luminosity | ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

Analysis

max time kernel
182s
max time network
170s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
Size

598KB
MD5

988c93c1604be2107921463122471e5c
SHA1

5267b6437962f8360dbfb910498a46cae63b19a9
SHA256

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157
SHA512

591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb
SSDEEP

12288:yeFSHA02FWBtTsEsfoOYxdY1TQT1t6AIlZu13AL:yAS6WrA9fo38TC1tJ9U

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Windows Explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\878521\\Windows Explorer.exe\""	Windows Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	Windows Explorer.exe

Executes dropped EXE 7 IoCs

Processes:

rxkulyt1.exehykda-da.exeWindows Explorer.exe15yzlbat.exeWindows Explorer.exeWindows Explorer.exedwjsb-b0.exe

pid process

1912 rxkulyt1.exe
1184 hykda-da.exe
1860 Windows Explorer.exe
920 15yzlbat.exe
1740 Windows Explorer.exe
1360 Windows Explorer.exe
1796 dwjsb-b0.exe

pid	process
1912	rxkulyt1.exe
1184	hykda-da.exe
1860	Windows Explorer.exe
920	15yzlbat.exe
1740	Windows Explorer.exe
1360	Windows Explorer.exe
1796	dwjsb-b0.exe

Loads dropped DLL 10 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeWindows Explorer.exe

pid	process
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1924	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1924	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1004	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1004	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1860	Windows Explorer.exe
1860	Windows Explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Explorer = "\"C:\\ProgramData\\878521\\Windows Explorer.exe\""	Windows Explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

Windows Explorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	Windows Explorer.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	Windows Explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeWindows Explorer.exe

description	pid	process	target process
PID 1036 set thread context of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1004 set thread context of 1532	1004	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1860 set thread context of 1360	1860	Windows Explorer.exe	Windows Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1764 PING.EXE
832 PING.EXE
1336 PING.EXE
1364 PING.EXE
1100 PING.EXE

pid	process
1764	PING.EXE
832	PING.EXE
1336	PING.EXE
1364	PING.EXE
1100	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exerxkulyt1.exe15yzlbat.exeWindows Explorer.exeWindows Explorer.exedwjsb-b0.exe

pid	process
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
1912	rxkulyt1.exe
920	15yzlbat.exe
920	15yzlbat.exe
1860	Windows Explorer.exe
1860	Windows Explorer.exe
1360	Windows Explorer.exe
1796	dwjsb-b0.exe
1796	dwjsb-b0.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe

pid process

1924 ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe

pid	process
1924	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exerxkulyt1.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exeWindows Explorer.exe15yzlbat.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exedwjsb-b0.exeWindows Explorer.exe

description	pid	process
Token: SeDebugPrivilege	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
Token: SeDebugPrivilege	1912	rxkulyt1.exe
Token: SeDebugPrivilege	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
Token: SeDebugPrivilege	1004	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
Token: SeDebugPrivilege	1860	Windows Explorer.exe
Token: SeDebugPrivilege	920	15yzlbat.exe
Token: SeDebugPrivilege	1992	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
Token: SeDebugPrivilege	1796	dwjsb-b0.exe
Token: SeDebugPrivilege	1360	Windows Explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Explorer.exe

pid process

1360 Windows Explorer.exe

pid	process
1360	Windows Explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.execmd.execsc.exerxkulyt1.exeba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 1164	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1688 wrote to memory of 1164	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1688 wrote to memory of 1164	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1688 wrote to memory of 1164	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1164 wrote to memory of 1364	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 1364	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 1364	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 1364	1164	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1764	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1764	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1764	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1764	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 540	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 540	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 540	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 540	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 676	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 676	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 676	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 676	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1664	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1664	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1664	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1664	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1492	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1492	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1492	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1492	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1688 wrote to memory of 1080	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1688 wrote to memory of 1080	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1688 wrote to memory of 1080	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1688 wrote to memory of 1080	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1080 wrote to memory of 1004	1080	csc.exe	cvtres.exe
PID 1080 wrote to memory of 1004	1080	csc.exe	cvtres.exe
PID 1080 wrote to memory of 1004	1080	csc.exe	cvtres.exe
PID 1080 wrote to memory of 1004	1080	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1912	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	rxkulyt1.exe
PID 1688 wrote to memory of 1912	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	rxkulyt1.exe
PID 1688 wrote to memory of 1912	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	rxkulyt1.exe
PID 1688 wrote to memory of 1912	1688	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	rxkulyt1.exe
PID 1912 wrote to memory of 1036	1912	rxkulyt1.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1912 wrote to memory of 1036	1912	rxkulyt1.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1912 wrote to memory of 1036	1912	rxkulyt1.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1912 wrote to memory of 1036	1912	rxkulyt1.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 828	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1036 wrote to memory of 828	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1036 wrote to memory of 828	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 1036 wrote to memory of 828	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	cmd.exe
PID 828 wrote to memory of 1100	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1100	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1100	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1100	828	cmd.exe	PING.EXE
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1924	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
PID 1036 wrote to memory of 1976	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1036 wrote to memory of 1976	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe
PID 1036 wrote to memory of 1976	1036	ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
"C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
  2⤵
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
  2⤵
  PID:540
- C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxkulyt1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES591A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5919.tmp"
    3⤵
    PID:1004
- C:\Users\Admin\AppData\Local\Temp\rxkulyt1.exe
  "C:\Users\Admin\AppData\Local\Temp\rxkulyt1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
    "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
      "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: RenamesItself
      PID:1924
    - - C:\ProgramData\878521\Windows Explorer.exe
        
        "C:\ProgramData\878521\Windows Explorer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        6⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        7⤵
        Runs ping.exe
        
        PID:832
      - C:\ProgramData\878521\Windows Explorer.exe
        
        "C:\ProgramData\878521\Windows Explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1740
      - C:\ProgramData\878521\Windows Explorer.exe
        
        "C:\ProgramData\878521\Windows Explorer.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1360
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dwjsb-b0.cmdline"
        6⤵
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC314E.tmp"
        7⤵
        
        PID:1080
      - C:\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 476
        7⤵
        
        PID:852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hykda-da.cmdline"
      4⤵
      PID:1976
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB888.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4C0.tmp"
        5⤵
        
        PID:852
  - - C:\Users\Admin\AppData\Local\Temp\hykda-da.exe
      "C:\Users\Admin\AppData\Local\Temp\hykda-da.exe"
      4⤵
      Executes dropped EXE
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        6⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        7⤵
        Runs ping.exe
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
        6⤵
        
        PID:1532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15yzlbat.cmdline"
        6⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2001.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2000.tmp"
        7⤵
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\15yzlbat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\15yzlbat.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        8⤵
        
        PID:776
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        9⤵
        Runs ping.exe
        
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
C:\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
C:\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
C:\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yzlbat.exe

Filesize
3KB

MD5
06ce6672836b21261fca28283da8b004

SHA1
9f1e4ef5fdb649c0b6953a1f8aea84dd38f5f587

SHA256
9614b5c10815a25448217c8b01b73593b40f879fb0c329a692a679b47ec9315e

SHA512
0f4ca3543d7a432c161fa39c157851595851a26691e88a928cde715c907502976d348fb6dc05118e4621fe7a82c9766ed54dec04fda75253cf3fe3ac07268588

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yzlbat.exe

Filesize
3KB

MD5
06ce6672836b21261fca28283da8b004

SHA1
9f1e4ef5fdb649c0b6953a1f8aea84dd38f5f587

SHA256
9614b5c10815a25448217c8b01b73593b40f879fb0c329a692a679b47ec9315e

SHA512
0f4ca3543d7a432c161fa39c157851595851a26691e88a928cde715c907502976d348fb6dc05118e4621fe7a82c9766ed54dec04fda75253cf3fe3ac07268588

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2001.tmp

Filesize
1KB

MD5
f759d57af8e8feffab0e64763a6361d2

SHA1
c8118b8f45604295c006bea6e5939aa3422c84cd

SHA256
d9f5fe2a92857280477c94501041ecf0eaae947214b61438d37817edc8ec04cf

SHA512
96d7e03c4f9a3d6341e4684c758f131a4178c67cfa2d2b9acc1b77e8f7940b4ca9089f1c1335365c79519fa6c2114f13b4a278ba61f8692e5192f83fc2d80565

