Analysis
max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:56
Behavioral task behavioral1
Sample: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Resource: win10v2004-20221111-en
General
Target: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Size: 305KB
MD5: 456d70ea849a2259771e8380247aacb0
SHA1: 6c8d3149b2b7dfb848853f5ad0a4e3c7831a105d
SHA256: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96
SHA512: 1ca08dccfff0b9126e9193ea56274642462a30331866dfd34220a77982a69864ac09ec41a7791dddb07aa6a465c1b25f8fba52f1b3af974a3c51f408aa03ea9d
SSDEEP: 6144:b7nI8TmAfM8D2tWq96ZuZ9wty3pdEIr1CJTk:fnIwmAE8D2tWq96IZ9wIpqW1CK
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 5 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
\Windows\SysWOW64\dnsq.dll | acprotect
C:\Windows\SysWOW64\com\netcfg.dll | acprotect
\Windows\SysWOW64\com\netcfg.dll | acprotect
C:\Windows\SysWOW64\dnsq.dll | acprotect
\Windows\SysWOW64\dnsq.dll | acprotect
Executes dropped EXE 5 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, lsass.exe, smss.exe
pid | process
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
300 | lsass.exe
1684 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
636 | lsass.exe
1748 | smss.exe
Sets file execution options in registry 2 TTPs 3 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | lsass.exe
Processes:
resource | yara_rule
behavioral1/memory/1992-55-0x0000000000400000-0x000000000042C000-memory.dmp | upx
\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | upx
\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | upx
C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | upx
behavioral1/memory/1992-64-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/900-72-0x0000000000400000-0x000000000042C000-memory.dmp | upx
\??\c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | upx
\Windows\SysWOW64\com\lsass.exe | upx
\Windows\SysWOW64\com\lsass.exe | upx
C:\Windows\SysWOW64\com\lsass.exe | upx
C:\Windows\SysWOW64\com\lsass.exe | upx
behavioral1/memory/300-91-0x0000000000400000-0x000000000042C000-memory.dmp | upx
behavioral1/memory/900-94-0x0000000000400000-0x000000000042C000-memory.dmp | upx
\Windows\SysWOW64\dnsq.dll | upx
\Windows\SysWOW64\com\lsass.exe | upx
\Windows\SysWOW64\com\lsass.exe | upx
behavioral1/memory/900-107-0x0000000000400000-0x000000000042C000-memory.dmp | upx
C:\Windows\SysWOW64\com\lsass.exe | upx
C:\Windows\SysWOW64\com\netcfg.dll | upx
\Windows\SysWOW64\com\netcfg.dll | upx
behavioral1/memory/636-115-0x0000000000400000-0x000000000042C000-memory.dmp | upx
C:\Windows\SysWOW64\dnsq.dll | upx
\Windows\SysWOW64\dnsq.dll | upx
behavioral1/memory/1748-118-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral1/memory/300-119-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral1/memory/300-122-0x0000000000400000-0x000000000042C000-memory.dmp | upx
Loads dropped DLL 13 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe, regsvr32.exe, smss.exe
pid | process
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
300 | lsass.exe
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
300 | lsass.exe
300 | lsass.exe
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
1688 | regsvr32.exe
1748 | smss.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Checks for any installed AV software in registry 1 TTPs 3 IoCs
Processes: lsass.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe, lsass.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: lsass.exe
description | ioc | process
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\f: | lsass.exe
Drops autorun.inf file 1 TTPs 7 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: lsass.exe
description | ioc | process
File created | C:\AUTORUN.INF | lsass.exe
File opened for modification | D:\AUTORUN.INF | lsass.exe
File opened for modification | \??\E:\AUTORUN.INF | lsass.exe
File opened for modification | C:\autorun.inf | lsass.exe
File opened for modification | D:\autorun.inf | lsass.exe
File opened for modification | \??\E:\autorun.inf | lsass.exe
File opened for modification | C:\AUTORUN.INF | lsass.exe
Drops file in System32 directory 21 IoCs
Processes: lsass.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\dnsq.dll | lsass.exe
File created | C:\Windows\SysWOW64\dnsq.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File created | C:\Windows\SysWOW64\com\lsass.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | lsass.exe
File created | C:\Windows\SysWOW64\com\netcfg.000 | lsass.exe
File created | C:\Windows\SysWOW64\7118325.log | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | lsass.exe
File created | C:\Windows\SysWOW64\com\netcfg.dll | lsass.exe
File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | lsass.exe
File created | C:\Windows\SysWOW64\00302.log | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File created | C:\Windows\SysWOW64\com\smss.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File created | C:\Windows\SysWOW64\00302.log | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File created | C:\Windows\SysWOW64\00302.log | lsass.exe
File created | C:\Windows\SysWOW64\com\lsass.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\7118325.log | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\bak | lsass.exe
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 64 IoCs
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe
pid | process
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
300 | lsass.exe
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
pid | process
468 |
468 |
468 |
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe
description | pid | process
Token: SeDebugPrivilege | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Token: SeDebugPrivilege | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Token: SeDebugPrivilege | 300 | lsass.exe
Suspicious use of SetWindowsHookEx 17 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe, lsass.exe
pid | process
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
300 | lsass.exe
300 | lsass.exe
300 | lsass.exe
300 | lsass.exe
300 | lsass.exe
636 | lsass.exe
636 | lsass.exe
636 | lsass.exe
636 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe, 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log, lsass.exe
description | pid | process | target process
PID 1992 wrote to memory of 1720 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cmd.exe
PID 1992 wrote to memory of 1720 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cmd.exe
PID 1992 wrote to memory of 1720 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cmd.exe
