luminosity | 905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Size

325KB
MD5

fef59adb2c9f7f2ade645d3107c61f02
SHA1

058acd6926519431406e839c4d05ae682b280394
SHA256

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5
SHA512

f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983
SSDEEP

6144:sxx+xgkm1Je7HwpzGXHNqnTkPD6veXEImKkLiHSh5cQ/ck0HXtP2ouD1:687H7HNqnQ27TmO5sFHAbD

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\303888\\system.exe\""	system.exe

Executes dropped EXE 16 IoCs

pid	Process
1800	iktd5bdk.exe
1820	system.exe
1880	system.exe
524	system.exe
1876	ool-s00y.exe
1744	xzloqei2.exe
1096	system.exe
1880	system.exe
968	f1sodsv0.exe
972	system.exe
1132	system.exe
1176	oobf107k.exe
1564	system.exe
1996	system.exe
1960	ta69omti.exe
1084	system.exe

Loads dropped DLL 14 IoCs

pid	Process
2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
1820	system.exe
1820	system.exe
1096	system.exe
1096	system.exe
972	system.exe
972	system.exe
1564	system.exe
1564	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows System = "\"C:\\ProgramData\\303888\\system.exe\""	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	system.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 1964 set thread context of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1820 set thread context of 524	1820	system.exe	46
PID 1096 set thread context of 1880	1096	system.exe	63
PID 972 set thread context of 1132	972	system.exe	72
PID 1564 set thread context of 1996	1564	system.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1204	PING.EXE
836	PING.EXE
836	PING.EXE
788	PING.EXE
624	PING.EXE
1348	PING.EXE
1704	PING.EXE
1744	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1800	iktd5bdk.exe
1800	iktd5bdk.exe
1820	system.exe
1820	system.exe
1876	ool-s00y.exe
1876	ool-s00y.exe
1744	xzloqei2.exe
1744	xzloqei2.exe
524	system.exe
524	system.exe
524	system.exe
968	f1sodsv0.exe
968	f1sodsv0.exe
1176	oobf107k.exe
1176	oobf107k.exe
1960	ta69omti.exe
1960	ta69omti.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Token: SeDebugPrivilege	1800	iktd5bdk.exe
Token: SeDebugPrivilege	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Token: SeDebugPrivilege	1820	system.exe
Token: SeDebugPrivilege	1876	ool-s00y.exe
Token: SeDebugPrivilege	1744	xzloqei2.exe
Token: SeDebugPrivilege	524	system.exe
Token: SeDebugPrivilege	616	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Token: SeDebugPrivilege	1096	system.exe
Token: SeDebugPrivilege	968	f1sodsv0.exe
Token: SeDebugPrivilege	972	system.exe
Token: SeDebugPrivilege	1176	oobf107k.exe
Token: SeDebugPrivilege	1564	system.exe
Token: SeDebugPrivilege	1960	ta69omti.exe
Token: SeDebugPrivilege	1084	system.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
524	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1516	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	27
PID 2000 wrote to memory of 1516	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	27
PID 2000 wrote to memory of 1516	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	27
PID 2000 wrote to memory of 1516	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	27
PID 1516 wrote to memory of 1348	1516	cmd.exe	29
PID 1516 wrote to memory of 1348	1516	cmd.exe	29
PID 1516 wrote to memory of 1348	1516	cmd.exe	29
PID 1516 wrote to memory of 1348	1516	cmd.exe	29
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 2012	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	30
PID 2000 wrote to memory of 108	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	31
PID 2000 wrote to memory of 108	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	31
PID 2000 wrote to memory of 108	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	31
PID 2000 wrote to memory of 108	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	31
PID 108 wrote to memory of 1528	108	csc.exe	33
PID 108 wrote to memory of 1528	108	csc.exe	33
PID 108 wrote to memory of 1528	108	csc.exe	33
PID 108 wrote to memory of 1528	108	csc.exe	33
PID 2000 wrote to memory of 1800	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	34
PID 2000 wrote to memory of 1800	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	34
PID 2000 wrote to memory of 1800	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	34
PID 2000 wrote to memory of 1800	2000	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	34
PID 1800 wrote to memory of 1964	1800	iktd5bdk.exe	36
PID 1800 wrote to memory of 1964	1800	iktd5bdk.exe	36
PID 1800 wrote to memory of 1964	1800	iktd5bdk.exe	36
PID 1800 wrote to memory of 1964	1800	iktd5bdk.exe	36
PID 1964 wrote to memory of 1912	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	37
PID 1964 wrote to memory of 1912	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	37
PID 1964 wrote to memory of 1912	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	37
PID 1964 wrote to memory of 1912	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	37
PID 1912 wrote to memory of 1704	1912	cmd.exe	39
PID 1912 wrote to memory of 1704	1912	cmd.exe	39
PID 1912 wrote to memory of 1704	1912	cmd.exe	39
PID 1912 wrote to memory of 1704	1912	cmd.exe	39
PID 2012 wrote to memory of 1820	2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	40
PID 2012 wrote to memory of 1820	2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	40
PID 2012 wrote to memory of 1820	2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	40
PID 2012 wrote to memory of 1820	2012	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	40
PID 1820 wrote to memory of 1716	1820	system.exe	41
PID 1820 wrote to memory of 1716	1820	system.exe	41
PID 1820 wrote to memory of 1716	1820	system.exe	41
PID 1820 wrote to memory of 1716	1820	system.exe	41
PID 1716 wrote to memory of 1744	1716	cmd.exe	43
PID 1716 wrote to memory of 1744	1716	cmd.exe	43
PID 1716 wrote to memory of 1744	1716	cmd.exe	43
PID 1716 wrote to memory of 1744	1716	cmd.exe	43
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1964 wrote to memory of 1776	1964	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	44
PID 1820 wrote to memory of 1880	1820	system.exe	45
PID 1820 wrote to memory of 1880	1820	system.exe	45