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES511E.tmp

Filesize
1KB

MD5
4934b494ac7b613298cfe22d8a492771

SHA1
25a6d50572fbaf69eb458a738374c8fec1cf2768

SHA256
a7198a129cc20247912f0fd1480f587fcf6de197f1c323f507288cf5655511ba

SHA512
2f4902df1883baca40f76b4dc2e4cf0603cb5e32e8f335cef542ef4ade290b5cafb851df25bd8ae2386fb64c5b8b51e2dd8651ee8e3ed3dfda95f4df19879478

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES591A.tmp

Filesize
1KB

MD5
660cb7d424cfc78e046638acf6d0bc11

SHA1
85a2b52df17fef0a60d39872b4ca7f4b0d7c5ddc

SHA256
13f3360c10e817ce939d888e31703ff6b3fbe7fc84f2318cd594ba8b39b7e396

SHA512
e6f40316447fd012ba2e1560165f3dab739f26a575497ff1b9663438c977227d5c51fa7fc3e72fd3a4cbc2c1e6834942a78f172bf151bd49c235fa073023642a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB888.tmp

Filesize
1KB

MD5
1ac119141de45e4ec141ef8b3965fe43

SHA1
a3f46b503e305bf1eb29e27e74ec8090ed265527

SHA256
9319709815761b29a8c3921372f2c693ba83c9def87e1051e691b2a936348e13

SHA512
8540ea1cf4f69abe392cb16c0c62fbb3193b2c225aa5ffbcf3e94eb0aa6bc00213b47132240fea76788bd5ce9d79e027af12a58d32478fda5cca5e6632f09728

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe

Filesize
3KB

MD5
a7ef10b409987630554af5746ed3a603

SHA1
50f1dfae500af1a9034770ebcb646f57cc54f883

SHA256
a408847531f71aaf05f20e0a22c723d835c6ff43832484d852604e2bd1f9aeee

SHA512
b98ebabcdacc92968f2d3f35d6ace93269fa3dad72f77684729ba41cb97b01b62e0cb4fe879cf18041555151569c8a11f6ed26e819c4d64cabe48175140e8bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe

Filesize
3KB

MD5
a7ef10b409987630554af5746ed3a603

SHA1
50f1dfae500af1a9034770ebcb646f57cc54f883

SHA256
a408847531f71aaf05f20e0a22c723d835c6ff43832484d852604e2bd1f9aeee

SHA512
b98ebabcdacc92968f2d3f35d6ace93269fa3dad72f77684729ba41cb97b01b62e0cb4fe879cf18041555151569c8a11f6ed26e819c4d64cabe48175140e8bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hykda-da.exe

Filesize
3KB

MD5
c0f51e939a14144c54046a1f143a5625

SHA1
48ad5cc6a97405c36c8ee4e988e78b94b15bae12

SHA256
901987c22b044698df43630723cdae79f01f979d8ac3edff406fbdfbf0c658cd

SHA512
d3a9c4acdd17289b9fd365c56667191caf4933c7b374c4e9e644e3e36e8e035f68f8dc450b886eccf8acc04b51b75aa0d628b0f61f3c655749e5d30ddec4ad2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hykda-da.exe

Filesize
3KB

MD5
c0f51e939a14144c54046a1f143a5625

SHA1
48ad5cc6a97405c36c8ee4e988e78b94b15bae12

SHA256
901987c22b044698df43630723cdae79f01f979d8ac3edff406fbdfbf0c658cd

SHA512
d3a9c4acdd17289b9fd365c56667191caf4933c7b374c4e9e644e3e36e8e035f68f8dc450b886eccf8acc04b51b75aa0d628b0f61f3c655749e5d30ddec4ad2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxkulyt1.exe