PID 1992 wrote to memory of 1720 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cmd.exe
PID 1992 wrote to memory of 1540 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1540 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1540 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1540 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1492 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1492 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1492 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 1492 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | cacls.exe
PID 1992 wrote to memory of 900 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 1992 wrote to memory of 900 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 1992 wrote to memory of 900 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 1992 wrote to memory of 900 | 1992 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 900 wrote to memory of 1160 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1160 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1160 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1160 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1012 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1012 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1012 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1012 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 776 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 776 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 776 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 776 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1048 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1048 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1048 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 1048 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 388 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 388 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 388 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 388 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cacls.exe
PID 900 wrote to memory of 520 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 520 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 520 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 520 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1096 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1096 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1096 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 1096 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | cmd.exe
PID 900 wrote to memory of 300 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | lsass.exe
PID 900 wrote to memory of 300 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | lsass.exe
PID 900 wrote to memory of 300 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | lsass.exe
PID 900 wrote to memory of 300 | 900 | 2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log | lsass.exe
PID 300 wrote to memory of 1060 | 300 | lsass.exe | cmd.exe
PID 300 wrote to memory of 1060 | 300 | lsass.exe | cmd.exe
PID 300 wrote to memory of 1060 | 300 | lsass.exe | cmd.exe
PID 300 wrote to memory of 1060 | 300 | lsass.exe | cmd.exe
PID 300 wrote to memory of 1752 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1752 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1752 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1752 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 896 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 896 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 896 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 896 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1536 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1536 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1536 | 300 | lsass.exe | cacls.exe
PID 300 wrote to memory of 1536 | 300 | lsass.exe | cacls.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe"
    - Sets file execution options in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c echo ok
    [2] C:\Windows\SysWOW64\cacls.exe
        command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    [2] C:\Windows\SysWOW64\cacls.exe
        command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    [2] \??\c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
        command line: "c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log"
        - Executes dropped EXE
        - Sets file execution options in registry
        - Loads dropped DLL
        - Checks for any installed AV software in registry
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd.exe /c echo ok
        [3] C:\Windows\SysWOW64\cacls.exe
            command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        [3] C:\Windows\SysWOW64\cacls.exe
            command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        [3] C:\Windows\SysWOW64\cacls.exe
            command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        [3] C:\Windows\SysWOW64\cacls.exe
            command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
        [3] C:\Windows\SysWOW64\com\lsass.exe
            command line: "C:\Windows\system32\com\lsass.exe"
            - Executes dropped EXE
            - Sets file execution options in registry
            - Loads dropped DLL
            - Checks for any installed AV software in registry
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: cmd.exe /c echo ok
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
            [4] C:\Windows\SysWOW64\cacls.exe
                command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
            [4] C:\Windows\SysWOW64\regsvr32.exe
                command line: "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
                - Loads dropped DLL
                - Modifies registry class
            [4] C:\Windows\SysWOW64\com\smss.exe
                command line: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
                - Executes dropped EXE
                - Loads dropped DLL
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
        [3] C:\Users\Admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
            command line: "C:\Users\Admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe"
            - Executes dropped EXE
        [3] C:\Windows\SysWOW64\com\lsass.exe
            command line: ^c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads