8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe
Size

1017KB
MD5

fd7478cf5ed8210cb781e2857499ef97
SHA1

f4e7b5d69efd3919b7108f0aaebc2d40138d4e77
SHA256

8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f
SHA512

1b5200fc971c09efc9e65644446a22ab156d14b945c7ac72ffb978a9759edd1c436d44dc08b6a0ee2097bb0df70f1e9f7895aecd1d3a3c3b4b649ac1008c953d
SSDEEP

24576:uMvucHxOzi2hpgtiC7I9myZhzPym+gMRDiuZhyjvupeSzYPsswnQYa5a0d5w:uMvuc37I9myHv+gZE8X9Ps3

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 18 IoCs

Processes:

kissec.exeserverc.exemisse.exeqqz.exewinlogon.exe240590296.exesvchost.exespoolsv.exespoolsc.exeservices.exemstsv.exemstsc.exelsass.exeexplorer.exealg.exekisse.exesecie.exeieLock.exe

pid	process
2676	kissec.exe
4420	serverc.exe
4696	misse.exe
4856	qqz.exe
4964	winlogon.exe
1268	240590296.exe
4692	svchost.exe
4896	spoolsv.exe
4812	spoolsc.exe
204	services.exe
4384	mstsv.exe
968	mstsc.exe
1076	lsass.exe
3484	explorer.exe
1264	alg.exe
1936	kisse.exe
4508	secie.exe
3736	ieLock.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\serverc.exe	upx
C:\Users\Admin\AppData\Local\Temp\serverc.exe	upx
behavioral2/memory/4420-149-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/4472-155-0x0000000000400000-0x000000000044F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\kisse.exe	upx
C:\Users\Admin\AppData\Local\Temp\kisse.exe	upx
behavioral2/memory/1936-196-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4420-212-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1936-213-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exeqqz.exesecie.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qqz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	secie.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3600 regsvr32.exe

pid	process
3600	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kisse.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	kisse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNews = "\"C:\\Program Files (x86)\\QQNews\\QQNews.exe\" /r"	kisse.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ieLock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\ = "RisingBHO"	ieLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}	ieLock.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

serverc.exe

description pid process target process

PID 4420 set thread context of 4472 4420 serverc.exe svchost.exe

description	pid	process	target process
PID 4420 set thread context of 4472	4420	serverc.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

kisse.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\QQNews\QQNews.exe	kisse.exe
File created	C:\Program Files (x86)\QQNews\QQNews.exe	kisse.exe

Drops file in Windows directory 3 IoCs

Processes:

secie.exe

description	ioc	process
File created	C:\WINDOWS\Helps\ieLock.dll	secie.exe
File created	C:\WINDOWS\Helps\ieLock.exe	secie.exe
File created	C:\WINDOWS\Helps\ielock.ini	secie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3100 4472 WerFault.exe svchost.exe

pid	pid_target	process	target process
3100	4472	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ieLock.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	ieLock.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	ieLock.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

ieLock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page	ieLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page	ieLock.exe

Modifies registry class 46 IoCs

Processes:

regsvr32.exesecie.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ = "_Class1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\ = "ieLock.Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\ = "ieLock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib\ = "{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	secie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\HELPDIR\ = "C:\\WINDOWS\\Helps"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\TypeLib\ = "{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\VERSION\ = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ = "Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib\ = "{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\InprocServer32\ = "C:\\WINDOWS\\Helps\\ieLock.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ieLock.Class1\ = "ieLock.Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ieLock.Class1\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA1194C-8219-4C38-93DA-2E57F1308DBD}\ProgID\ = "ieLock.Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ieLock.Class1\Clsid\ = "{2BA1194C-8219-4C38-93DA-2E57F1308DBD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{937BD1EA-BDEB-4720-B8BE-A0D54EE71FD9}\2.0\0\win32\ = "C:\\WINDOWS\\Helps\\ieLock.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C7B3E8-D8EB-456F-A6E4-1DDFBBCDC6EE}\ = "_Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ieLock.Class1	regsvr32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4860 NOTEPAD.EXE

pid	process
4860	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

serverc.exekisse.exe

pid	process
4420	serverc.exe
4420	serverc.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe
1936	kisse.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

qqz.exe240590296.exe

description pid process

Token: SeDebugPrivilege 4856 qqz.exe
Token: SeDebugPrivilege 1268 240590296.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