C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
"C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
  "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\ProgramData\303888\system.exe
    "C:\ProgramData\303888\system.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:1744
  - - C:\ProgramData\303888\system.exe
      "C:\ProgramData\303888\system.exe"
      4⤵
      Executes dropped EXE
      PID:1880
  - - C:\ProgramData\303888\system.exe
      "C:\ProgramData\303888\system.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:524
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzloqei2.cmdline"
      4⤵
      PID:280
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F83.tmp"
        5⤵
        
        PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\xzloqei2.exe
      "C:\Users\Admin\AppData\Local\Temp\xzloqei2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1744
    - - C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        7⤵
        Runs ping.exe
        
        PID:836
      - C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        6⤵
        Executes dropped EXE
        
        PID:1880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1sodsv0.cmdline"
        6⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70EE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC70ED.tmp"
        7⤵
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\f1sodsv0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f1sodsv0.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        9⤵
        Runs ping.exe
        
        PID:836
        
        C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        8⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oobf107k.cmdline"
        8⤵
        
        PID:960
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECFF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF90.tmp"
        9⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\oobf107k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oobf107k.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        10⤵
        
        PID:568
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        11⤵
        Runs ping.exe
        
        PID:788
        
        C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        10⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta69omti.cmdline"
        10⤵
        
        PID:1408
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EE6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC39F5.tmp"
        11⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\ta69omti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ta69omti.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\ProgramData\303888\system.exe
        
        "C:\ProgramData\303888\system.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        12⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        13⤵
        Runs ping.exe
        
        PID:624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iktd5bdk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9149.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9148.tmp"
    3⤵
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\iktd5bdk.exe
  "C:\Users\Admin\AppData\Local\Temp\iktd5bdk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
    "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
      "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
      4⤵
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ool-s00y.cmdline"
      4⤵
      PID:1320
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1EF7.tmp"
        5⤵
        
        PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\ool-s00y.exe
      "C:\Users\Admin\AppData\Local\Temp\ool-s00y.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1876

C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
"C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F07.tmp

Filesize
1KB

MD5
8f3c31980b891d5e7a9595381c45a92a

SHA1
19b4021193fd45b74cfd7742d06e16bab879699c

SHA256
608d8624482e22e8399ee7ec612edec39adcb1ca534be8ca54627cf23aa02a15

SHA512
8bdb070b5af24a2f23df5daf81b6902934c57f92605a0508700e709e943554df5bf28b32d6c12db92bfcc89b6577aefe8e8c3362bca4aed1fa5f2caeddd6f3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp

Filesize
1KB

MD5
688a834e4abde72838b4402e67162376

SHA1
17e0f263890cebba0844403c9575700e2bf6c194

SHA256
5cbb42130bac6bc3877d6348529c66460a82fabbba8cea44eb369871270458be

SHA512
76ab9c99f8145c330ba41b05db8e226ea5976c7ae077267fdfd107f462cb96f4935f5ad2b0c11e661f165259bde3f73e69984337d65d0429312808d5b5d5838a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EE6.tmp

