bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
Size

524KB
MD5

2cbec03e40a5b039cf09284bf0ec34a8
SHA1

e0b356a51d9bb65421c9a8350baabf081d4c83c8
SHA256

bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b
SHA512

f04295847d0ea634a47efed3edbcfa9197d461843577c374f0d30af909f6179939f937076f2bac33e50267d2851a50bb675f7ab9a7e87f8394141ea501d05db7
SSDEEP

12288:dSFMFpuhRp8tmnkX4C4IosE/rSkU19Zt/kMM22:UF+u+gkX3o1jSkErM2

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\5116369f\\X"	Explorer.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

JB3O2vP3.exekieadey.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	JB3O2vP3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kieadey.exe

Executes dropped EXE 11 IoCs

Processes:

JB3O2vP3.exekieadey.exe2sun.exe2sun.exe2sun.exe2sun.exe2sun.exe2sun.exe3sun.execsrss.exeX

pid process

1776 JB3O2vP3.exe
580 kieadey.exe
1300 2sun.exe
564 2sun.exe
1576 2sun.exe
1972 2sun.exe
1984 2sun.exe
1852 2sun.exe
1768 3sun.exe
336 csrss.exe
1384 X

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/564-84-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/564-85-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/564-86-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/564-92-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1576-91-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1576-96-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/564-94-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1576-99-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1972-104-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1576-106-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1972-107-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1972-108-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1576-109-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1972-116-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1972-117-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1984-119-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1984-118-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1984-115-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1984-125-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1984-126-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1576-130-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1984-132-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1972-131-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/564-167-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1848 cmd.exe

pid	process
1848	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exeJB3O2vP3.exe3sun.exe

pid	process
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1776	JB3O2vP3.exe
1776	JB3O2vP3.exe
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1768	3sun.exe
1768	3sun.exe

Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240
Destination IP 31.193.3.240

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kieadey.exeJB3O2vP3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /E"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /O"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /i"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /D"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /y"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /w"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /p"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /Q"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /t"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /s"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /d"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /G"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /K"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /P"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /e"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /j"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /r"	kieadey.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	JB3O2vP3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /J"	JB3O2vP3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /g"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /k"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /h"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /W"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /Z"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /f"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /l"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /H"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /I"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /o"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /c"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /z"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /B"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /X"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /T"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /M"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /m"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /N"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /V"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /a"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /x"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /v"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /b"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /A"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /n"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /L"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /R"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /C"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /J"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /Y"	kieadey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kieadey = "C:\\Users\\Admin\\kieadey.exe /q"	kieadey.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2sun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2sun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2sun.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

2sun.exe3sun.exe

description	pid	process	target process
PID 1300 set thread context of 564	1300	2sun.exe	2sun.exe
PID 1300 set thread context of 1576	1300	2sun.exe	2sun.exe
PID 1300 set thread context of 1972	1300	2sun.exe	2sun.exe
PID 1300 set thread context of 1984	1300	2sun.exe	2sun.exe
PID 1300 set thread context of 1852	1300	2sun.exe	2sun.exe
PID 1768 set thread context of 1908	1768	3sun.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1524 tasklist.exe
936 tasklist.exe

pid	process
1524	tasklist.exe
936	tasklist.exe

Modifies registry class 3 IoCs

Processes:

3sun.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}	3sun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}\u = "188"	3sun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3097c7e0-1ac2-2f18-0d68-79804155316e}\cid = "5540952245175752010"	3sun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JB3O2vP3.exe2sun.exekieadey.exe2sun.exe3sun.exeX

pid	process
1776	JB3O2vP3.exe
1776	JB3O2vP3.exe
1576	2sun.exe
580	kieadey.exe
1972	2sun.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
580	kieadey.exe
1768	3sun.exe
1768	3sun.exe
1768	3sun.exe
580	kieadey.exe
1768	3sun.exe
1384	X
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
580	kieadey.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1972	2sun.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
1576	2sun.exe
580	kieadey.exe
1576	2sun.exe
580	kieadey.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE

pid	process
1288	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exe3sun.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1524	tasklist.exe
Token: SeDebugPrivilege	1768	3sun.exe
Token: SeDebugPrivilege	1768	3sun.exe
Token: SeDebugPrivilege	936	tasklist.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exeJB3O2vP3.exekieadey.exe2sun.exe2sun.exe2sun.exe

pid process

1204 bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
1776 JB3O2vP3.exe
580 kieadey.exe
1300 2sun.exe
564 2sun.exe
1984 2sun.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

