2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96

Analysis

max time kernel
167s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Size

305KB
MD5

456d70ea849a2259771e8380247aacb0
SHA1

6c8d3149b2b7dfb848853f5ad0a4e3c7831a105d
SHA256

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96
SHA512

1ca08dccfff0b9126e9193ea56274642462a30331866dfd34220a77982a69864ac09ec41a7791dddb07aa6a465c1b25f8fba52f1b3af974a3c51f408aa03ea9d
SSDEEP

6144:b7nI8TmAfM8D2tWq96ZuZ9wty3pdEIr1CJTk:fnIwmAE8D2tWq96IZ9wIpqW1CK

Score

9^/10

evasion persistence trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\dnsq.dll	acprotect
C:\Windows\SysWOW64\dnsq.dll	acprotect
C:\Windows\SysWOW64\dnsq.dll	acprotect
C:\Windows\SysWOW64\com\netcfg.dll	acprotect
C:\Windows\SysWOW64\Com\netcfg.dll	acprotect

Executes dropped EXE 5 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exelsass.exesmss.exe

pid	process
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3836	lsass.exe
1296	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
672	lsass.exe
2084	smss.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	lsass.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4896-132-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/4896-136-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	upx
\??\c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	upx
behavioral2/memory/3252-141-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/4896-142-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Windows\SysWOW64\Com\lsass.exe	upx
C:\Windows\SysWOW64\com\lsass.exe	upx
C:\Windows\SysWOW64\Com\lsass.exe	upx
behavioral2/memory/3252-157-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/672-159-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3836-167-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Windows\SysWOW64\dnsq.dll	upx
C:\Windows\SysWOW64\dnsq.dll	upx
C:\Windows\SysWOW64\dnsq.dll	upx
C:\Windows\SysWOW64\com\netcfg.dll	upx
C:\Windows\SysWOW64\Com\netcfg.dll	upx
behavioral2/memory/3836-179-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/2084-180-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/3836-183-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsass.exe

Loads dropped DLL 3 IoCs

Processes:

lsass.exesmss.exeregsvr32.exe

pid process

3836 lsass.exe
2084 smss.exe
4064 regsvr32.exe

pid	process
3836	lsass.exe
2084	smss.exe
4064	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

lsass.exe

description ioc process

File opened (read-only) \??\E: lsass.exe
File opened (read-only) \??\e: lsass.exe

description	ioc	process
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\e:	lsass.exe

Drops autorun.inf file 1 TTPs 7 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\autorun.inf	lsass.exe
File opened for modification	D:\autorun.inf	lsass.exe
File opened for modification	\??\E:\autorun.inf	lsass.exe
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 21 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

description	ioc	process
File created	C:\Windows\SysWOW64\com\smss.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\com\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	C:\Windows\SysWOW64\240616672.log	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File created	C:\Windows\SysWOW64\com\lsass.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
File created	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File created	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
File created	C:\Windows\SysWOW64\00302.log	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File created	C:\Windows\SysWOW64\240616672.log	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

3440 ping.exe

pid	process
3440	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

pid	process
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3836	lsass.exe
3836	lsass.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

652
652
652

pid	process
652
652
652

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

description	pid	process
Token: SeDebugPrivilege	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
Token: SeDebugPrivilege	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
Token: SeDebugPrivilege	3836	lsass.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exelsass.exe

pid	process
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3836	lsass.exe
3836	lsass.exe
3836	lsass.exe
3836	lsass.exe
672	lsass.exe
672	lsass.exe
672	lsass.exe
672	lsass.exe
3836	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.loglsass.exe

description	pid	process	target process
PID 4896 wrote to memory of 208	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cmd.exe
PID 4896 wrote to memory of 208	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cmd.exe
PID 4896 wrote to memory of 208	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cmd.exe
PID 4896 wrote to memory of 4152	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 4152	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 4152	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 1112	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 1112	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 1112	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	cacls.exe
PID 4896 wrote to memory of 3252	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 4896 wrote to memory of 3252	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 4896 wrote to memory of 3252	4896	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
PID 3252 wrote to memory of 4396	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 4396	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 4396	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 1284	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1284	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1284	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1248	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1248	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1248	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 4028	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 4028	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 4028	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1948	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1948	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 1948	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cacls.exe
PID 3252 wrote to memory of 4388	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 4388	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 4388	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 3780	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 3780	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 3780	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	cmd.exe
PID 3252 wrote to memory of 3836	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3252 wrote to memory of 3836	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3252 wrote to memory of 3836	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3252 wrote to memory of 1296	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
PID 3252 wrote to memory of 1296	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
PID 3252 wrote to memory of 1296	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
PID 3252 wrote to memory of 672	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3252 wrote to memory of 672	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3252 wrote to memory of 672	3252	2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log	lsass.exe
PID 3836 wrote to memory of 3916	3836	lsass.exe	cmd.exe
PID 3836 wrote to memory of 3916	3836	lsass.exe	cmd.exe
PID 3836 wrote to memory of 3916	3836	lsass.exe	cmd.exe
PID 3836 wrote to memory of 864	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 864	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 864	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3152	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3152	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3152	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 4892	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 4892	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 4892	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 1504	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 1504	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 1504	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3764	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3764	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 3764	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 2320	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 2320	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 2320	3836	lsass.exe	cacls.exe
PID 3836 wrote to memory of 1300	3836	lsass.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
"C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe"
1⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
2⤵
PID:208

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
2⤵
PID:4152

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
2⤵
PID:1112

\??\c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
"c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
3⤵
PID:4396

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
3⤵
PID:1284

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
3⤵
PID:1248

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
3⤵
PID:4028

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
3⤵
PID:3780

C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
4⤵
PID:3916

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
4⤵
PID:3152

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
4⤵
PID:4892

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
4⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
4⤵
PID:3764

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
4⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
4⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
4⤵
PID:876

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4064

C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
4⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
4⤵
PID:2524

C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
4⤵
- Runs ping.exe
PID:3440

C:\Users\Admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe
"C:\Users\Admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe"
3⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe

Filesize
121KB

MD5
d68c76c06e7c214e75568cf33681e703

SHA1
25770e6a917f6f3f0fd8842c505510f988e894b0

SHA256
74710d859e37240d2f08bc8a85ab9ce211dbb664e810c580c256cfcad23e0c15

SHA512
eba7a70ff65b9f2132a713a41dd62aafd7e13a20c6b04dcd08496ae281f722b5ced9cbbe943f11cd7a8e87eb64bab5b5b754cfb9a77cd24a2c5f7cb3675ea052

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log

Filesize
305KB

MD5
456d70ea849a2259771e8380247aacb0

SHA1
6c8d3149b2b7dfb848853f5ad0a4e3c7831a105d

SHA256
2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96

SHA512
1ca08dccfff0b9126e9193ea56274642462a30331866dfd34220a77982a69864ac09ec41a7791dddb07aa6a465c1b25f8fba52f1b3af974a3c51f408aa03ea9d

Download Submit
C:\Windows\SysWOW64\Com\lsass.exe

Filesize
92KB

MD5
63c116bb81aec29d3da6427ac0569095

SHA1
fecaa03fd4290cdad785bac8942ab17ad90c0a41

SHA256
a8b60ca820277a3d6f8fc9b950e84a544ab0643c946243d94bc408b86566f3e6

SHA512
bb83cd4f0776e5363f2dc94ec948df9257899b1945d04ad78847770af95bc716ad36c436395e92029e11fc793a0af99e74fe5312cd10158da837b42eb93a314e

Download Submit
C:\Windows\SysWOW64\Com\lsass.exe

Filesize
92KB

MD5
63c116bb81aec29d3da6427ac0569095

SHA1
fecaa03fd4290cdad785bac8942ab17ad90c0a41

SHA256
a8b60ca820277a3d6f8fc9b950e84a544ab0643c946243d94bc408b86566f3e6

SHA512
bb83cd4f0776e5363f2dc94ec948df9257899b1945d04ad78847770af95bc716ad36c436395e92029e11fc793a0af99e74fe5312cd10158da837b42eb93a314e

Download Submit
C:\Windows\SysWOW64\Com\netcfg.dll

Filesize
16KB

MD5
d1f6b9273cbb2e23aeed11346d0072c5

SHA1
0d012a7c7b37082dcbd5e1688f72eeade705f825

SHA256
dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc

SHA512
4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

Download Submit
C:\Windows\SysWOW64\Com\smss.exe

Filesize
40KB

MD5
ae1cd1d740c265b7f18f827f9e37afab

SHA1
6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

SHA256
a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

SHA512
c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
92KB

MD5
63c116bb81aec29d3da6427ac0569095

SHA1
fecaa03fd4290cdad785bac8942ab17ad90c0a41

SHA256
a8b60ca820277a3d6f8fc9b950e84a544ab0643c946243d94bc408b86566f3e6

SHA512
bb83cd4f0776e5363f2dc94ec948df9257899b1945d04ad78847770af95bc716ad36c436395e92029e11fc793a0af99e74fe5312cd10158da837b42eb93a314e