Filesize
1KB

MD5
546e6e0b9fa60cc1f9900615715213b2

SHA1
920c490c0d191e422ba7cd17cf0e38d84071ae2c

SHA256
392be1f0cee715f8888c4ba8fa258f8a9577fb0bf5cb36ad257dc7d8abf6eb9a

SHA512
4315d45fa263b35266c3a4447de39e3d391315b2cc9dc6e7f0163f2d8d800acfa9a4d359f23d246029e133de5e1d1afcdb635bf1aca7e49346136f90d6e9c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70EE.tmp

Filesize
1KB

MD5
3cc29e66fa0d5ae6640172d4ccbad70d

SHA1
fe50c197184801672e525f363c5b776e61072584

SHA256
6c1e2a31fb85a9fd21ec4acb4ada1d514fd5ac1e50ace9d156b40bc3ecbc05d1

SHA512
8e3a0085bb9e05516559ca6af8022b818098b0208da246d8dd1711730590553339ab9cea8011ef882e2ef41106aa87f8228feaed19b95e18880b0a83047febc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9149.tmp

Filesize
1KB

MD5
9d2bbf304ab9e82feb2896036db800f4

SHA1
563c6eb655dc26abfcc290cb1f46e52f2df7ba09

SHA256
7fed337a918dc826496fe4d02645788f63c9604e93c1c40601bfeed17a3b5c58

SHA512
d6800b893ea6406a08fb4b8c4d53530bea1faaa701ee2179cfe3f8cd5cae82862acd794b196ea664e6a88547b5e185ef61431318fa0b4088d83567ed34290327

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECFF.tmp

Filesize
1KB

MD5
d45be14b67bb53ed970fcc9a56bffd10

SHA1
439123c2aa1ea448a53acc940043da04036cb5d7

SHA256
b588eb99fdb2663507715d22a524e9a730a639a84244cd3447dd6dc8b8a21b16

SHA512
d10d3e0b0dc473b09893031540ff40ff581d404f9c59692da5cf1bee45d85588d3541003e3c0dfff501e45d0af1755c04a8a21878a02b6869cece4d2a2f601d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1sodsv0.exe

Filesize
3KB

MD5
57ba2bc08f69aa3a9a91e035225c0aee

SHA1
e7e439b3f0000e1d3ece619082e0fe87d1c389e6

SHA256
623dbaa207c81ae3f8ed80a976c6bd8c7bc80b4cd23e99b784a208d057b44d6f

SHA512
8d037be36f184edefc8b9edbe3eae4144aec90cb5829cb3c9364b4fd01ce5ea114b787d27cd19c3dc299cbe584775442825128b9a5009e21ec8a9cf000c63c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1sodsv0.exe

Filesize
3KB

MD5
57ba2bc08f69aa3a9a91e035225c0aee

SHA1
e7e439b3f0000e1d3ece619082e0fe87d1c389e6

SHA256
623dbaa207c81ae3f8ed80a976c6bd8c7bc80b4cd23e99b784a208d057b44d6f

SHA512
8d037be36f184edefc8b9edbe3eae4144aec90cb5829cb3c9364b4fd01ce5ea114b787d27cd19c3dc299cbe584775442825128b9a5009e21ec8a9cf000c63c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\iktd5bdk.exe

Filesize
3KB

MD5
e81240d7391a8602ce1fcdbf57a0e62a

SHA1
c989b9df20e3f9300bbfc9b95b0deb154269f7e0

SHA256
95ffac8953b5d474f49f71fdd12b63c1602c09cfa545fc0ee549840a25d3b333

SHA512
204a9f40ea143cf387c17e8d0ff487209ffdea3b45a9a688874bb2dd0d1cb99012ff0e9eb62d99db64c64b49e4467dfbe55163138aff1a0f16f6b2bbcd1394e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iktd5bdk.exe

Filesize
3KB

MD5
e81240d7391a8602ce1fcdbf57a0e62a

SHA1
c989b9df20e3f9300bbfc9b95b0deb154269f7e0

SHA256
95ffac8953b5d474f49f71fdd12b63c1602c09cfa545fc0ee549840a25d3b333

SHA512
204a9f40ea143cf387c17e8d0ff487209ffdea3b45a9a688874bb2dd0d1cb99012ff0e9eb62d99db64c64b49e4467dfbe55163138aff1a0f16f6b2bbcd1394e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oobf107k.exe