kisse.exeieLock.exe

pid process

1936 kisse.exe
1936 kisse.exe
3736 ieLock.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ieLock.exe

pid process

3736 ieLock.exe

description	pid	process
Token: SeDebugPrivilege	4856	qqz.exe
Token: SeDebugPrivilege	1268	240590296.exe

pid	process
1936	kisse.exe
1936	kisse.exe
3736	ieLock.exe

pid	process
3736	ieLock.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

kissec.exemisse.exeserverc.exekisse.exeieLock.exe

pid	process
2676	kissec.exe
2676	kissec.exe
4696	misse.exe
4696	misse.exe
4420	serverc.exe
4420	serverc.exe
2676	kissec.exe
2676	kissec.exe
1936	kisse.exe
3736	ieLock.exe
1936	kisse.exe
1936	kisse.exe
4696	misse.exe
4696	misse.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exeserverc.exeqqz.exesecie.exe

description	pid	process	target process
PID 4512 wrote to memory of 2676	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kissec.exe
PID 4512 wrote to memory of 2676	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kissec.exe
PID 4512 wrote to memory of 2676	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kissec.exe
PID 4512 wrote to memory of 4420	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	serverc.exe
PID 4512 wrote to memory of 4420	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	serverc.exe
PID 4512 wrote to memory of 4420	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	serverc.exe
PID 4512 wrote to memory of 4696	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	misse.exe
PID 4512 wrote to memory of 4696	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	misse.exe
PID 4512 wrote to memory of 4696	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	misse.exe
PID 4512 wrote to memory of 4856	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	qqz.exe
PID 4512 wrote to memory of 4856	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	qqz.exe
PID 4512 wrote to memory of 4856	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	qqz.exe
PID 4512 wrote to memory of 4964	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	winlogon.exe
PID 4512 wrote to memory of 4964	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	winlogon.exe
PID 4512 wrote to memory of 4964	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	winlogon.exe
PID 4420 wrote to memory of 4472	4420	serverc.exe	svchost.exe
PID 4420 wrote to memory of 4472	4420	serverc.exe	svchost.exe
PID 4420 wrote to memory of 4472	4420	serverc.exe	svchost.exe
PID 4856 wrote to memory of 1268	4856	qqz.exe	240590296.exe
PID 4856 wrote to memory of 1268	4856	qqz.exe	240590296.exe
PID 4856 wrote to memory of 1268	4856	qqz.exe	240590296.exe
PID 4420 wrote to memory of 4472	4420	serverc.exe	svchost.exe
PID 4420 wrote to memory of 4472	4420	serverc.exe	svchost.exe
PID 4512 wrote to memory of 4692	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	svchost.exe
PID 4512 wrote to memory of 4692	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	svchost.exe
PID 4512 wrote to memory of 4692	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	svchost.exe
PID 4512 wrote to memory of 4896	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsv.exe
PID 4512 wrote to memory of 4896	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsv.exe
PID 4512 wrote to memory of 4896	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsv.exe
PID 4512 wrote to memory of 4812	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsc.exe
PID 4512 wrote to memory of 4812	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsc.exe
PID 4512 wrote to memory of 4812	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	spoolsc.exe
PID 4512 wrote to memory of 204	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	services.exe
PID 4512 wrote to memory of 204	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	services.exe
PID 4512 wrote to memory of 204	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	services.exe
PID 4856 wrote to memory of 224	4856	qqz.exe	cmd.exe
PID 4856 wrote to memory of 224	4856	qqz.exe	cmd.exe
PID 4856 wrote to memory of 224	4856	qqz.exe	cmd.exe
PID 4512 wrote to memory of 4384	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsv.exe
PID 4512 wrote to memory of 4384	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsv.exe
PID 4512 wrote to memory of 4384	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsv.exe
PID 4512 wrote to memory of 968	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsc.exe
PID 4512 wrote to memory of 968	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsc.exe
PID 4512 wrote to memory of 968	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	mstsc.exe
PID 4512 wrote to memory of 1076	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	lsass.exe
PID 4512 wrote to memory of 1076	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	lsass.exe
PID 4512 wrote to memory of 1076	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	lsass.exe
PID 4512 wrote to memory of 3484	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	explorer.exe
PID 4512 wrote to memory of 3484	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	explorer.exe
PID 4512 wrote to memory of 3484	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	explorer.exe
PID 4512 wrote to memory of 1264	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	alg.exe
PID 4512 wrote to memory of 1264	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	alg.exe
PID 4512 wrote to memory of 1264	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	alg.exe
PID 4512 wrote to memory of 1936	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kisse.exe
PID 4512 wrote to memory of 1936	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kisse.exe
PID 4512 wrote to memory of 1936	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	kisse.exe
PID 4512 wrote to memory of 4508	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	secie.exe
PID 4512 wrote to memory of 4508	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	secie.exe
PID 4512 wrote to memory of 4508	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	secie.exe
PID 4512 wrote to memory of 680	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	cmd.exe
PID 4512 wrote to memory of 680	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	cmd.exe
PID 4512 wrote to memory of 680	4512	8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe	cmd.exe
PID 4508 wrote to memory of 3736	4508	secie.exe	ieLock.exe
PID 4508 wrote to memory of 3736	4508	secie.exe	ieLock.exe

