cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a

Analysis

max time kernel
254s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
Size

840KB
MD5

4782291bc809406f9b6e02d99f177db2
SHA1

14ef51d15e7bbea121f81f90711d4dae0e05d4ba
SHA256

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a
SHA512

55813f4c06324eac66850b32c3f8ea71bb0455f7399f4b54b6bd9ec8cf6a43264332010a6ca235dbc113f530727ccf3d2e2f8e4890e65bbbcabeb4227a72fcc2
SSDEEP

12288:OCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:rk9P7nCvX6MNYLIbgYJ3chra+GbrL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

d3WQGzd9.exepjcic.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3WQGzd9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pjcic.exe

Executes dropped EXE 8 IoCs

Processes:

d3WQGzd9.exepjcic.exeawhost.exebwhost.exebwhost.execwhost.execsrss.exedwhost.exe

pid process

396 d3WQGzd9.exe
1384 pjcic.exe
864 awhost.exe
532 bwhost.exe
1872 bwhost.exe
1632 cwhost.exe
336 csrss.exe
1832 dwhost.exe

Loads dropped DLL 15 IoCs

Processes:

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exed3WQGzd9.exeWerFault.exe

pid	process
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
396	d3WQGzd9.exe
396	d3WQGzd9.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pjcic.exed3WQGzd9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /G"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /R"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /k"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /H"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /W"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /E"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /B"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /U"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /i"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /e"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /r"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /s"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /P"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /N"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /L"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /D"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /q"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /n"	pjcic.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /t"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /f"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /u"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /J"	pjcic.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d3WQGzd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /l"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /c"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /p"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /Q"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /C"	d3WQGzd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /y"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /Y"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /j"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /C"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /h"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /g"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /a"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /M"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /w"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /F"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /b"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /v"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /x"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /A"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /o"	pjcic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjcic = "C:\\Users\\Admin\\pjcic.exe /O"	pjcic.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

csrss.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe
File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exeawhost.exebwhost.exebwhost.exe

description	pid	process	target process
PID 524 set thread context of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 864 set thread context of 1588	864	awhost.exe	svchost.exe
PID 532 set thread context of 1872	532	bwhost.exe	bwhost.exe
PID 1872 set thread context of 1472	1872	bwhost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

852 1632 WerFault.exe cwhost.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

332 tasklist.exe
1796 tasklist.exe

pid	pid_target	process	target process
852	1632	WerFault.exe	cwhost.exe

pid	process
332	tasklist.exe
1796	tasklist.exe

Modifies registry class 3 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{47d0328c-b53e-9c2b-349a-af8a9f7fd0dd}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47d0328c-b53e-9c2b-349a-af8a9f7fd0dd}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47d0328c-b53e-9c2b-349a-af8a9f7fd0dd}\cid = "8575287422197935863"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d3WQGzd9.exesvchost.exepjcic.exeexplorer.exe

pid	process
396	d3WQGzd9.exe
396	d3WQGzd9.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1384	pjcic.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1472	explorer.exe
1472	explorer.exe
1384	pjcic.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1588	svchost.exe
1384	pjcic.exe
1588	svchost.exe
1384	pjcic.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exeexplorer.exetasklist.exe

description pid process

Token: SeDebugPrivilege 332 tasklist.exe
Token: SeDebugPrivilege 1472 explorer.exe
Token: SeDebugPrivilege 1796 tasklist.exe

description	pid	process
Token: SeDebugPrivilege	332	tasklist.exe
Token: SeDebugPrivilege	1472	explorer.exe
Token: SeDebugPrivilege	1796	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.execd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exed3WQGzd9.exepjcic.exeawhost.exebwhost.exedwhost.exe

pid	process
524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
396	d3WQGzd9.exe
1384	pjcic.exe
864	awhost.exe
532	bwhost.exe
1832	dwhost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.execd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exed3WQGzd9.exeawhost.exebwhost.execmd.exebwhost.exepjcic.exe