Filesize
3KB

MD5
29a4601f6bbfbb8f449d266d8739c7dd

SHA1
af50111bdac2de7ae51eb76ed7f91de23d6dd4b6

SHA256
08021894f1a90fe1f310973e79957897cdbe8a99e1b770d66d708fa7080d6bb6

SHA512
a203106668e455a2fc5b6f64ab1bcd38a7b8b3ee57d22652b19ee4e66409501c2a612d68cfc69a09d689cb92de002975c4791239b892d5384eaf32daa18bcb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\oobf107k.exe

Filesize
3KB

MD5
29a4601f6bbfbb8f449d266d8739c7dd

SHA1
af50111bdac2de7ae51eb76ed7f91de23d6dd4b6

SHA256
08021894f1a90fe1f310973e79957897cdbe8a99e1b770d66d708fa7080d6bb6

SHA512
a203106668e455a2fc5b6f64ab1bcd38a7b8b3ee57d22652b19ee4e66409501c2a612d68cfc69a09d689cb92de002975c4791239b892d5384eaf32daa18bcb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ool-s00y.exe

Filesize
3KB

MD5
7db496fa81ea37eb818c2ebfb8e40b01

SHA1
0427fd7da14d8bb6ce3e853bbbbbe7074a0f7862

SHA256
c0b0e660855b786f63cba93f13dcad3e0a09b01ad4a77c79337fa3b46628b316

SHA512
4897aec5dd0cd1abf0f45e25f5d36805ecae400863d5ad2aa5a231addabd241702b1a0033d68ae64b130c748d2bdd0563c18fc43c56f6139ab9c81c7a728a1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ool-s00y.exe

Filesize
3KB

MD5
7db496fa81ea37eb818c2ebfb8e40b01

SHA1
0427fd7da14d8bb6ce3e853bbbbbe7074a0f7862

SHA256
c0b0e660855b786f63cba93f13dcad3e0a09b01ad4a77c79337fa3b46628b316

SHA512
4897aec5dd0cd1abf0f45e25f5d36805ecae400863d5ad2aa5a231addabd241702b1a0033d68ae64b130c748d2bdd0563c18fc43c56f6139ab9c81c7a728a1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta69omti.exe

Filesize
3KB

MD5
9d2c2b3fc75e62a8ffcfe579cf0c1bd3

SHA1
31463125c327502c876d8bec63c21e3bd5bbae87

SHA256
9a9e75498c6740242c02111d2a1b7d4279f1ff4c3d861a4d7530bf35be4ffe59

SHA512
f93be9a1ea7f3f00a00dd58327bc0a67299150c9675607ef032dd7e18389aad3b3b4b15b0d60360c8553b110dfcbf21dcc17b003961f6eb4ce89e293a7ad7e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta69omti.exe

Filesize
3KB

MD5
9d2c2b3fc75e62a8ffcfe579cf0c1bd3

SHA1
31463125c327502c876d8bec63c21e3bd5bbae87

SHA256
9a9e75498c6740242c02111d2a1b7d4279f1ff4c3d861a4d7530bf35be4ffe59

SHA512
f93be9a1ea7f3f00a00dd58327bc0a67299150c9675607ef032dd7e18389aad3b3b4b15b0d60360c8553b110dfcbf21dcc17b003961f6eb4ce89e293a7ad7e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzloqei2.exe

Filesize
3KB

MD5
5a1e090bef4e472fba7e4c356c7ffc4a

SHA1
b24e01b59df42014d91b5fb994be66c87ccd0346

SHA256
b953d75c9715af089c6270cc2efe89c2043a8454e6a743ede44e5ce51bc2efcf

SHA512
08af77e0145a93215945f0b189906ca6dec9b538791a64f7c0a8033316f785ddf4b3ac8ca3b7d71f37c8763f7efcbbd06bac43e8918f786819ba76840c8c2c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzloqei2.exe

Filesize
3KB

MD5
5a1e090bef4e472fba7e4c356c7ffc4a

SHA1
b24e01b59df42014d91b5fb994be66c87ccd0346

SHA256
b953d75c9715af089c6270cc2efe89c2043a8454e6a743ede44e5ce51bc2efcf

SHA512
08af77e0145a93215945f0b189906ca6dec9b538791a64f7c0a8033316f785ddf4b3ac8ca3b7d71f37c8763f7efcbbd06bac43e8918f786819ba76840c8c2c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1EF7.tmp

Filesize
652B

MD5
26ae4f185cac54408d487c2fbeb99d30

SHA1
25bb10a831205b007116b78b0c6efd6e8a13a679

SHA256
88820cad18374c48c2b140462446bec60dab372da6e8bbe74cb7dd360126b109

SHA512
c5bcb150a939a1cc8a2893415c88ea21792471d8d2c8992d3a750973f349cceba28547ea5cf027023fd0c53068cee279e173dd260df3b321312274a8742f9675

