c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe
Size

309KB
MD5

c99e8e48a1d28dbca548020dd3571072
SHA1

d011dc4f61fbdc2cdb6a8f8672318098435074e8
SHA256

c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6
SHA512

7017a958f2edb6c4b0cb8c87a1fc66052d7cb1c01c1249a688240d078bdb506862de7cbab5c15916150529d88f0916987bd519ce4d0b646aedbae13a3089a861
SSDEEP

6144:lhRifAX7WuXXAHEI+UPiO5sxK4rXjXyYODfjBgoRC088Gx2k:XLhQ+bOOT2fdg4O8G8k

Score

8^/10

persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

1.exe5913.exegy.exe520.exesvchost.exegemuas.exesvchost.exe

pid process

1944 1.exe
1900 5913.exe
520 gy.exe
1712 520.exe
1144 svchost.exe
1272 gemuas.exe
728 svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5913.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServicesTest\Parameters\ServiceDll = "C:\\Windows\\ServicesTest.dll"	5913.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gy.exe	upx
C:\Users\Admin\AppData\Local\Temp\gy.exe	upx
\Users\Admin\AppData\Local\Temp\gy.exe	upx
\Users\Admin\AppData\Local\Temp\gy.exe	upx
C:\Users\Admin\AppData\Local\Temp\gy.exe	upx
\Users\Admin\AppData\Local\Temp\gy.exe	upx
\Users\Admin\AppData\Local\Temp\gy.exe	upx
C:\Windows\gemuas.exe	upx
behavioral1/memory/520-106-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1272-108-0x0000000000400000-0x0000000000410000-memory.dmp	upx
C:\Windows\gemuas.exe	upx
behavioral1/memory/1272-113-0x0000000000400000-0x0000000000410000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\5913.exe	vmprotect
C:\5913.exe	vmprotect
behavioral1/memory/1900-64-0x00000000001B0000-0x00000000001F7000-memory.dmp	vmprotect
\??\c:\windows\servicestest.dll	vmprotect
behavioral1/memory/2036-66-0x00000000740A0000-0x00000000740E7000-memory.dmp	vmprotect
behavioral1/memory/1900-68-0x00000000001B0000-0x00000000001F7000-memory.dmp	vmprotect
behavioral1/memory/2036-72-0x00000000740A0000-0x00000000740E7000-memory.dmp	vmprotect

Loads dropped DLL 17 IoCs

Processes:

1.exegy.exe520.exesvchost.exegemuas.exe

pid	process
1944	1.exe
1944	1.exe
1944	1.exe
520	gy.exe
520	gy.exe
520	gy.exe
1944	1.exe
1944	1.exe
1712	520.exe
1712	520.exe
1712	520.exe
1712	520.exe
1712	520.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1272	gemuas.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gemuas.exe

description	ioc	process
File opened (read-only)	\??\R:	gemuas.exe
File opened (read-only)	\??\S:	gemuas.exe
File opened (read-only)	\??\U:	gemuas.exe
File opened (read-only)	\??\W:	gemuas.exe
File opened (read-only)	\??\K:	gemuas.exe
File opened (read-only)	\??\F:	gemuas.exe
File opened (read-only)	\??\N:	gemuas.exe
File opened (read-only)	\??\E:	gemuas.exe
File opened (read-only)	\??\L:	gemuas.exe
File opened (read-only)	\??\M:	gemuas.exe
File opened (read-only)	\??\O:	gemuas.exe
File opened (read-only)	\??\V:	gemuas.exe
File opened (read-only)	\??\X:	gemuas.exe
File opened (read-only)	\??\Y:	gemuas.exe
File opened (read-only)	\??\Z:	gemuas.exe
File opened (read-only)	\??\J:	gemuas.exe
File opened (read-only)	\??\H:	gemuas.exe
File opened (read-only)	\??\I:	gemuas.exe
File opened (read-only)	\??\P:	gemuas.exe
File opened (read-only)	\??\Q:	gemuas.exe
File opened (read-only)	\??\T:	gemuas.exe
File opened (read-only)	\??\G:	gemuas.exe

Drops file in System32 directory 1 IoCs

Processes:

gemuas.exe

description ioc process

File created C:\Windows\SysWOW64\hra33.dll gemuas.exe
Drops file in Program Files directory 2 IoCs

Processes:

gemuas.exe

description ioc process

File created C:\Program Files\7-Zip\lpk.dll gemuas.exe
File opened for modification C:\Program Files\7-Zip\lpk.dll gemuas.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hra33.dll	gemuas.exe

description	ioc	process
File created	C:\Program Files\7-Zip\lpk.dll	gemuas.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	gemuas.exe