C:\Users\Admin\AppData\Local\Temp\8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe
"C:\Users\Admin\AppData\Local\Temp\8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\kissec.exe
"C:\Users\Admin\AppData\Local\Temp\kissec.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Users\Admin\AppData\Local\Temp\serverc.exe
"C:\Users\Admin\AppData\Local\Temp\serverc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 12
4⤵
- Program crash
PID:3100

C:\Users\Admin\AppData\Local\Temp\misse.exe
"C:\Users\Admin\AppData\Local\Temp\misse.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Users\Admin\AppData\Local\Temp\qqz.exe
"C:\Users\Admin\AppData\Local\Temp\qqz.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Roaming\240590296.exe
"C:\Users\Admin\AppData\Roaming\240590296.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\qqz.exe >> NUL
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
"C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
2⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
"C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
2⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
"C:\Users\Admin\AppData\Local\Temp\spoolsc.exe"
2⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\AppData\Local\Temp\services.exe
"C:\Users\Admin\AppData\Local\Temp\services.exe"
2⤵
- Executes dropped EXE
PID:204

C:\Users\Admin\AppData\Local\Temp\mstsv.exe
"C:\Users\Admin\AppData\Local\Temp\mstsv.exe"
2⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\mstsc.exe
"C:\Users\Admin\AppData\Local\Temp\mstsc.exe"
2⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
2⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\alg.exe
"C:\Users\Admin\AppData\Local\Temp\alg.exe"
2⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\kisse.exe
"C:\Users\Admin\AppData\Local\Temp\kisse.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Users\Admin\AppData\Local\Temp\secie.exe
"C:\Users\Admin\AppData\Local\Temp\secie.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508

C:\WINDOWS\Helps\ieLock.exe
"C:\WINDOWS\Helps\ieLock.exe"
3⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\WINDOWS\Helps\ieLock.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:3600

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\WINDOWS\Helps\ielock.ini
3⤵
- Opens file in notepad (likely ransom note)
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ope2993.bat" "" "C:\Users\Admin\AppData\Local\Temp" "secie.exe""
3⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ope24AF.bat" "" "C:\Users\Admin\AppData\Local\Temp" "8cc6b3953ed33919b4ea4a6dcf9fdc51b0ec17d3ee2c8cfeb5e378589d66b01f.exe""
2⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472
1⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alg.exe
Filesize
28KB

MD5
c380be9ac5ffda1d7d0f8ce3b089c0f3

SHA1
5c51e940432b1ad1fd27b077025b5da24884b2c4

SHA256
46177fda45d123039040ab0c0c75f7c8610dc20d55ac1781bb24ff17c8dcf42d

SHA512
d1dcde53b7895d1bbd811eec3cbd1ec8d3416ea809e809926915dbf40a791aa9aed34585ab1ce9f0a3fe78fe7939750c21b28604996678593c22b702a244a43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\alg.exe
Filesize
28KB

MD5
c380be9ac5ffda1d7d0f8ce3b089c0f3

SHA1
5c51e940432b1ad1fd27b077025b5da24884b2c4

SHA256
46177fda45d123039040ab0c0c75f7c8610dc20d55ac1781bb24ff17c8dcf42d

SHA512
d1dcde53b7895d1bbd811eec3cbd1ec8d3416ea809e809926915dbf40a791aa9aed34585ab1ce9f0a3fe78fe7939750c21b28604996678593c22b702a244a43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
28KB