description	pid	process	target process
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 524 wrote to memory of 1188	524	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
PID 1188 wrote to memory of 396	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	d3WQGzd9.exe
PID 1188 wrote to memory of 396	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	d3WQGzd9.exe
PID 1188 wrote to memory of 396	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	d3WQGzd9.exe
PID 1188 wrote to memory of 396	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	d3WQGzd9.exe
PID 396 wrote to memory of 1384	396	d3WQGzd9.exe	pjcic.exe
PID 396 wrote to memory of 1384	396	d3WQGzd9.exe	pjcic.exe
PID 396 wrote to memory of 1384	396	d3WQGzd9.exe	pjcic.exe
PID 396 wrote to memory of 1384	396	d3WQGzd9.exe	pjcic.exe
PID 1188 wrote to memory of 864	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	awhost.exe
PID 1188 wrote to memory of 864	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	awhost.exe
PID 1188 wrote to memory of 864	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	awhost.exe
PID 1188 wrote to memory of 864	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	awhost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 396 wrote to memory of 796	396	d3WQGzd9.exe	cmd.exe
PID 396 wrote to memory of 796	396	d3WQGzd9.exe	cmd.exe
PID 396 wrote to memory of 796	396	d3WQGzd9.exe	cmd.exe
PID 396 wrote to memory of 796	396	d3WQGzd9.exe	cmd.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 864 wrote to memory of 1588	864	awhost.exe	svchost.exe
PID 1188 wrote to memory of 532	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	bwhost.exe
PID 1188 wrote to memory of 532	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	bwhost.exe
PID 1188 wrote to memory of 532	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	bwhost.exe
PID 1188 wrote to memory of 532	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 532 wrote to memory of 1872	532	bwhost.exe	bwhost.exe
PID 796 wrote to memory of 332	796	cmd.exe	tasklist.exe
PID 796 wrote to memory of 332	796	cmd.exe	tasklist.exe
PID 796 wrote to memory of 332	796	cmd.exe	tasklist.exe
PID 796 wrote to memory of 332	796	cmd.exe	tasklist.exe
PID 1188 wrote to memory of 1632	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cwhost.exe
PID 1188 wrote to memory of 1632	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cwhost.exe
PID 1188 wrote to memory of 1632	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cwhost.exe
PID 1188 wrote to memory of 1632	1188	cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe	cwhost.exe
PID 1872 wrote to memory of 1472	1872	bwhost.exe	explorer.exe
PID 1872 wrote to memory of 1472	1872	bwhost.exe	explorer.exe
PID 1872 wrote to memory of 1472	1872	bwhost.exe	explorer.exe
PID 1872 wrote to memory of 1472	1872	bwhost.exe	explorer.exe
PID 1872 wrote to memory of 1472	1872	bwhost.exe	explorer.exe
PID 1384 wrote to memory of 332	1384	pjcic.exe	tasklist.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336

C:\Users\Admin\AppData\Local\Temp\cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
"C:\Users\Admin\AppData\Local\Temp\cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
  "C:\Users\Admin\AppData\Local\Temp\cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\d3WQGzd9.exe
    C:\Users\Admin\d3WQGzd9.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\pjcic.exe
      "C:\Users\Admin\pjcic.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del d3WQGzd9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
- - C:\Users\Admin\awhost.exe
    C:\Users\Admin\awhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1588
- - C:\Users\Admin\bwhost.exe
    C:\Users\Admin\bwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Users\Admin\bwhost.exe
      "C:\Users\Admin\bwhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\explorer.exe
        
        0000003C*
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
- - C:\Users\Admin\cwhost.exe
    C:\Users\Admin\cwhost.exe
    3⤵
    - Executes dropped EXE
    PID:1632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 168
      4⤵
      Loads dropped DLL
      Program crash
      PID:852
- - C:\Users\Admin\dwhost.exe
    C:\Users\Admin\dwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del cd217ba507fc09a4eea74eb0530a7acf2f33d23a1a454aedb328e11cbcda176a.exe
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
C:\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
C:\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
C:\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
C:\Users\Admin\pjcic.exe

