856
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3976
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3128
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4972
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:548
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2256
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2436
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1132
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3824
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4424
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1960
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3576
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1560
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:784
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1532
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4300
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1180
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4888
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:700
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3800
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1084
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1672
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4004
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:332
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:3700
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1844
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4712
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:492
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2504
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4568
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:888
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2836
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:2236
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4016
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1000
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:4484
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:5116
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:5092
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1960
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1740
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4444
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:3964
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:2292
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4796
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:3668
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:3180
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4228
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:4440
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2640
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:1308
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1888
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:2244
      - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        6⤵
        
        PID:1700
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\res.ico

Filesize
756KB

MD5
ef91d5f955a429d1d229abb265f137d1

SHA1
0246c7ea325032f771933e6b25d35106cd782184

SHA256
22b680cb88daa56b81055a907dd0c8b7d9e8b3924814c1fb157641472c1cf4bc

SHA512
bc34a71b02fefd07a93a4616cbcb8dba608747d6fb5f74298c9df05f1b5edee59787f7b4f9e768e236121ff89c3a8e49e68ee563465c717bd4f793d59ff3d371

Download Submit
C:\Users\Admin\AppData\Local\Temp\res.ico

Filesize
756KB

MD5
ef91d5f955a429d1d229abb265f137d1

SHA1
0246c7ea325032f771933e6b25d35106cd782184

SHA256
22b680cb88daa56b81055a907dd0c8b7d9e8b3924814c1fb157641472c1cf4bc

SHA512
bc34a71b02fefd07a93a4616cbcb8dba608747d6fb5f74298c9df05f1b5edee59787f7b4f9e768e236121ff89c3a8e49e68ee563465c717bd4f793d59ff3d371

Download Submit
C:\Users\Admin\AppData\Local\Temp\res.ico2

Filesize
756KB

MD5
ef91d5f955a429d1d229abb265f137d1

SHA1
0246c7ea325032f771933e6b25d35106cd782184

SHA256
22b680cb88daa56b81055a907dd0c8b7d9e8b3924814c1fb157641472c1cf4bc

SHA512
bc34a71b02fefd07a93a4616cbcb8dba608747d6fb5f74298c9df05f1b5edee59787f7b4f9e768e236121ff89c3a8e49e68ee563465c717bd4f793d59ff3d371

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Windows\SysWOW64\MSDCSC\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
C:\Windows\SysWOW64\MSDCSC\explorer.exe

Filesize
1.5MB

MD5
7589a096aa62e18e4f551f8aac5f30ce

SHA1
eaced6976c02d9f33f4a4d783f16a9290b5a71e5

SHA256
fc6f91773f25c82a791d065a632ea8d27928b08ea3034eac24b8e62b39d619f3

SHA512
0558c6020395a0b376ca834357b26c2079f6eae0ac3270650c7f65078f4eb2fdc97d53962d634e304aa5136a005682a0d9a8cb2c9f19ef2c91310a86af98c30c

Download Submit
memory/216-229-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/548-399-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/652-180-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/700-491-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/700-492-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/732-223-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/776-247-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/784-465-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1004-351-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1084-500-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1104-333-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1132-423-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1180-483-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1212-289-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1532-471-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1540-308-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1560-459-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1620-435-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1696-253-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1792-186-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1856-369-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1960-447-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/1992-363-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2108-283-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2112-277-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2256-405-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2260-314-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2292-141-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2292-137-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2292-147-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2292-140-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2292-139-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2388-241-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2436-417-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/2756-357-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3028-345-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3048-411-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3056-387-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3056-217-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3128-381-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3380-198-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3384-168-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3388-235-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3560-204-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3576-453-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3800-496-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3820-316-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3820-265-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3824-429-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/3976-375-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4048-271-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4084-321-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4232-302-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4232-301-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4300-477-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4400-192-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4424-441-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4476-327-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4552-160-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4552-212-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4552-158-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4684-259-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4708-174-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4888-487-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4952-339-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4972-393-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4976-210-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download
memory/4984-295-0x00000000000D0000-0x000000000019A000-memory.dmp

Filesize
808KB

Download