MD5
55905e5c06318cf08bc05e589e303c78

SHA1
e0216c88f67020dd92ab9dc39d0903b72139ea2d

SHA256
bbbc98db1a6c7f0c2ae7dbb86176bde77be73ccd523a5bf408ea307925b65bcf

SHA512
e343dd46fb759f472d17b12b870c345045fd96df57f170c838056594488f4bf1ee2096a2f79f9060e4e1b98df54918f90c13b12d5cdd92dd50a8769004bba1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
28KB

MD5
55905e5c06318cf08bc05e589e303c78

SHA1
e0216c88f67020dd92ab9dc39d0903b72139ea2d

SHA256
bbbc98db1a6c7f0c2ae7dbb86176bde77be73ccd523a5bf408ea307925b65bcf

SHA512
e343dd46fb759f472d17b12b870c345045fd96df57f170c838056594488f4bf1ee2096a2f79f9060e4e1b98df54918f90c13b12d5cdd92dd50a8769004bba1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kisse.exe
Filesize
57KB

MD5
a0d1de21bb1ad90a34537cc4e6702cb2

SHA1
a063ad06f99e0dba6457599bb18f35a68e9b623b

SHA256
da710c0a4ad5fc204d28779554ce431a4ded407fd0dbe421fe08724ac29fb280

SHA512
fa924a9bb4ed51fea72f359496e1a74ba493c0e41c2fe1df471b3de51fd0ab589104fd317b4e760d71d1ee16ca86ca9cc066142c0908cd4b06b83b57435e00ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\kisse.exe
Filesize
57KB

MD5
a0d1de21bb1ad90a34537cc4e6702cb2

SHA1
a063ad06f99e0dba6457599bb18f35a68e9b623b

SHA256
da710c0a4ad5fc204d28779554ce431a4ded407fd0dbe421fe08724ac29fb280

SHA512
fa924a9bb4ed51fea72f359496e1a74ba493c0e41c2fe1df471b3de51fd0ab589104fd317b4e760d71d1ee16ca86ca9cc066142c0908cd4b06b83b57435e00ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\kissec.exe
Filesize
604KB

MD5
d4a9c365a0fcab10d9e001ad0eeba36d

SHA1
0128008e3f5314347b73682a65fb0a10bfa51798

SHA256
5ae791556b21546521b84cb2b3f4542fd5c1a0abbd65f55464c62a86701d67c1

SHA512
d158236069eea6b586ff19e75be97af24233003b425d33ce5c6ee38839613898aa11885e5752b81e935e99c804a16d8e8a84948820da381742455781cbe75c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kissec.exe
Filesize
604KB

MD5
d4a9c365a0fcab10d9e001ad0eeba36d

SHA1
0128008e3f5314347b73682a65fb0a10bfa51798

SHA256
5ae791556b21546521b84cb2b3f4542fd5c1a0abbd65f55464c62a86701d67c1

SHA512
d158236069eea6b586ff19e75be97af24233003b425d33ce5c6ee38839613898aa11885e5752b81e935e99c804a16d8e8a84948820da381742455781cbe75c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsass.exe
Filesize
28KB

MD5
6e2df689bce54691c338658089947a23

SHA1
3c03dd16bd4096d5a187ece2623bd65fc0bd08fb

SHA256
84e7cf5ceb03dd6e65c5eeff6dc1a9031fc83fa55015c24e6388eedadef7ab2e

SHA512
ab5934bd10c952c486d308f446f320f17ae8f3440982c8b012bac7106f68c70706074f1226971a0dfc90023bc2179cd0ef7a94b2f95d492fb910b4db462fe685

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsass.exe
Filesize
28KB

MD5
6e2df689bce54691c338658089947a23

SHA1
3c03dd16bd4096d5a187ece2623bd65fc0bd08fb

SHA256
84e7cf5ceb03dd6e65c5eeff6dc1a9031fc83fa55015c24e6388eedadef7ab2e

SHA512
ab5934bd10c952c486d308f446f320f17ae8f3440982c8b012bac7106f68c70706074f1226971a0dfc90023bc2179cd0ef7a94b2f95d492fb910b4db462fe685