Filesize
3KB

MD5
bca845ab39269b10eb306419ccc489f4

SHA1
fb74f2f56dacd1eb4d13e01d5d2b4f3736776bc0

SHA256
01eb7aa6d43f0d1db30d818a59fea510a0cff366cb28d52d8181fe4958e49399

SHA512
586d1e067bca6ec0174ddaed5ffb74caac5a3f2ce5e7262a5e0ff985f71562cc5a7616d4accbcee390c23d222312af6421457f4189ce813b1baa340d03ea8411

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxkulyt1.exe

Filesize
3KB

MD5
bca845ab39269b10eb306419ccc489f4

SHA1
fb74f2f56dacd1eb4d13e01d5d2b4f3736776bc0

SHA256
01eb7aa6d43f0d1db30d818a59fea510a0cff366cb28d52d8181fe4958e49399

SHA512
586d1e067bca6ec0174ddaed5ffb74caac5a3f2ce5e7262a5e0ff985f71562cc5a7616d4accbcee390c23d222312af6421457f4189ce813b1baa340d03ea8411

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\15yzlbat.0.cs

Filesize
272B

MD5
8036ac37d39fefd1bed135933566dec4

SHA1
665213d7d096d251d90b352d0210043e52afabf4

SHA256
a3b77eccea10862d99f09d6599de23ce1c7f6d6991d32bbf36abec591e43eb86

SHA512
e94b58c7d8feed80c66148ddac47ca375df9226bbffbdc79cf36bb621194a51bccd32ea025f09da71eb0c9af2e0adee061c91e1e63cb3ee78c6a30a41476c645

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\15yzlbat.cmdline

Filesize
187B

MD5
78513af2813b76c4fc2efa62ff1e87dc

SHA1
c0526e19aa95b3322c6dbeb3568f369bce0d082e

SHA256
9ee9aca0506588dfed9a5353060f53ba21aee47f2a8c2662bbd56fe50a21a939

SHA512
db673ee280e52deffe9e9140d2813578aee292a46aa457315413a3cbc46d1e730147f7723ba8d1de73e41e6283c50d030f7999df84a2abdd185c5958ac08c664

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2000.tmp

Filesize
652B

MD5
e5d69ab6e452cb2c42ec85c6c069be0a

SHA1
2f8ba813b49a0a62dae6762a3da79319f4942f00

SHA256
73b299e547ef60a51dab6d5b1dd49a459586a4eb57f38f807427fbbd8427ef5e

SHA512
0afc5889bec4c66aba48007f1d5a5b090bd87c20d57670f63fa29c7a7c12909735e21b29718a4f2d291dbb50ce7fba22618f92045ec32a4d4b53dbd1fe1af3cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC314E.tmp

Filesize
652B

MD5
1680fb5c452a5edfad52addf93c03262

SHA1
0b9ef901b8c87e4fd733d91a2067f024c2a82b1b

SHA256
092650595e6f669208228c9431f7cf418e7c7bedc771cb2b9b6c22e8c86fb109

SHA512
adcd16ccae962f4ba77ff0d0ed1e847a3681aebbc46cd15f4fab144a451204cab57c85d29c432378c653ec049e1155f455ae3390ee559fd86ec31937fb5845a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5919.tmp

Filesize
652B

MD5
2e7bc5f7d371f41d6f010d56d139258a

SHA1
6fc51ff9e7804c9a14e6640546ba679647711433

SHA256
0005bb77501f962ced618a5e20def023e8374235e9b465c42a9f19e1fca871c1

SHA512
a8fdddba8f1386aa9d9464a4d5dc19066706c7799dad136cfec6303420b42cf514d6b900cb36bbfe8473da3e1a01085b244387f6f8ff29ade408b9f95c2c7447

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB4C0.tmp

Filesize
652B

MD5
e3ada82e45ae051edcad1a4e002e314f

SHA1
9759315b5f724f31b8f6acbd8aa2049ee24cfea9

SHA256
20ddbdb78d4042434fa4625083f44308e941b2c2687447695096604b897cfee3

SHA512
5beab62584bd5de667be18af686e08d1460f5d4f7eabea865c6ffb2addf737c269f56b27254970ca1592b26a7af0233271ee01fb49c679adf140e20edee7873d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dwjsb-b0.0.cs