Drops file in Windows directory 4 IoCs

Processes:

gy.exe5913.exe

description	ioc	process
File created	C:\Windows\gemuas.exe	gy.exe
File opened for modification	C:\Windows\gemuas.exe	gy.exe
File created	C:\Windows\ServicesTest.dll	5913.exe
File opened for modification	C:\Windows\ServicesTest.dll	5913.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\1.exe	nsis_installer_2
C:\1.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Config	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Config\ = e6070b0001001c0002000e0031002d01	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exe

pid process

728 svchost.exe
728 svchost.exe
728 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

gy.exesvchost.exe

description pid process

Token: SeIncBasePriorityPrivilege 520 gy.exe
Token: SeBackupPrivilege 728 svchost.exe
Token: SeRestorePrivilege 728 svchost.exe

pid	process
728	svchost.exe
728	svchost.exe
728	svchost.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	520	gy.exe
Token: SeBackupPrivilege	728	svchost.exe
Token: SeRestorePrivilege	728	svchost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe5913.exe1.exe520.exegy.exe

description	pid	process	target process
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1944	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	1.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 532 wrote to memory of 1900	532	c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe	5913.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	5913.exe	cmd.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 520	1944	1.exe	gy.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1944 wrote to memory of 1712	1944	1.exe	520.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1144	1712	520.exe	svchost.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 1712 wrote to memory of 1940	1712	520.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe
PID 520 wrote to memory of 468	520	gy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe
"C:\Users\Admin\AppData\Local\Temp\c051756a54caa1df806d7f92802c07cd4905d0bc38cde903725707bed5503ff6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\1.exe
"C:\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\gy.exe
"C:\Users\Admin\AppData\Local\Temp\gy.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\gy.exe > nul
4⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\520.exe
"C:\Users\Admin\AppData\Local\Temp\520.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\temp\svchost.exe
"C:\Windows\temp\svchost.exe" -install
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "
4⤵
PID:1940

C:\5913.exe
"C:\5913.exe"
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7079184.bat" "
3⤵
PID:2008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ServicesTest
1⤵
- Checks processor information in registry
PID:2036

C:\Windows\gemuas.exe
C:\Windows\gemuas.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1272

C:\Windows\temp\svchost.exe
C:\Windows\temp\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.exe
Filesize
152KB

MD5
653b105955e4ebb5ae20eb1fd22e8c0c

SHA1
fdfcaf735ad9e1c565cb876a0c541528b99fc940

SHA256
014f22f862be89eaad174e657b0b0e893cfc5c8feff1e6644bf281b2d7d333da

SHA512
08533a5594be95d6684821d138973f13d0e2815ddc9bbc1c011008d569a2c2487e43a77aa960eada3f39f9b8b8aee5cb77407042eb61578bd0c3e2b508043b02

Download Submit
C:\1.exe
Filesize
152KB

MD5
653b105955e4ebb5ae20eb1fd22e8c0c

SHA1
fdfcaf735ad9e1c565cb876a0c541528b99fc940

SHA256
014f22f862be89eaad174e657b0b0e893cfc5c8feff1e6644bf281b2d7d333da

SHA512
08533a5594be95d6684821d138973f13d0e2815ddc9bbc1c011008d569a2c2487e43a77aa960eada3f39f9b8b8aee5cb77407042eb61578bd0c3e2b508043b02

Download Submit
C:\5913.exe
Filesize
140KB

MD5
3630d6e5f296612aa1e55aa07e23dc18

SHA1
9985c74e23b5117586baed084e872588cb9dee44

SHA256
44d17e3e091b384bb1afc6edd03d0ff0288f01d0f900999642307d4ea1c57059

SHA512
a5ac6810593463fda5fc8346054f1ac058829f9d15ac51c7057863050004605847579db356a491c0405288c9b6793f833281d98780a98411d532d4a566daeed7

Download Submit
C:\5913.exe
Filesize
140KB

MD5
3630d6e5f296612aa1e55aa07e23dc18

SHA1
9985c74e23b5117586baed084e872588cb9dee44

SHA256
44d17e3e091b384bb1afc6edd03d0ff0288f01d0f900999642307d4ea1c57059

SHA512
a5ac6810593463fda5fc8346054f1ac058829f9d15ac51c7057863050004605847579db356a491c0405288c9b6793f833281d98780a98411d532d4a566daeed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
C:\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7079184.bat
Filesize
57B

MD5
1a1ffab3d6ccbfeaf5e485882c9cffb5

SHA1
bc50b1cd9dff7ea8b6a3ea71f4bd0eea84d14b4e

SHA256
e020a531ab623cf3b6a8b55dda652cbd37e795fd32919251b54d65cb45421803

SHA512
242fc86e23b617af8ae4d0cb3dad8fe434d73c0947a8f53a453ed8b081982e019571203052457dfa4e30ba1f1d0264bb39492364249ec591f6b6e7cecd7d6a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0.bat
Filesize
136B