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll

Filesize
16KB

MD5
d1f6b9273cbb2e23aeed11346d0072c5

SHA1
0d012a7c7b37082dcbd5e1688f72eeade705f825

SHA256
dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc

SHA512
4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
ae1cd1d740c265b7f18f827f9e37afab

SHA1
6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

SHA256
a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

SHA512
c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
ae1cd1d740c265b7f18f827f9e37afab

SHA1
6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

SHA256
a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

SHA512
c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
ae1cd1d740c265b7f18f827f9e37afab

SHA1
6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

SHA256
a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

SHA512
c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
a475c31bf62b806dc6fcd1c30944265c

SHA1
1f35c6fcf9edff883b30cf1d6938dfedd061d4a3

SHA256
d21d297acb59782cb06ab61d06ba6b07e34fc332f8e00bd51615a0fdd7af534d

SHA512
325d34018fba3263994d9b9187452bff8c4ae32193273f499647b31afacf1d6e28a3d75e1bd8097e42c688d436561e065b7d4f5e1eb3e912949c5e02183de540

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
a475c31bf62b806dc6fcd1c30944265c

SHA1
1f35c6fcf9edff883b30cf1d6938dfedd061d4a3

SHA256
d21d297acb59782cb06ab61d06ba6b07e34fc332f8e00bd51615a0fdd7af534d

SHA512
325d34018fba3263994d9b9187452bff8c4ae32193273f499647b31afacf1d6e28a3d75e1bd8097e42c688d436561e065b7d4f5e1eb3e912949c5e02183de540

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
a475c31bf62b806dc6fcd1c30944265c

SHA1
1f35c6fcf9edff883b30cf1d6938dfedd061d4a3

SHA256
d21d297acb59782cb06ab61d06ba6b07e34fc332f8e00bd51615a0fdd7af534d

SHA512
325d34018fba3263994d9b9187452bff8c4ae32193273f499647b31afacf1d6e28a3d75e1bd8097e42c688d436561e065b7d4f5e1eb3e912949c5e02183de540

Download Submit
\??\c:\users\admin\appdata\local\temp\2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96.exe.log

Filesize
305KB

MD5
456d70ea849a2259771e8380247aacb0

SHA1
6c8d3149b2b7dfb848853f5ad0a4e3c7831a105d

SHA256
2cac37c8a1ce506cbabaee908d7a94fec709a2fca8604cd5645b3433841f3e96

SHA512
1ca08dccfff0b9126e9193ea56274642462a30331866dfd34220a77982a69864ac09ec41a7791dddb07aa6a465c1b25f8fba52f1b3af974a3c51f408aa03ea9d

Download Submit
memory/208-133-0x0000000000000000-mapping.dmp

Download
memory/672-159-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/672-155-0x0000000000000000-mapping.dmp

Download
memory/864-160-0x0000000000000000-mapping.dmp

Download
memory/876-169-0x0000000000000000-mapping.dmp

Download
memory/1112-135-0x0000000000000000-mapping.dmp

Download
memory/1248-144-0x0000000000000000-mapping.dmp

Download
memory/1284-143-0x0000000000000000-mapping.dmp

Download
memory/1296-153-0x0000000000000000-mapping.dmp

Download
memory/1300-166-0x0000000000000000-mapping.dmp

Download
memory/1504-163-0x0000000000000000-mapping.dmp

Download
memory/1948-146-0x0000000000000000-mapping.dmp

Download
memory/2084-172-0x0000000000000000-mapping.dmp

Download
memory/2084-180-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2320-165-0x0000000000000000-mapping.dmp

Download
memory/2524-182-0x0000000000000000-mapping.dmp

Download
memory/3152-161-0x0000000000000000-mapping.dmp

Download
memory/3252-157-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3252-137-0x0000000000000000-mapping.dmp

Download
memory/3252-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3440-184-0x0000000000000000-mapping.dmp

Download
memory/3764-164-0x0000000000000000-mapping.dmp

Download
memory/3780-149-0x0000000000000000-mapping.dmp

Download
memory/3836-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3836-167-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3836-150-0x0000000000000000-mapping.dmp

Download
memory/3836-179-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3916-158-0x0000000000000000-mapping.dmp

Download
memory/4028-145-0x0000000000000000-mapping.dmp

Download
memory/4052-181-0x0000000000000000-mapping.dmp

Download
memory/4064-170-0x0000000000000000-mapping.dmp

Download
memory/4152-134-0x0000000000000000-mapping.dmp

Download
memory/4388-147-0x0000000000000000-mapping.dmp

Download
memory/4396-140-0x0000000000000000-mapping.dmp

Download
memory/4892-162-0x0000000000000000-mapping.dmp

Download
memory/4896-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4896-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4896-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download