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F83.tmp

Filesize
652B

MD5
4bea3ad5c0ff7032a65e03dad327b905

SHA1
893df1164dcf4ecea318fa23f9480d3753fe1f92

SHA256
c66090233fe8bcf1d569422c4a2196967bd8680ed4536adbbcbdafa65048dc43

SHA512
f8c64d54986951e8e90c0f52d4e437c293165c3fd4b153245fd0dccc3e03bd47cd0e8ae635eb035d07e87fabcf84b5e0ff9c1610b6a469144201b1795ce2b422

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC39F5.tmp

Filesize
652B

MD5
0d53bb8e56f5e63a329f22d451744a40

SHA1
98a09000e7aa5e7b93615a44c83fe3cc78dab0be

SHA256
1bcd6b0ad7fff20cb4aad90c3130d5244a0d34455a446fa090c5e49eca925019

SHA512
f45e53705fb32abe941ac31add27adb2b3cac6c2ef1dc83b5c9b5392dc9da36fdce8674a5480c12485d99ec51d363a2670da27964326e96dda5ececeacc5665e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC70ED.tmp

Filesize
652B

MD5
ad9c39972ccd8b7113aedae25661f233

SHA1
7623575f6308e2ccd559a532c00366c20bfd8ca6

SHA256
87cfc4658b1a459b13d3bf27ecc029e62b38287d1b1d5d6003a22a8a46bd8804

SHA512
871bc8fae4ec41e673b00a0d2131dd989817b18441c255d239bfdd8a6d5521e5b18662196454a149ee8d821d83db1017e66d1e24e9f23ec0d53648ed467d389f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9148.tmp

Filesize
652B

MD5
6f7ccac24c8b47e7a86a57525ad3017d

SHA1
4cb04737100270f58a63a7f85c0f187ab0595895

SHA256
eb7fca0a704893df2fc248bb92883102cb55c0d382a132935c540a5397bbe1b0

SHA512
7ebcb1db543bf3f070210fa890bdaca04542fb65a24c700a9deec669c61c7841e561c45d8a9d33947e73ac7d8758516f3ef5bd46563bfcb5c483dd8f5a7ef715

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCF90.tmp

Filesize
652B

MD5
fe7de3d4043adb89527ac5b944410020

SHA1
41eca2041000127ee6a9643e6dc120e57405fe94

SHA256
0ad2c25bb4546e3320d1efcc2d2e0b42dc0391e998b1245add72cc8552a4a684

SHA512
dece0b74b484c24629e6784b921f0b2c60692b5290fdb9ba123902a19c47428c8531fdbdb600246b18821dd0ff6451d32edad21fb725f7570f602805d7ed471f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1sodsv0.0.cs

Filesize
202B

MD5
ac6c967092f24dfff236570af58de253

SHA1
58c2d4519f6a2b9a11cbd3c6482400ff950abd07

SHA256
b74a77408a115e388a408aaa49e8521222dc6d5bd45542bb229e65c248cc2152

SHA512
8b2924491d01622664f8d855b2d7948379229123a28988b3f75d800860fc7ea2f596908c62bce3e2c8d3b14c45c322c2cd2362469b329e83de9df57c72d192a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1sodsv0.cmdline

Filesize
217B

MD5
1e7c259acc9e781794243e21f4d2393b

SHA1
afb14884555f72a9c3bc2a9394763cf77c92c426

SHA256
73e39578ae52435042ea07b83c96cbfb182353698ce14e15bc2275b28bcb0c1b

SHA512
f4cda8bce4d9dcb7c0e09c0340e6c1943ef5b3a0e909db20c446866097a4f6d3a058b200d98676569221945c738eb2db705bc0c157ae67b870e97070f853f257

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iktd5bdk.0.cs

Filesize
272B

MD5
9b2fff4aebed953975b4f4da0b21eeb0

SHA1
9fc0195cc33666a3ace74877e69592f0edd6167f

SHA256
40a319a3ffcf0df98b0d0ceb397a8a0acdaa48de1fbbe5ba364081604afcc6ea

SHA512
96dc564da6c8d8d6d699bf9d7893fc54f610005ef538a69d50e57ec9ca923556af8b9132cf09f60b0d93a6f0d033712a855c263059f1fe0534012d001ac87b6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iktd5bdk.cmdline