Filesize
364KB

MD5
6d3a21e6866047b0f16b0053c81104c6

SHA1
b56582ed3ca38e9c6e084a33ee70ed7ef525255e

SHA256
8bc164e03cead88b331733c09f082c114e9d29e4e3755cd508d4d3062a526b14

SHA512
9a69184897106c5d173bca88e0586637849f10d12096d8544c219bcab18bee9a2f01edef520fcc83a2ccf36a582b7d948952e31f23f6ec2c7521305d22697559

Download Submit
C:\Users\Admin\pjcic.exe

Filesize
364KB

MD5
6d3a21e6866047b0f16b0053c81104c6

SHA1
b56582ed3ca38e9c6e084a33ee70ed7ef525255e

SHA256
8bc164e03cead88b331733c09f082c114e9d29e4e3755cd508d4d3062a526b14

SHA512
9a69184897106c5d173bca88e0586637849f10d12096d8544c219bcab18bee9a2f01edef520fcc83a2ccf36a582b7d948952e31f23f6ec2c7521305d22697559

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
68689b2e7472e2cfb3f39da8a59505d9

SHA1
5be15784ab1193dc13ac24ec1efcabded5fe2df4

SHA256
f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

SHA512
269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

Download Submit
\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
\Users\Admin\pjcic.exe

Filesize
364KB

MD5
6d3a21e6866047b0f16b0053c81104c6

SHA1
b56582ed3ca38e9c6e084a33ee70ed7ef525255e

SHA256
8bc164e03cead88b331733c09f082c114e9d29e4e3755cd508d4d3062a526b14

SHA512
9a69184897106c5d173bca88e0586637849f10d12096d8544c219bcab18bee9a2f01edef520fcc83a2ccf36a582b7d948952e31f23f6ec2c7521305d22697559

Download Submit
\Users\Admin\pjcic.exe

Filesize
364KB

MD5
6d3a21e6866047b0f16b0053c81104c6

SHA1
b56582ed3ca38e9c6e084a33ee70ed7ef525255e

SHA256
8bc164e03cead88b331733c09f082c114e9d29e4e3755cd508d4d3062a526b14

SHA512
9a69184897106c5d173bca88e0586637849f10d12096d8544c219bcab18bee9a2f01edef520fcc83a2ccf36a582b7d948952e31f23f6ec2c7521305d22697559

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
68689b2e7472e2cfb3f39da8a59505d9

SHA1
5be15784ab1193dc13ac24ec1efcabded5fe2df4

SHA256
f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

SHA512
269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

Download Submit
memory/332-124-0x0000000000000000-mapping.dmp

Download
memory/336-149-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/396-71-0x0000000000000000-mapping.dmp

Download
memory/532-109-0x0000000000000000-mapping.dmp

Download
memory/796-95-0x0000000000000000-mapping.dmp

Download
memory/852-143-0x0000000000000000-mapping.dmp

Download
memory/864-87-0x0000000000000000-mapping.dmp

Download
memory/888-157-0x0000000000000000-mapping.dmp

Download
memory/1188-68-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-63-0x00000000004012FC-mapping.dmp

Download
memory/1188-67-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1188-62-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-159-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-56-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-57-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-93-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1188-59-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1384-79-0x0000000000000000-mapping.dmp

Download
memory/1472-131-0x0000000000170000-0x0000000000189000-memory.dmp

Filesize
100KB

Download
memory/1472-136-0x0000000000170000-0x0000000000189000-memory.dmp

Filesize
100KB

Download
memory/1472-141-0x0000000000170000-0x0000000000189000-memory.dmp

Filesize
100KB

Download
memory/1472-130-0x0000000000000000-mapping.dmp

Download
memory/1472-142-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download
memory/1588-102-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-101-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-96-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-94-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-98-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-99-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-100-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-103-0x00000000004012A0-mapping.dmp

Download
memory/1588-106-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-105-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1632-127-0x0000000000000000-mapping.dmp

Download
memory/1796-158-0x0000000000000000-mapping.dmp

Download
memory/1832-152-0x0000000000000000-mapping.dmp

Download
memory/1872-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-121-0x00000000004013C6-mapping.dmp

Download