8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Size

316KB
MD5

528bcc049158a4bedf27542fcd6c7ff0
SHA1

b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b
SHA256

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476
SHA512

a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130
SSDEEP

6144:i73FQmDBY/K7WAsQ58eOjCM6/UrI35g73FQmDBy/K7WAs:i71QPSIAcGC71QJSI

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

smss.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exesmss.exelsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exesmss.exesmss.exesmss.exesmss.exe

pid	process
2028	smss.exe
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
336	lsass.exe
668	smss.exe
1572	lsass.exe
804	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1512	smss.exe
1344	smss.exe
800	smss.exe
1400	smss.exe

Loads dropped DLL 21 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exeregsvr32.exe

pid	process
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
2044	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

lsass.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run lsass.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

lsass.exe

description ioc process

File opened (read-only) \??\E: lsass.exe

description	ioc	process
File opened (read-only)	\??\E:	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 13 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

lsass.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main lsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server\ = "sndrec32.exe"	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server\ = "sndrec32.exe"	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

pid	process
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
336	lsass.exe
336	lsass.exe
336	lsass.exe
336	lsass.exe
1572	lsass.exe
1572	lsass.exe
804	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
1572	lsass.exe
1572	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe

description	pid	process	target process
PID 1788 wrote to memory of 1076	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 1788 wrote to memory of 1076	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 1788 wrote to memory of 1076	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 1788 wrote to memory of 1076	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 1788 wrote to memory of 2028	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 1788 wrote to memory of 2028	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 1788 wrote to memory of 2028	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 1788 wrote to memory of 2028	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 1788 wrote to memory of 1772	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 1788 wrote to memory of 1772	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 1788 wrote to memory of 1772	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 1788 wrote to memory of 1772	1788	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 1772 wrote to memory of 868	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 1772 wrote to memory of 868	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 1772 wrote to memory of 868	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 1772 wrote to memory of 868	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 1772 wrote to memory of 336	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 336	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 336	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 336	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 668	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 1772 wrote to memory of 668	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 1772 wrote to memory of 668	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 1772 wrote to memory of 668	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 1772 wrote to memory of 804	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 1772 wrote to memory of 804	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 1772 wrote to memory of 804	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 1772 wrote to memory of 804	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 1772 wrote to memory of 1572	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 1572	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 1572	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 1772 wrote to memory of 1572	1772	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 336 wrote to memory of 1368	336	lsass.exe	cacls.exe
PID 336 wrote to memory of 1368	336	lsass.exe	cacls.exe
PID 336 wrote to memory of 1368	336	lsass.exe	cacls.exe
PID 336 wrote to memory of 1368	336	lsass.exe	cacls.exe
PID 1572 wrote to memory of 1808	1572	lsass.exe	cacls.exe
PID 1572 wrote to memory of 1808	1572	lsass.exe	cacls.exe
PID 1572 wrote to memory of 1808	1572	lsass.exe	cacls.exe
PID 1572 wrote to memory of 1808	1572	lsass.exe	cacls.exe
PID 336 wrote to memory of 1512	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1512	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1512	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1512	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1344	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1344	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1344	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1344	336	lsass.exe	smss.exe
PID 336 wrote to memory of 800	336	lsass.exe	smss.exe
PID 336 wrote to memory of 800	336	lsass.exe	smss.exe
PID 336 wrote to memory of 800	336	lsass.exe	smss.exe
PID 336 wrote to memory of 800	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1400	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1400	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1400	336	lsass.exe	smss.exe
PID 336 wrote to memory of 1400	336	lsass.exe	smss.exe
PID 336 wrote to memory of 2024	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 2024	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 2024	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 2024	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 1620	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 1620	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 1620	336	lsass.exe	cmd.exe
PID 336 wrote to memory of 1620	336	lsass.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
"C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
2⤵
PID:1076

C:\Windows\SysWOW64\com\smss.exe
c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe|c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
2⤵
- Executes dropped EXE
PID:2028

\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
"c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
3⤵
PID:868

C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:1368

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
4⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
4⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
4⤵
- Executes dropped EXE
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q C:\Windows\system32\com\bak
4⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q C:\Windows\system32\com\bak
4⤵
PID:1620

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\com\smss.exe
c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.~|c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
3⤵
- Executes dropped EXE
PID:668

\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
C:\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll
Filesize
44KB

MD5
cf1f3506599598844148afb012f227de

SHA1
19f57909e3101e000700ef9790c7a6df3e40e41b

SHA256
f2dd657b735314683e2c139b4e7b93df7918e9a8ec4ce1de3d05b0a8c1a4da33

SHA512
bf43fc34eeb9f76b7cc24dd5a640f9ba4642c3065434eccc163d1ab6483fe3d5d3baaaa224260eed4468bc8dcecbdf9d3cc25e16d48c232cf86c2b6bcea43cad

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\pagefile.pif
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.~
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
\Windows\SysWOW64\com\netcfg.dll
Filesize
44KB

MD5
cf1f3506599598844148afb012f227de

SHA1
19f57909e3101e000700ef9790c7a6df3e40e41b

SHA256
f2dd657b735314683e2c139b4e7b93df7918e9a8ec4ce1de3d05b0a8c1a4da33

SHA512
bf43fc34eeb9f76b7cc24dd5a640f9ba4642c3065434eccc163d1ab6483fe3d5d3baaaa224260eed4468bc8dcecbdf9d3cc25e16d48c232cf86c2b6bcea43cad

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
memory/336-71-0x0000000000000000-mapping.dmp

Download
memory/668-76-0x0000000000000000-mapping.dmp

Download
memory/800-106-0x0000000000000000-mapping.dmp

Download
memory/804-82-0x0000000000000000-mapping.dmp

Download
memory/868-66-0x0000000000000000-mapping.dmp

Download
memory/1076-55-0x0000000000000000-mapping.dmp

Download
memory/1344-100-0x0000000000000000-mapping.dmp

Download
memory/1368-90-0x0000000000000000-mapping.dmp

Download
memory/1400-110-0x0000000000000000-mapping.dmp

Download
memory/1512-95-0x0000000000000000-mapping.dmp

Download
memory/1572-85-0x0000000000000000-mapping.dmp

Download
memory/1620-113-0x0000000000000000-mapping.dmp

Download
memory/1772-63-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1808-92-0x0000000000000000-mapping.dmp

Download
memory/2024-112-0x0000000000000000-mapping.dmp

Download
memory/2028-58-0x0000000000000000-mapping.dmp

Download
memory/2044-114-0x0000000000000000-mapping.dmp

Download