336 csrss.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exeJB3O2vP3.execmd.exe2sun.exe3sun.exe

description	pid	process	target process
PID 1204 wrote to memory of 1776	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	JB3O2vP3.exe
PID 1204 wrote to memory of 1776	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	JB3O2vP3.exe
PID 1204 wrote to memory of 1776	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	JB3O2vP3.exe
PID 1204 wrote to memory of 1776	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	JB3O2vP3.exe
PID 1776 wrote to memory of 580	1776	JB3O2vP3.exe	kieadey.exe
PID 1776 wrote to memory of 580	1776	JB3O2vP3.exe	kieadey.exe
PID 1776 wrote to memory of 580	1776	JB3O2vP3.exe	kieadey.exe
PID 1776 wrote to memory of 580	1776	JB3O2vP3.exe	kieadey.exe
PID 1776 wrote to memory of 792	1776	JB3O2vP3.exe	cmd.exe
PID 1776 wrote to memory of 792	1776	JB3O2vP3.exe	cmd.exe
PID 1776 wrote to memory of 792	1776	JB3O2vP3.exe	cmd.exe
PID 1776 wrote to memory of 792	1776	JB3O2vP3.exe	cmd.exe
PID 792 wrote to memory of 1524	792	cmd.exe	tasklist.exe
PID 792 wrote to memory of 1524	792	cmd.exe	tasklist.exe
PID 792 wrote to memory of 1524	792	cmd.exe	tasklist.exe
PID 792 wrote to memory of 1524	792	cmd.exe	tasklist.exe
PID 1204 wrote to memory of 1300	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	2sun.exe
PID 1204 wrote to memory of 1300	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	2sun.exe
PID 1204 wrote to memory of 1300	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	2sun.exe
PID 1204 wrote to memory of 1300	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 564	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1576	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1972	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1984	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1852	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1852	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1852	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1852	1300	2sun.exe	2sun.exe
PID 1300 wrote to memory of 1852	1300	2sun.exe	2sun.exe
PID 1204 wrote to memory of 1768	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	3sun.exe
PID 1204 wrote to memory of 1768	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	3sun.exe
PID 1204 wrote to memory of 1768	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	3sun.exe
PID 1204 wrote to memory of 1768	1204	bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe	3sun.exe
PID 1768 wrote to memory of 1288	1768	3sun.exe	Explorer.EXE
PID 1768 wrote to memory of 336	1768	3sun.exe	csrss.exe
PID 1768 wrote to memory of 1384	1768	3sun.exe	X

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Users\Admin\AppData\Local\Temp\bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
"C:\Users\Admin\AppData\Local\Temp\bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\JB3O2vP3.exe
C:\Users\Admin\JB3O2vP3.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\kieadey.exe
"C:\Users\Admin\kieadey.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del JB3O2vP3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Users\Admin\2sun.exe
C:\Users\Admin\2sun.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\2sun.exe
"C:\Users\Admin\2sun.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:564

C:\Users\Admin\2sun.exe
"C:\Users\Admin\2sun.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Users\Admin\2sun.exe
"C:\Users\Admin\2sun.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\2sun.exe
"C:\Users\Admin\2sun.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Users\Admin\2sun.exe
"C:\Users\Admin\2sun.exe"
4⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\3sun.exe
C:\Users\Admin\3sun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\5116369f\X
*0*bc*b31a954a*31.193.3.240:53
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del bc31b9a0a04cdbb2db963b14dd35bab87b46bfa1b70626ee1fabc1654ee4093b.exe
3⤵
- Deletes itself
PID:1848