Download Submit
C:\Users\Admin\AppData\Local\Temp\misse.exe
Filesize
272KB

MD5
27a92aa9cdb996f90d2010b700911bda

SHA1
9fd2451263c02fe18994c0c3ee93e36f3e8161f2

SHA256
bbcf855c7d283d7bcd7da1630dcb56704f06df2c69c3430b71e52883d516f1a8

SHA512
dd8933ab8e283e6af84a9f12947f5a7d6ea8ad7171a2783930d1e6aea781d70c47ab88ccf05e598dcfa6a706858e0d5115861228da472c800d424e895bb149d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\misse.exe
Filesize
272KB

MD5
27a92aa9cdb996f90d2010b700911bda

SHA1
9fd2451263c02fe18994c0c3ee93e36f3e8161f2

SHA256
bbcf855c7d283d7bcd7da1630dcb56704f06df2c69c3430b71e52883d516f1a8

SHA512
dd8933ab8e283e6af84a9f12947f5a7d6ea8ad7171a2783930d1e6aea781d70c47ab88ccf05e598dcfa6a706858e0d5115861228da472c800d424e895bb149d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstsc.exe
Filesize
28KB

MD5
524a4fd6e226bb8853bc4749a05978d0

SHA1
43dbdceb9bcf8c92c2e1717b34756f5b1f9d8d1e

SHA256
5c6098ace6e248b83389c5e3ae9e8db515314e8c0108671fd89b2bdb847957ef

SHA512
10cb88fa72449aba48bb9be2f5a67a8f0b6115064bc0f11f2eb504d464fbcd7033c839f4e273757b930b03456b9bb62c0afef27795b0acccf534ccfeae18f202

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstsc.exe
Filesize
28KB

MD5
524a4fd6e226bb8853bc4749a05978d0

SHA1
43dbdceb9bcf8c92c2e1717b34756f5b1f9d8d1e

SHA256
5c6098ace6e248b83389c5e3ae9e8db515314e8c0108671fd89b2bdb847957ef

SHA512
10cb88fa72449aba48bb9be2f5a67a8f0b6115064bc0f11f2eb504d464fbcd7033c839f4e273757b930b03456b9bb62c0afef27795b0acccf534ccfeae18f202

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstsv.exe
Filesize
28KB

MD5
548fd7007430a3c4298d15a4f494ab3e

SHA1
c7ca35ae06ac6f0355933f8582771c136d4e9b09

SHA256
4a74cdec581da791d7025c5f9fc730be88c7a23f4283316878fce7e0781067cf

SHA512
05988bb05b6d02f5d944feb2442857c55399338aa3d4373f45cd8200cc0fbb69c57183646c0c3a1aaaa3f22d51b33f57653251c500a8cd3c188f0bc501b78fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstsv.exe
Filesize
28KB

MD5
548fd7007430a3c4298d15a4f494ab3e

SHA1
c7ca35ae06ac6f0355933f8582771c136d4e9b09

SHA256
4a74cdec581da791d7025c5f9fc730be88c7a23f4283316878fce7e0781067cf

SHA512
05988bb05b6d02f5d944feb2442857c55399338aa3d4373f45cd8200cc0fbb69c57183646c0c3a1aaaa3f22d51b33f57653251c500a8cd3c188f0bc501b78fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope24AF.bat
Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope2993.bat
Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqz.exe
Filesize
104KB

MD5
59a1a99ffa42d5aec0991c3482569011

SHA1
262f00f61558cc699d98d711ae43599fabb49f35

SHA256
7efdb72cb8a9b03a7cb9eda7c30bf1369356ac52a1e0ef8508c943c9c3ff5780

SHA512
5ffc95be2e762e1ac670a73280e6477eca8b9905e4c18e6a23e24cc7771f76cd7b028f11b6cd2df105a8872863610c8db1c9cddec96bb76123fc385396ef483a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqz.exe
Filesize
104KB

MD5
59a1a99ffa42d5aec0991c3482569011

SHA1
262f00f61558cc699d98d711ae43599fabb49f35

SHA256
7efdb72cb8a9b03a7cb9eda7c30bf1369356ac52a1e0ef8508c943c9c3ff5780

SHA512
5ffc95be2e762e1ac670a73280e6477eca8b9905e4c18e6a23e24cc7771f76cd7b028f11b6cd2df105a8872863610c8db1c9cddec96bb76123fc385396ef483a