Filesize
217B

MD5
bbb04a3858defcab70210f09c7ec53e7

SHA1
ac37c175d408455f735323aae66c1506078ea145

SHA256
1abc22efdfe625ad8f70b36d48a5792f4cdb6eabc5c3861ffb5423086600b7ba

SHA512
b304f04f31bce4ac571d869bf60e2e03bf2cfa44a4d88150f1c57292fe78746a6b2973e3d2f83b8013c1bd26611c16b81d4aa2b69c11c749a245b9e21e9241fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oobf107k.0.cs

Filesize
201B

MD5
ea7405bd841df54721dbf36e90aca14f

SHA1
1d7996a6d9bbdcb4fc5d59bf4c2154aaaa8a4bdb

SHA256
8247a86d61097a15bee7034811bd0e01dd232b12be6d8ae7b5e112d2ca8050a7

SHA512
20b8bbca2e2af653eb84f85d17cbf7429d738e2d660c3af62212be20ca6e6dec68864bdc81c165249f94400bb73698c66c079248253125273625848e42263db2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oobf107k.cmdline

Filesize
217B

MD5
9419d8327eb6210a6ba5c12dcea12b76

SHA1
9dba0203ce1527c9006a5df34ef493bf7fed73f2

SHA256
92918007367d14eee54a99b8b7f4cf5930f58808123bbca84ac4c6f0f98cf078

SHA512
e96be27ed1e0d76dcbbedeed2fd1fa6755027a00247970b06495c87e8fa42e7b592082a35ec7ba53e9b9e679ecd0fdd57f30ee1771c5516c75a17a0eb2b498e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ool-s00y.0.cs

Filesize
272B

MD5
362b64388833dfc8ffc6e5e044a0f8ea

SHA1
becd4070bee935c0540dd51cffbdc226c64c632f

SHA256
8d5646cdb332bb01b93c1eaa106cf626facade22eab93e1272447469ce688b76

SHA512
ef3a826fd439f953d44a3823b8232461c746a2fb4792e9c1a44840dc193b78e18d830d318bbd367ab11e08f4157da8fa280711e2acb22c6b3d0b75c299572b50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ool-s00y.cmdline

Filesize
217B

MD5
c5a72983f8181bbba3d90adde28a71b8

SHA1
7943130604fd0a21d23aa752ce40eaafbf14b647

SHA256
1e5824265658f62cc0d0e26171541b4dbb14c348891cd1268b00550fde286ee6

SHA512
d7f4e2ce56591c00ffc6c71f18a1986ad82c869f029b4c7c8c0822014198b6a8c10aad2b6df61ceb5626d839f2eb0a486105df54894c23aba4493418884166b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta69omti.0.cs

Filesize
202B

MD5
139d04a0679a4ce77a126397bcec0dff

SHA1
32f93ab39ae66e2ef21e96599e82c38106c0869d

SHA256
6b01b034e124da654c11e8400585e40a90410c2bb279ca083b7b52a0f0c90436

SHA512
08896168388689da34d411ee22dac7cfbdeeadddbf20607751c69e59190311bacc77d3d8ac28d613c67563953f58cfb0785b941caf6fb2a0305f4b4e25910065

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta69omti.cmdline

Filesize
217B

MD5
a7412cd188d849b71993b1b9b8975d4f

SHA1
7caae39571a2670920f2533e335fa705337e4e45

SHA256
7467658c200e826c9a1e8f77c2560f9c9e4d654ce4197192e96b506f6606755d

SHA512
41a9f26c66b3ec4a362533df0957c965432f9f42093cb7bb09417c21679f0a4ac5b6e2d6245745ea819d4e5a5f65c1684ada514dedf0b444008b37dd0ecc6c7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzloqei2.0.cs

Filesize
202B

MD5
c47b951cea7c03fffe0ccb5ec7dd858e

SHA1
d2fb136a5021e241da035cc43d9f2fc6356e59d1

SHA256
badf141c3ca25fb2326e9a3108d2e8ac430f01dc329b4dae066e987ba63e288f

SHA512
801e9f288f1424867ef9bb9d9b3d2c8da70bf73459f789769a8a821e48f69b29a247a99e45d03b49173cd674591780a3a14e8ca85f9761cb188ba66eb13bb1cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzloqei2.cmdline

Filesize
217B

MD5
a2c36cbb98ace52aeaf8e6e8e91a0331

SHA1
d2c625efca939409f2ee8e058dea506a1d87fb11

SHA256
ef26f6cd75463f12ec169cbfc04c4e2c1b87bfab346b6e17dc175ba956c6111f

SHA512
7593285affa30198b0e7f392b2d355c0eb943af1eac06d25060efbf55eb492a1a033036570bd21245dc8c763fdf2570bd2d15ce6b12175bd833fa72e65194b8b