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
C:\Users\Admin\3sun.exe

Filesize
278KB

MD5
345cbbd3a56a313f804b997f8cbecb2b

SHA1
9978d6f5bca8ab1486573ff073661e7cfd40c365

SHA256
492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

SHA512
5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

Download Submit
C:\Users\Admin\3sun.exe

Filesize
278KB

MD5
345cbbd3a56a313f804b997f8cbecb2b

SHA1
9978d6f5bca8ab1486573ff073661e7cfd40c365

SHA256
492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

SHA512
5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

Download Submit
C:\Users\Admin\AppData\Local\5116369f\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
C:\Users\Admin\JB3O2vP3.exe

Filesize
228KB

MD5
290d691efc05b13247d2f6d8952a215b

SHA1
a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

SHA256
43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

SHA512
8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

Download Submit
C:\Users\Admin\JB3O2vP3.exe

Filesize
228KB

MD5
290d691efc05b13247d2f6d8952a215b

SHA1
a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

SHA256
43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

SHA512
8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

Download Submit
C:\Users\Admin\kieadey.exe

Filesize
228KB

MD5
f75c047fa2dc90b2bbc6ee434ce71423

SHA1
ef42e3e3cfdc48b825005ba0c11be5e9cfba7b9b

SHA256
3c1eec8857833e34080f72d3b6c5252858536d18225ffc37f9f6106322c4cd49

SHA512
6355c27f7d1d44f6b0fb21fd9507a9b402fd68db9d2a1d30b962644376be21084766e9a143f08f729acb5e5c7143c07e324da7337952fc51c13bfcf1ab68c9f7

Download Submit
C:\Users\Admin\kieadey.exe

Filesize
228KB

MD5
f75c047fa2dc90b2bbc6ee434ce71423

SHA1
ef42e3e3cfdc48b825005ba0c11be5e9cfba7b9b

SHA256
3c1eec8857833e34080f72d3b6c5252858536d18225ffc37f9f6106322c4cd49

SHA512
6355c27f7d1d44f6b0fb21fd9507a9b402fd68db9d2a1d30b962644376be21084766e9a143f08f729acb5e5c7143c07e324da7337952fc51c13bfcf1ab68c9f7

Download Submit
C:\Windows\system32\consrv.dll

Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
\Users\Admin\2sun.exe

Filesize
128KB

MD5
cba16c1a489b02c4ff5720c68f35f787

SHA1
bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

SHA256
0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

SHA512
00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

Download Submit
\Users\Admin\3sun.exe

Filesize
278KB

MD5
345cbbd3a56a313f804b997f8cbecb2b

SHA1
9978d6f5bca8ab1486573ff073661e7cfd40c365

SHA256
492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

SHA512
5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

Download Submit
\Users\Admin\3sun.exe

Filesize
278KB

MD5
345cbbd3a56a313f804b997f8cbecb2b

SHA1
9978d6f5bca8ab1486573ff073661e7cfd40c365

SHA256
492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

SHA512
5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

Download Submit
\Users\Admin\AppData\Local\5116369f\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\Users\Admin\AppData\Local\5116369f\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\Users\Admin\JB3O2vP3.exe

Filesize
228KB

MD5
290d691efc05b13247d2f6d8952a215b

SHA1
a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

SHA256
43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

SHA512
8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

Download Submit
\Users\Admin\JB3O2vP3.exe

Filesize
228KB

MD5
290d691efc05b13247d2f6d8952a215b

SHA1
a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

SHA256
43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

SHA512
8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

Download Submit
\Users\Admin\kieadey.exe

Filesize
228KB

MD5
f75c047fa2dc90b2bbc6ee434ce71423

SHA1
ef42e3e3cfdc48b825005ba0c11be5e9cfba7b9b

SHA256
3c1eec8857833e34080f72d3b6c5252858536d18225ffc37f9f6106322c4cd49

SHA512
6355c27f7d1d44f6b0fb21fd9507a9b402fd68db9d2a1d30b962644376be21084766e9a143f08f729acb5e5c7143c07e324da7337952fc51c13bfcf1ab68c9f7