MD5
ae2c7813247aaba1311db05455769dcf

SHA1
02ad2ae4ef27639e68b3cf5370dd0f17e4968d4b

SHA256
f5ff09333591ebd4108bce117b4a3b5ee754e3cb03d772f2353a53cdc0545120

SHA512
7e5c6f1cef2deef5b42e909e1beaf9362bd3f6faf42d5d7b7d302487832b93e6e23fd88b1cd9be6ac927610532f07f6cce77a904acb9b83d5493f0090a07b711

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
C:\Windows\gemuas.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
C:\Windows\gemuas.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
C:\Windows\temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\??\c:\windows\servicestest.dll
Filesize
140KB

MD5
41b20956cfadd0615318a1f05579439c

SHA1
70135a402896a9da903cb29a427dc050497192fb

SHA256
eed7e98d3f7dbedb2f75aabaf63eb3309d6fb414985158051ad78d56e9550c15

SHA512
6637ec708d4645707d218aeccea70e61e1987db41f142165d72bfab681caaea7e04878c4f29fcc2b738c155629cdd77276f001cc7253df4415c15f6338341d1c

Download Submit
\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Users\Admin\AppData\Local\Temp\520.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
\Users\Admin\AppData\Local\Temp\gy.exe
Filesize
19KB

MD5
83cc9cd5f10586e2d4263c5f63c25648

SHA1
f2ab328ee1319a1e9020c3bccca8485f6c924753

SHA256
5b877835f6caa5186b6259e7667c21b9e3ac44499f2b218b4d097f5edac6a2ee

SHA512
6f4c78502c05094f2a54124f1b8c93a3f9cac1061ab441ff2c43e621bd7b23746aae82fad665fbd99419a734caa855b820281b5bc3d2a0f5e110ddf28e3b06c2

Download Submit
\Users\Admin\AppData\Local\Temp\nso3AB.tmp\System.dll
Filesize
10KB

MD5
0c8ea8e6637bbf8408104e672d78ba45

SHA1
c231c7acaf9abb7da93f28e1b71bed164d57103e

SHA256
509a93177a7ae130bc3b6b5ec3236c7aa0811b8b86f8ab3442c65fdf8ff85b1f

SHA512
ee763a3cdbbba3b28e6a903ac942c7228bd8e54b19de21d6187e481f2916d833d9b9800e5ac2998f4aa26274cdfb20a8bfdd10f00f2a15d37bcc529b617e1f28

Download Submit
\Windows\SysWOW64\hra33.dll
Filesize
28KB

MD5
e488e56ce1e32594d1bef97d930e16b0

SHA1
6e3c57ae5ed7c7aeec8380c653477c2482f33a5d

SHA256
1edd940efd80a74af8659a479ae7c05291459ad481a3b6d8c665533478070268

SHA512
7aee5b14e977330a1c5da60c886186a39a49fa1d7a539956fd3089be671f995584fdc7bd1bb01f9124c30406017943f38fbbdfa4312a7d3400edf487fe873147

Download Submit
\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
\Windows\Temp\svchost.exe
Filesize
172KB

MD5
5b6a11850e44e4d1d0a2b35848e1add0

SHA1
b8f23cea4a79268a4f852b2591cac6d3052110ef

SHA256
9124d576c54132e0e902fff1062eb7e7919cbeb0e6c076e2004e4fd140e8eab5

SHA512
3f05d755f0748af1a09b91f15cf0e1e660e0955c8518db57a6f195412cc7a75c361e375b4b42738e4cbe4a1742552255c07ecfea935dafc269f3a64c06cb9375

Download Submit
memory/468-105-0x0000000000000000-mapping.dmp

Download
memory/520-75-0x0000000000000000-mapping.dmp

Download
memory/520-106-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1144-93-0x0000000000000000-mapping.dmp

Download
memory/1272-108-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-113-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1712-84-0x0000000000000000-mapping.dmp

Download
memory/1900-69-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/1900-68-0x00000000001B0000-0x00000000001F7000-memory.dmp

Filesize
284KB

Download
memory/1900-64-0x00000000001B0000-0x00000000001F7000-memory.dmp

Filesize
284KB

Download
memory/1900-59-0x0000000000000000-mapping.dmp

Download
memory/1940-102-0x0000000000000000-mapping.dmp

Download
memory/1944-55-0x0000000000000000-mapping.dmp

Download
memory/2008-67-0x0000000000000000-mapping.dmp

Download
memory/2036-66-0x00000000740A0000-0x00000000740E7000-memory.dmp

Filesize
284KB

Download
memory/2036-72-0x00000000740A0000-0x00000000740E7000-memory.dmp

Filesize
284KB

Download