Download Submit
\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
\ProgramData\303888\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
\Users\Admin\AppData\Local\Temp\f1sodsv0.exe

Filesize
3KB

MD5
57ba2bc08f69aa3a9a91e035225c0aee

SHA1
e7e439b3f0000e1d3ece619082e0fe87d1c389e6

SHA256
623dbaa207c81ae3f8ed80a976c6bd8c7bc80b4cd23e99b784a208d057b44d6f

SHA512
8d037be36f184edefc8b9edbe3eae4144aec90cb5829cb3c9364b4fd01ce5ea114b787d27cd19c3dc299cbe584775442825128b9a5009e21ec8a9cf000c63c49

Download Submit
\Users\Admin\AppData\Local\Temp\f1sodsv0.exe

Filesize
3KB

MD5
57ba2bc08f69aa3a9a91e035225c0aee

SHA1
e7e439b3f0000e1d3ece619082e0fe87d1c389e6

SHA256
623dbaa207c81ae3f8ed80a976c6bd8c7bc80b4cd23e99b784a208d057b44d6f

SHA512
8d037be36f184edefc8b9edbe3eae4144aec90cb5829cb3c9364b4fd01ce5ea114b787d27cd19c3dc299cbe584775442825128b9a5009e21ec8a9cf000c63c49

Download Submit
\Users\Admin\AppData\Local\Temp\iktd5bdk.exe

Filesize
3KB

MD5
e81240d7391a8602ce1fcdbf57a0e62a

SHA1
c989b9df20e3f9300bbfc9b95b0deb154269f7e0

SHA256
95ffac8953b5d474f49f71fdd12b63c1602c09cfa545fc0ee549840a25d3b333

SHA512
204a9f40ea143cf387c17e8d0ff487209ffdea3b45a9a688874bb2dd0d1cb99012ff0e9eb62d99db64c64b49e4467dfbe55163138aff1a0f16f6b2bbcd1394e1

Download Submit
\Users\Admin\AppData\Local\Temp\iktd5bdk.exe

Filesize
3KB

MD5
e81240d7391a8602ce1fcdbf57a0e62a

SHA1
c989b9df20e3f9300bbfc9b95b0deb154269f7e0

SHA256
95ffac8953b5d474f49f71fdd12b63c1602c09cfa545fc0ee549840a25d3b333

SHA512
204a9f40ea143cf387c17e8d0ff487209ffdea3b45a9a688874bb2dd0d1cb99012ff0e9eb62d99db64c64b49e4467dfbe55163138aff1a0f16f6b2bbcd1394e1

Download Submit
\Users\Admin\AppData\Local\Temp\oobf107k.exe

Filesize
3KB

MD5
29a4601f6bbfbb8f449d266d8739c7dd

SHA1
af50111bdac2de7ae51eb76ed7f91de23d6dd4b6

SHA256
08021894f1a90fe1f310973e79957897cdbe8a99e1b770d66d708fa7080d6bb6

SHA512
a203106668e455a2fc5b6f64ab1bcd38a7b8b3ee57d22652b19ee4e66409501c2a612d68cfc69a09d689cb92de002975c4791239b892d5384eaf32daa18bcb51

Download Submit
\Users\Admin\AppData\Local\Temp\oobf107k.exe

Filesize
3KB

MD5
29a4601f6bbfbb8f449d266d8739c7dd

SHA1
af50111bdac2de7ae51eb76ed7f91de23d6dd4b6

SHA256
08021894f1a90fe1f310973e79957897cdbe8a99e1b770d66d708fa7080d6bb6

SHA512
a203106668e455a2fc5b6f64ab1bcd38a7b8b3ee57d22652b19ee4e66409501c2a612d68cfc69a09d689cb92de002975c4791239b892d5384eaf32daa18bcb51

Download Submit
\Users\Admin\AppData\Local\Temp\ool-s00y.exe

Filesize
3KB

MD5
7db496fa81ea37eb818c2ebfb8e40b01

SHA1
0427fd7da14d8bb6ce3e853bbbbbe7074a0f7862

SHA256
c0b0e660855b786f63cba93f13dcad3e0a09b01ad4a77c79337fa3b46628b316

SHA512
4897aec5dd0cd1abf0f45e25f5d36805ecae400863d5ad2aa5a231addabd241702b1a0033d68ae64b130c748d2bdd0563c18fc43c56f6139ab9c81c7a728a1ec

