0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc

Analysis

max time kernel
114s
max time network
120s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Size

1.9MB
MD5

83cb5c6151bf2d49a800557af451cead
SHA1

ddcc46491dd27692dbe8b218dc669e966c8ee88d
SHA256

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc
SHA512

3c7afc1f4563cc1598dc69f81560d1b6f059bef02c6dec75c4e036dfa50ec0b077b895133334c733a5fbc979f765e2b4c0473036f2a3a780cf846e3803d79284
SSDEEP

49152:8NQ/5vHwq6I92yqUm3qUocqa3nwkFfiFiAe:8ypwqn9fxJr+nw46AAe

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll	acprotect
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

searchlineu_nc.exesearchlinedc.exe

pid process

520 searchlineu_nc.exe
1352 searchlinedc.exe

pid	process
520	searchlineu_nc.exe
1352	searchlinedc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll	upx
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1252 cmd.exe

pid	process
1252	cmd.exe

Loads dropped DLL 24 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exesearchlineu_nc.exe

pid	process
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
520	searchlineu_nc.exe
520	searchlineu_nc.exe
520	searchlineu_nc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Searchline_nc = "\"C:\\Program Files (x86)\\Searchline_nc\\searchlineu_nc.exe\" subcmd"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Searchline_ncupdate = "C:\\Program Files (x86)\\Searchline_nc\\searchlinedc.exe"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\NoExplorer = "1"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Drops file in Program Files directory 6 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	ioc	process
File created	C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
File created	C:\Program Files (x86)\Searchline_nc\searchlinedc.exe	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove.dll	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove_new.dll	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
File created	C:\Program Files (x86)\Searchline_nc\uninstall.exe	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_nc.dll	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1164 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

624 schtasks.exe

pid	process
1164	sc.exe

pid	process
624	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppName = "searchlineu_nc.exe"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppPath = "C:\\Program Files (x86)\\Searchline_nc\\"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\Policy = "3"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Modifies registry class 51 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}\ = "searchline_nc"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID\ = "searchline_nc.searchline_nc_Obj.1"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\ = "searchline_nc_Obj Class"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\ = "searchline_nc_Obj Class"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\Programmable	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ThreadingModel = "Apartment"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\ = "searchline_nc 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR\	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID\ = "searchline_nc.searchline_nc_Obj"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer\ = "searchline_nc.searchline_nc_Obj.1"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS\ = "0"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exesearchlineu_nc.exe

pid	process
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
520	searchlineu_nc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

description	pid	process
Token: SeRestorePrivilege	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
Token: SeBackupPrivilege	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

searchlineu_nc.exe

pid process

520 searchlineu_nc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

searchlineu_nc.exe

pid process

520 searchlineu_nc.exe
520 searchlineu_nc.exe

pid	process
520	searchlineu_nc.exe

pid	process
520	searchlineu_nc.exe
520	searchlineu_nc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.execmd.exesearchlineu_nc.exe

description	pid	process	target process
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1664	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 624	1664	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 520	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlineu_nc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 1644 wrote to memory of 1352	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	searchlinedc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 520 wrote to memory of 1164	520	searchlineu_nc.exe	sc.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe
PID 1644 wrote to memory of 1252	1644	0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe
"C:\Users\Admin\AppData\Local\Temp\0a03f3e93cce32b443d0b5a069dd49cf66b6d41c680b3c0f3183f8178974ecbc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:624

C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
"C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe" Runcmd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\sc.exe
sc query npf
3⤵
- Launches sc.exe
PID:1164

C:\Program Files (x86)\Searchline_nc\searchlinedc.exe
"C:\Program Files (x86)\Searchline_nc\searchlinedc.exe"
2⤵
- Executes dropped EXE
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c \DelUS.bat
2⤵
- Deletes itself
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat
Filesize
264B

MD5
171ea5191b35453e846c5fd764f9b14b

SHA1
e8080fd4704565f953fda045a736ab0af26c1121

SHA256
e07834fc0910f02b759d8683755a26f7a8f12879008922c75b58a895c1f9ecc2

SHA512
6196d9faa6833dbfda1573910b3a705bb9436431e0d26fcaaddb3d526f56d6cc39a45623b45a1a1e40844045d9e5b320df461596d71d0dc5a46bc867e43dbcef