Filesize
212B

MD5
7b13d09df6f0356a1bf703b2d42dfac3

SHA1
0164b7339412b4696f0d571fbc9952a224ada651

SHA256
f75bde2e60ac2f7810270c8eb97f9fee9c5ffa77f5adf77899987a7cc081547d

SHA512
00a23c2f21c0b1799c121ffc662f77b1cd4382e5e6cffccdb7947ffe8725bacb01fc4cd0fd93cc7d42585a331d8dfb1c238e56089c0fcfac9363dc81d9afbb36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dwjsb-b0.cmdline

Filesize
187B

MD5
1b5363de7e0595bd5048246a762da942

SHA1
5ef57c0866e49d70700170c2b16fb6306ddb7ea8

SHA256
5a8d434f675dd542e4fe6dbcb060056204b3b195d76d03a572e3301c19d07136

SHA512
ea4529b4e73cc197ce379fdb6c9944cb1c415d12a79dc71c16a7702aed8c0ebae31ee6848eb1a5f671c1314301abeedcd782400805b95f7542ac8c6422aaa210

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hykda-da.0.cs

Filesize
272B

MD5
520c326b412a3577d2fa20523bf626a7

SHA1
40129eeae62d285a46d5c388e6179b5e91132747

SHA256
59e67ccfe00aa42d09b77c1ff3cd4c0e5dd79b6fd552ad3126c577f1c86c8a3b

SHA512
7c9308b17e1e16462ac2ec9713d4548238065aa5a9f5285891623c737b9a3055c448e62caebfd1ce1452bb0b14334d58f8e6ad9adade4ee73d6037ebb9f775e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hykda-da.cmdline

Filesize
187B

MD5
bdf024476ba7a863b39db212319c7dc5

SHA1
3f88f5726f7b75ed440cbf20a319c2ecd499471d

SHA256
e3fe77118bf07c12f2e692cbb9581c2ad25a14e4cfa2bdcef00b2bc568d13236

SHA512
a69697b4157dfb249d97208e26e36b28f5d19b10c75227c0822a77ae89c6c26fe517ed8ad1caa40558996b15b9495c6864d9eb13f5dccfd49911773db00e9680

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxkulyt1.0.cs

Filesize
272B

MD5
cf440be4020d1acbe7325eabf9c9adc8

SHA1
5965c7cd5d0097c6054cc9ffc410362b2361c1fe

SHA256
d9bc6ecb4e165e4b08e5caaaa736757146062d32ee652d1d644fd6fca609561f

SHA512
37ce81de8887bda25aee58b4505d42c48dbfd7752ee4e570b5ea01bf9eee9bdeca24ad8b4aa8855db5a79dccbcc87ce5d56c520af26653f8dc3884a2b717c7fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxkulyt1.cmdline

Filesize
187B

MD5
98f572bd5751ba0c062eaed98c910b7a

SHA1
9e1a0c9dc8ae949f8bcf532ec9f742e792b9af96

SHA256
03a0600ee90d3818c9e7f290fa159e8c8c1dc964487cb501e54126c66660c6d0

SHA512
f6cb4be1a0f7bc617b782bb0909420df2a41b7f2f6604697a2f9370924c46bf0c33953d219abecbaef0ed79874f74cfd015b07e471ac298d03d868de792222da

Download Submit
\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
\ProgramData\878521\Windows Explorer.exe

Filesize
598KB

MD5
988c93c1604be2107921463122471e5c

SHA1
5267b6437962f8360dbfb910498a46cae63b19a9

SHA256
ba7493b37a3f341c4af47f07c02f261526fe180247fdd48b3060fccd438ed157

SHA512
591d3908d6ea6f6d8c543f0c3b346ff5508803c5c8dc9b3046341e5c35890c80458ce54d88dbb005f7c8f5b7aeff28b60204bca7bfda5fb4dda76120421420eb

Download Submit
\Users\Admin\AppData\Local\Temp\15yzlbat.exe

Filesize
3KB

MD5
06ce6672836b21261fca28283da8b004

SHA1
9f1e4ef5fdb649c0b6953a1f8aea84dd38f5f587

SHA256
9614b5c10815a25448217c8b01b73593b40f879fb0c329a692a679b47ec9315e

SHA512
0f4ca3543d7a432c161fa39c157851595851a26691e88a928cde715c907502976d348fb6dc05118e4621fe7a82c9766ed54dec04fda75253cf3fe3ac07268588

Download Submit
\Users\Admin\AppData\Local\Temp\15yzlbat.exe

Filesize
3KB

MD5
06ce6672836b21261fca28283da8b004

SHA1
9f1e4ef5fdb649c0b6953a1f8aea84dd38f5f587

SHA256
9614b5c10815a25448217c8b01b73593b40f879fb0c329a692a679b47ec9315e

SHA512
0f4ca3543d7a432c161fa39c157851595851a26691e88a928cde715c907502976d348fb6dc05118e4621fe7a82c9766ed54dec04fda75253cf3fe3ac07268588

Download Submit
\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe

Filesize
3KB

MD5
a7ef10b409987630554af5746ed3a603

SHA1
50f1dfae500af1a9034770ebcb646f57cc54f883

SHA256
a408847531f71aaf05f20e0a22c723d835c6ff43832484d852604e2bd1f9aeee

SHA512
b98ebabcdacc92968f2d3f35d6ace93269fa3dad72f77684729ba41cb97b01b62e0cb4fe879cf18041555151569c8a11f6ed26e819c4d64cabe48175140e8bb1

Download Submit
\Users\Admin\AppData\Local\Temp\dwjsb-b0.exe

Filesize
3KB

MD5
a7ef10b409987630554af5746ed3a603

SHA1
50f1dfae500af1a9034770ebcb646f57cc54f883

SHA256
a408847531f71aaf05f20e0a22c723d835c6ff43832484d852604e2bd1f9aeee

SHA512
b98ebabcdacc92968f2d3f35d6ace93269fa3dad72f77684729ba41cb97b01b62e0cb4fe879cf18041555151569c8a11f6ed26e819c4d64cabe48175140e8bb1

Download Submit
\Users\Admin\AppData\Local\Temp\hykda-da.exe

Filesize
3KB

MD5
c0f51e939a14144c54046a1f143a5625

SHA1
48ad5cc6a97405c36c8ee4e988e78b94b15bae12

SHA256
901987c22b044698df43630723cdae79f01f979d8ac3edff406fbdfbf0c658cd

SHA512
d3a9c4acdd17289b9fd365c56667191caf4933c7b374c4e9e644e3e36e8e035f68f8dc450b886eccf8acc04b51b75aa0d628b0f61f3c655749e5d30ddec4ad2f

Download Submit
\Users\Admin\AppData\Local\Temp\hykda-da.exe

Filesize
3KB

MD5
c0f51e939a14144c54046a1f143a5625

SHA1
48ad5cc6a97405c36c8ee4e988e78b94b15bae12

SHA256
901987c22b044698df43630723cdae79f01f979d8ac3edff406fbdfbf0c658cd

SHA512
d3a9c4acdd17289b9fd365c56667191caf4933c7b374c4e9e644e3e36e8e035f68f8dc450b886eccf8acc04b51b75aa0d628b0f61f3c655749e5d30ddec4ad2f

Download Submit
\Users\Admin\AppData\Local\Temp\rxkulyt1.exe

Filesize
3KB

MD5
bca845ab39269b10eb306419ccc489f4

SHA1
fb74f2f56dacd1eb4d13e01d5d2b4f3736776bc0

SHA256
01eb7aa6d43f0d1db30d818a59fea510a0cff366cb28d52d8181fe4958e49399

SHA512
586d1e067bca6ec0174ddaed5ffb74caac5a3f2ce5e7262a5e0ff985f71562cc5a7616d4accbcee390c23d222312af6421457f4189ce813b1baa340d03ea8411

