luminosity | bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
Size

3.1MB
MD5

baa0df2b6b9abb65a20f36a63ec570e8
SHA1

d04bf31a0f2419e00f77a8fab0def33c9f0c82ee
SHA256

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212
SHA512

dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15
SSDEEP

24576:bPgzDvUm2P+JYGWIT+qL19uPxFijutwz310Rj36Vi6GlY/CG:bPgMm22JYRCLvuPxFrK31i3yjsY/C

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe\""	tmp.exe

Executes dropped EXE 5 IoCs

Processes:

tmp.exesysmon.exetmp.exesysmon.exesysmon.exe

pid process

1732 tmp.exe
592 sysmon.exe
1700 tmp.exe
568 sysmon.exe
748 sysmon.exe

pid	process
1732	tmp.exe
592	sysmon.exe
1700	tmp.exe
568	sysmon.exe
748	sysmon.exe

Loads dropped DLL 23 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exetmp.exebbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exesysmon.exetmp.exesysmon.exesysmon.exe

pid	process
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
1700	tmp.exe
1700	tmp.exe
1700	tmp.exe
568	sysmon.exe
568	sysmon.exe
568	sysmon.exe
1700	tmp.exe
1700	tmp.exe
748	sysmon.exe
748	sysmon.exe
748	sysmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe\""	tmp.exe

Drops file in System32 directory 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe tmp.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exesysmon.exe

description	pid	process	target process
PID 1996 set thread context of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 592 set thread context of 568	592	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exetmp.exesysmon.exe

pid	process
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
1732	tmp.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
592	sysmon.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe

pid process

936 bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe

pid	process
936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exetmp.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
Token: 33	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
Token: SeIncBasePriorityPrivilege	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
Token: SeDebugPrivilege	1732	tmp.exe
Token: SeDebugPrivilege	592	sysmon.exe
Token: 33	592	sysmon.exe
Token: SeIncBasePriorityPrivilege	592	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

1732 tmp.exe

pid	process
1732	tmp.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exebbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exesysmon.exetmp.exe

description	pid	process	target process
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 1732	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	tmp.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 1996 wrote to memory of 936	1996	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 936 wrote to memory of 592	936	bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe	sysmon.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 1700	592	sysmon.exe	tmp.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 592 wrote to memory of 568	592	sysmon.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe
PID 1700 wrote to memory of 748	1700	tmp.exe	sysmon.exe

C:\Users\Admin\AppData\Local\Temp\bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
"C:\Users\Admin\AppData\Local\Temp\bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Users\Admin\AppData\Local\Temp\bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
C:\Users\Admin\AppData\Local\Temp\bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:936

C:\ProgramData\147938\sysmon.exe
"C:\ProgramData\147938\sysmon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\ProgramData\147938\sysmon.exe
C:\ProgramData\147938\sysmon.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\ProgramData\147938\sysmon.exe
"C:\ProgramData\147938\sysmon.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
C:\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
C:\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
C:\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
C:\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\ProgramData\147938\sysmon.exe
Filesize
3.1MB

MD5
baa0df2b6b9abb65a20f36a63ec570e8

SHA1
d04bf31a0f2419e00f77a8fab0def33c9f0c82ee

SHA256
bbf84fac4f56a7819964d01819b48500d6771dffe999bf0ae7e5e6b71b2cb212

SHA512
dfe9701a77db1fb02d114467527492c901519373bc4433928987f8745f6a6523298981e3486a17f237a4588540c394c122ecd743de7b3e8e355f11261a9d1e15

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
365KB

MD5
efb53517cf3879d9909f81d8c4d37c0c

SHA1
e21a324695d8ebd5b70fb73cb9599a1e4c17c20c

SHA256
0fcb0b9c18669cefb3194664752dd0a4b57d1fb79923d433b1133dd99486f9db

SHA512
b58ba2ed9541fe04b3e32952475cd5cf8de8caf47ccb19784ba86aa5165f112e8a12b043a0512b4ecc5870542598d62a0f66c8c3701956eb61d836a9e0064ace

Download Submit
memory/568-116-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/568-104-0x000000000045CF0E-mapping.dmp

Download
memory/592-87-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/592-80-0x0000000000000000-mapping.dmp

Download
memory/592-117-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/748-127-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/748-121-0x0000000000000000-mapping.dmp

Download
memory/936-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-75-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-129-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/936-131-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/936-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-71-0x000000000045CF0E-mapping.dmp

Download
memory/936-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/936-78-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-132-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-130-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-111-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-90-0x0000000000000000-mapping.dmp

Download
memory/1732-77-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1732-128-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-107-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download