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlinedc.exe
Filesize
638KB

MD5
9403b82e97d31ed102c770e118f73923

SHA1
7849ef861cd59b82e8dd5348b8681be4946e1c9c

SHA256
5d7926527802785bf993d08d9015195814807f1d1fe9935e25e414db188e410f

SHA512
9095bdc5bec1411de8a1a5ae8a854c0b0575afdb1257e9f6c3585c2688a2511c9670a8f3265e323698633f17967e5fa18db2dfe69ec37c82d7ac3d8a9bc63fd7

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Program Files (x86)\Searchline_nc\searchline_nc.dll
Filesize
170KB

MD5
d86b78979e01fa87b9f3b45cb2e2221a

SHA1
0b103a62da51206b89853b3aeedcb5d61edb51d0

SHA256
e277dbd22ee5a6b8a40be75b7dea1faa794e6ec75e7686e7152a8d01a55d10a3

SHA512
3d8aaa20e7fbfc17e8fd4f59aa9ae2fdddd5b889c77c92d2fdc57b9b80941bb35cd7699f543305f70d794bac20dcefaee3b611aee27fcb4e6ccada1e305a4620

Download Submit
\Program Files (x86)\Searchline_nc\searchlinedc.exe
Filesize
638KB

MD5
9403b82e97d31ed102c770e118f73923

SHA1
7849ef861cd59b82e8dd5348b8681be4946e1c9c

SHA256
5d7926527802785bf993d08d9015195814807f1d1fe9935e25e414db188e410f

SHA512
9095bdc5bec1411de8a1a5ae8a854c0b0575afdb1257e9f6c3585c2688a2511c9670a8f3265e323698633f17967e5fa18db2dfe69ec37c82d7ac3d8a9bc63fd7

Download Submit
\Program Files (x86)\Searchline_nc\searchlinedc.exe
Filesize
638KB

MD5
9403b82e97d31ed102c770e118f73923

SHA1
7849ef861cd59b82e8dd5348b8681be4946e1c9c

SHA256
5d7926527802785bf993d08d9015195814807f1d1fe9935e25e414db188e410f

SHA512
9095bdc5bec1411de8a1a5ae8a854c0b0575afdb1257e9f6c3585c2688a2511c9670a8f3265e323698633f17967e5fa18db2dfe69ec37c82d7ac3d8a9bc63fd7

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
Filesize
390KB

MD5
b1917d1edcd903202ee5771ba962e110

SHA1
ba929a26ee798f7c5ca3d62949cad15f4e66b44a

SHA256
93fef29ecadd8886f4ba74d8a8c38b089ef8d4b3bfae7e18c12b94b79f9fa7ad

SHA512
820fdede6510c03afea0af0ca4bf35738cf0519ff5cba88261f600e9d76c0375f76d545ee65d1e4358a93413e0bcbfd8995be959901502c6e743a479bb3b189b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\DLLWebCount.dll
Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\FindProcDLL.dll
Filesize
32KB

MD5
849abe37c3b8a6dd48089b769ee789c5

SHA1
81d5d6c4d6328059a07ae59878c717211a726512

SHA256
0ac175b28d2a156e71bda214d4a35321c85d434e325624564f0a5eee23c718be

SHA512
fa1f60aa1e26dffe6a0b2ee8cba6490cc2d1f94613777466ce434a71431bd88f8c3964718f3ea1dd2c8ca41847cc259999bb293ea2591f4f0a0add286229f76f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\IEKill.dll
Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\IEKill.dll
Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\SelfDelete.dll
Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\UnProtectMode.dll
Filesize
300KB

MD5
d89ff06d097d5040c1e530990bbe5dfe

SHA1
aaf0e28701d20617352b4679c32b93668e44cb00

SHA256
19daf98b87df2d643e4b42dfbb0f31dccbd9bd36908f419de7df7db3b74b8b4f

SHA512
512c82a00d41aa2884e4154dbbaefec557d4bf57c3848b7d25096791b393c9eae73d530aa476f1fd51409f4454e2668a1392810d3609f37c1b65ad7df485498d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFEBC.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/520-80-0x0000000000000000-mapping.dmp

Download
memory/624-72-0x0000000000000000-mapping.dmp

Download
memory/1164-93-0x0000000000000000-mapping.dmp

Download
memory/1252-96-0x0000000000000000-mapping.dmp

Download
memory/1352-84-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-77-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/1644-76-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/1644-75-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/1644-74-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/1664-70-0x0000000000000000-mapping.dmp

Download