Download Submit
\Users\Admin\AppData\Local\Temp\rxkulyt1.exe

Filesize
3KB

MD5
bca845ab39269b10eb306419ccc489f4

SHA1
fb74f2f56dacd1eb4d13e01d5d2b4f3736776bc0

SHA256
01eb7aa6d43f0d1db30d818a59fea510a0cff366cb28d52d8181fe4958e49399

SHA512
586d1e067bca6ec0174ddaed5ffb74caac5a3f2ce5e7262a5e0ff985f71562cc5a7616d4accbcee390c23d222312af6421457f4189ce813b1baa340d03ea8411

Download Submit
memory/776-157-0x0000000000000000-mapping.dmp

Download
memory/828-78-0x0000000000000000-mapping.dmp

Download
memory/832-120-0x0000000000000000-mapping.dmp

Download
memory/852-99-0x0000000000000000-mapping.dmp

Download
memory/852-193-0x0000000000000000-mapping.dmp

Download
memory/884-138-0x0000000000000000-mapping.dmp

Download
memory/920-147-0x0000000000000000-mapping.dmp

Download
memory/920-149-0x000007FEF4580000-0x000007FEF4FA3000-memory.dmp

Filesize
10.1MB

Download
memory/1004-64-0x0000000000000000-mapping.dmp

Download
memory/1004-130-0x0000000000785000-0x0000000000796000-memory.dmp

Filesize
68KB

Download
memory/1004-112-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-152-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-131-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-76-0x0000000000000000-mapping.dmp

Download
memory/1036-89-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-80-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-85-0x00000000005A5000-0x00000000005B6000-memory.dmp

Filesize
68KB

Download
memory/1036-108-0x00000000005A5000-0x00000000005B6000-memory.dmp

Filesize
68KB

Download
memory/1036-107-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-61-0x0000000000000000-mapping.dmp

Download
memory/1080-177-0x0000000000000000-mapping.dmp

Download
memory/1100-79-0x0000000000000000-mapping.dmp

Download
memory/1164-56-0x0000000000000000-mapping.dmp

Download
memory/1184-105-0x0000000000000000-mapping.dmp

Download
memory/1336-158-0x0000000000000000-mapping.dmp

Download
memory/1360-176-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-166-0x000000000045CF0E-mapping.dmp

Download
memory/1360-196-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-57-0x0000000000000000-mapping.dmp

Download
memory/1460-119-0x0000000000000000-mapping.dmp

Download
memory/1516-110-0x0000000000000000-mapping.dmp

Download
memory/1532-187-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-181-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-129-0x000000000045CF0E-mapping.dmp

Download
memory/1532-150-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-141-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-59-0x00000000020C5000-0x00000000020D6000-memory.dmp

Filesize
68KB

Download
memory/1688-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1688-73-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-60-0x00000000020C5000-0x00000000020D6000-memory.dmp

Filesize
68KB

Download
memory/1688-55-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-74-0x00000000020C5000-0x00000000020D6000-memory.dmp

Filesize
68KB

Download
memory/1748-168-0x0000000000000000-mapping.dmp

Download
memory/1764-111-0x0000000000000000-mapping.dmp

Download
memory/1796-190-0x000007FEF44E0000-0x000007FEF4F03000-memory.dmp

Filesize
10.1MB

Download
memory/1796-186-0x0000000000000000-mapping.dmp

Download
memory/1860-121-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-132-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-182-0x00000000021D5000-0x00000000021E6000-memory.dmp

Filesize
68KB

Download
memory/1860-191-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-115-0x0000000000000000-mapping.dmp

Download
memory/1860-151-0x00000000021D5000-0x00000000021E6000-memory.dmp

Filesize
68KB

Download
memory/1912-75-0x000007FEFC191000-0x000007FEFC193000-memory.dmp

Filesize
8KB

Download
memory/1912-72-0x000007FEF4580000-0x000007FEF4FA3000-memory.dmp

Filesize
10.1MB

Download
memory/1912-70-0x0000000000000000-mapping.dmp

Download
memory/1924-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-94-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-81-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-122-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-188-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-98-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-92-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1924-88-0x000000000045CF0E-mapping.dmp

Download
memory/1976-90-0x0000000000000000-mapping.dmp

Download
memory/1992-156-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-183-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-195-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-154-0x0000000000000000-mapping.dmp

Download