Download Submit
\Users\Admin\kieadey.exe

Filesize
228KB

MD5
f75c047fa2dc90b2bbc6ee434ce71423

SHA1
ef42e3e3cfdc48b825005ba0c11be5e9cfba7b9b

SHA256
3c1eec8857833e34080f72d3b6c5252858536d18225ffc37f9f6106322c4cd49

SHA512
6355c27f7d1d44f6b0fb21fd9507a9b402fd68db9d2a1d30b962644376be21084766e9a143f08f729acb5e5c7143c07e324da7337952fc51c13bfcf1ab68c9f7

Download Submit
\Windows\System32\consrv.dll

Filesize
29KB

MD5
1149c1bd71248a9d170e4568fb08df30

SHA1
6f77f183d65709901f476c5d6eebaed060a495f9

SHA256
c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

SHA512
9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
a6fb3c7ae7e2fdf8000eee97bb2d2411

SHA1
40bf52c55bc655e48a2337cf642bbac28e3cec8d

SHA256
10b1e83c2a5b056eff6aa1163711f7ad440c453d91d0c6f446121b257d43f647

SHA512
6cb494b437d561f24f9c8d84b72f8ce882f5f5418bd086c0a6dbf758d002788f4f227c7e7903e108008200be2edb6c4f6b1c508076d8d0bbb2cef21922cff868

Download Submit
memory/336-164-0x0000000001F00000-0x0000000001F0B000-memory.dmp

Filesize
44KB

Download
memory/564-86-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-92-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-94-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-167-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-83-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-84-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-85-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/564-87-0x0000000000405690-mapping.dmp

Download
memory/580-67-0x0000000000000000-mapping.dmp

Download
memory/792-73-0x0000000000000000-mapping.dmp

Download
memory/936-175-0x0000000000000000-mapping.dmp

Download
memory/1204-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1288-165-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/1288-166-0x00000000029F0000-0x00000000029FB000-memory.dmp

Filesize
44KB

Download
memory/1288-161-0x00000000029E0000-0x00000000029EB000-memory.dmp

Filesize
44KB

Download
memory/1288-142-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/1288-157-0x00000000029E0000-0x00000000029EB000-memory.dmp

Filesize
44KB

Download
memory/1288-153-0x00000000029E0000-0x00000000029EB000-memory.dmp

Filesize
44KB

Download
memory/1288-138-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/1288-146-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/1288-169-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/1300-77-0x0000000000000000-mapping.dmp

Download
memory/1384-151-0x0000000000000000-mapping.dmp

Download
memory/1524-74-0x0000000000000000-mapping.dmp

Download
memory/1576-130-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-106-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-96-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-89-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-99-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-109-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-100-0x000000000040C520-mapping.dmp

Download
memory/1768-163-0x000000000043C000-0x0000000000471000-memory.dmp

Filesize
212KB

Download
memory/1768-162-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/1768-135-0x0000000000000000-mapping.dmp

Download
memory/1768-168-0x000000000043C000-0x0000000000471000-memory.dmp

Filesize
212KB

Download
memory/1768-173-0x000000000043C000-0x0000000000471000-memory.dmp

Filesize
212KB

Download
memory/1768-172-0x0000000030670000-0x00000000306C1000-memory.dmp

Filesize
324KB

Download
memory/1776-59-0x0000000000000000-mapping.dmp

Download
memory/1848-174-0x0000000000000000-mapping.dmp

Download
memory/1852-123-0x0000000000000000-mapping.dmp

Download
memory/1908-171-0x0000000000000000-mapping.dmp

Download
memory/1972-107-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-110-0x0000000000424F20-mapping.dmp

Download
memory/1972-131-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-103-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-117-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1972-104-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1984-125-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-126-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-132-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-115-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-118-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-120-0x0000000000405790-mapping.dmp

Download
memory/1984-119-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download