Download Submit
\Users\Admin\AppData\Local\Temp\ool-s00y.exe

Filesize
3KB

MD5
7db496fa81ea37eb818c2ebfb8e40b01

SHA1
0427fd7da14d8bb6ce3e853bbbbbe7074a0f7862

SHA256
c0b0e660855b786f63cba93f13dcad3e0a09b01ad4a77c79337fa3b46628b316

SHA512
4897aec5dd0cd1abf0f45e25f5d36805ecae400863d5ad2aa5a231addabd241702b1a0033d68ae64b130c748d2bdd0563c18fc43c56f6139ab9c81c7a728a1ec

Download Submit
\Users\Admin\AppData\Local\Temp\ta69omti.exe

Filesize
3KB

MD5
9d2c2b3fc75e62a8ffcfe579cf0c1bd3

SHA1
31463125c327502c876d8bec63c21e3bd5bbae87

SHA256
9a9e75498c6740242c02111d2a1b7d4279f1ff4c3d861a4d7530bf35be4ffe59

SHA512
f93be9a1ea7f3f00a00dd58327bc0a67299150c9675607ef032dd7e18389aad3b3b4b15b0d60360c8553b110dfcbf21dcc17b003961f6eb4ce89e293a7ad7e4e

Download Submit
\Users\Admin\AppData\Local\Temp\ta69omti.exe

Filesize
3KB

MD5
9d2c2b3fc75e62a8ffcfe579cf0c1bd3

SHA1
31463125c327502c876d8bec63c21e3bd5bbae87

SHA256
9a9e75498c6740242c02111d2a1b7d4279f1ff4c3d861a4d7530bf35be4ffe59

SHA512
f93be9a1ea7f3f00a00dd58327bc0a67299150c9675607ef032dd7e18389aad3b3b4b15b0d60360c8553b110dfcbf21dcc17b003961f6eb4ce89e293a7ad7e4e

Download Submit
\Users\Admin\AppData\Local\Temp\xzloqei2.exe

Filesize
3KB

MD5
5a1e090bef4e472fba7e4c356c7ffc4a

SHA1
b24e01b59df42014d91b5fb994be66c87ccd0346

SHA256
b953d75c9715af089c6270cc2efe89c2043a8454e6a743ede44e5ce51bc2efcf

SHA512
08af77e0145a93215945f0b189906ca6dec9b538791a64f7c0a8033316f785ddf4b3ac8ca3b7d71f37c8763f7efcbbd06bac43e8918f786819ba76840c8c2c42

Download Submit
\Users\Admin\AppData\Local\Temp\xzloqei2.exe

Filesize
3KB

MD5
5a1e090bef4e472fba7e4c356c7ffc4a

SHA1
b24e01b59df42014d91b5fb994be66c87ccd0346

SHA256
b953d75c9715af089c6270cc2efe89c2043a8454e6a743ede44e5ce51bc2efcf

SHA512
08af77e0145a93215945f0b189906ca6dec9b538791a64f7c0a8033316f785ddf4b3ac8ca3b7d71f37c8763f7efcbbd06bac43e8918f786819ba76840c8c2c42

Download Submit
memory/524-134-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/524-175-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/616-176-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/616-213-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/616-163-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/968-204-0x000007FEF4A40000-0x000007FEF5463000-memory.dmp

Filesize
10.1MB

Download
memory/972-222-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/972-223-0x00000000002C5000-0x00000000002D6000-memory.dmp

Filesize
68KB

Download
memory/972-210-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/972-242-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1084-286-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-169-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-198-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-205-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-199-0x0000000000175000-0x0000000000186000-memory.dmp

Filesize
68KB

Download
memory/1132-232-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-266-0x0000000000125000-0x0000000000136000-memory.dmp

Filesize
68KB

Download
memory/1564-273-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-279-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-249-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-158-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1776-174-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-132-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-86-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1800-84-0x000007FEF4A40000-0x000007FEF5463000-memory.dmp

Filesize
10.1MB

Download
memory/1820-101-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-160-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-131-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-133-0x0000000002315000-0x0000000002326000-memory.dmp

Filesize
68KB

Download
memory/1876-151-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1880-197-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-113-0x0000000000365000-0x0000000000376000-memory.dmp

Filesize
68KB

Download
memory/1964-114-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-156-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-91-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-267-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-268-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-71-0x0000000001E85000-0x0000000001E96000-memory.dmp

Filesize
68KB

Download
memory/2000-55-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/2000-85-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-58-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-72-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-100-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-173-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download