Download Submit
C:\Users\Admin\AppData\Local\Temp\secie.exe
Filesize
46KB

MD5
7298aba8030bc4732621094a3f41c118

SHA1
4e8250d146dff2671fce66eee0c8b46630ea071c

SHA256
7c8237bb02ae1a22873866d6490bd0d3d240e719a4e880fc129337dd94e8e1fd

SHA512
c37bfae1b39476f5ce633bd2ea7011195dc058a6f03026b5f35661b40a7cee798749b7f4577caf56e948a5b5ae71acb636744e6e1c509cfa602b2ad20e436e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\secie.exe
Filesize
46KB

MD5
7298aba8030bc4732621094a3f41c118

SHA1
4e8250d146dff2671fce66eee0c8b46630ea071c

SHA256
7c8237bb02ae1a22873866d6490bd0d3d240e719a4e880fc129337dd94e8e1fd

SHA512
c37bfae1b39476f5ce633bd2ea7011195dc058a6f03026b5f35661b40a7cee798749b7f4577caf56e948a5b5ae71acb636744e6e1c509cfa602b2ad20e436e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\serverc.exe
Filesize
396KB

MD5
267373d57e27873d69fcf4bba6bb2a16

SHA1
a7d28407c13776a305af0e150ef515aa5494fb3e

SHA256
3ff28517a8d3dff783113903a2924e58a66f74f8ed4984e0229ba2c0b7724787

SHA512
273063718412ec552f4c510f20260cc1f3d9a9c33c782590cfd8515f4c0c8e0f82ba43e925fee59e8b6c72b610904283a6cb07bd88ddb045dcbd7b66a4d4d9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\serverc.exe
Filesize
396KB

MD5
267373d57e27873d69fcf4bba6bb2a16

SHA1
a7d28407c13776a305af0e150ef515aa5494fb3e

SHA256
3ff28517a8d3dff783113903a2924e58a66f74f8ed4984e0229ba2c0b7724787

SHA512
273063718412ec552f4c510f20260cc1f3d9a9c33c782590cfd8515f4c0c8e0f82ba43e925fee59e8b6c72b610904283a6cb07bd88ddb045dcbd7b66a4d4d9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe
Filesize
28KB

MD5
fb6da7701801b8ac6a58308babd553d7

SHA1
509bce39215db946e57762537841fa7aaa1c628c

SHA256
a329228e28ec0edb442122e97f6243c8cbc93163cc03a3fffb3b72db06d167f6

SHA512
24300a401a5019dda254cf5cf5e49aa32775fee70382313907229d6562b0da80dc9081301e10ff6fdc15a27a37aa3cc688f5123074f877961bfd277cfbecc2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe
Filesize
28KB

MD5
fb6da7701801b8ac6a58308babd553d7

SHA1
509bce39215db946e57762537841fa7aaa1c628c

SHA256
a329228e28ec0edb442122e97f6243c8cbc93163cc03a3fffb3b72db06d167f6

SHA512
24300a401a5019dda254cf5cf5e49aa32775fee70382313907229d6562b0da80dc9081301e10ff6fdc15a27a37aa3cc688f5123074f877961bfd277cfbecc2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
Filesize
28KB

MD5
1d3e5e8db2e29478df42b295640d139d

SHA1
a9a9940e083e93fd7264b6a949288aa42a873887

SHA256
14ecf88cae5b11a1676928fd7795799059048b260a204ee557d0bec71a7da889

SHA512
3c515ec9eb198e98f791e37ae1181ded18a608084b5fb49f3e0f1b8543a9d2983c42df208c48529225205b91bc0d8fca53cf421931dbf5fa17ab68ca67f77d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
Filesize
28KB

MD5
1d3e5e8db2e29478df42b295640d139d

SHA1
a9a9940e083e93fd7264b6a949288aa42a873887

SHA256
14ecf88cae5b11a1676928fd7795799059048b260a204ee557d0bec71a7da889

SHA512
3c515ec9eb198e98f791e37ae1181ded18a608084b5fb49f3e0f1b8543a9d2983c42df208c48529225205b91bc0d8fca53cf421931dbf5fa17ab68ca67f77d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
Filesize
28KB

MD5
20d2f9507dff3cc967431558ebbe3412

SHA1
b9e307e225f0b64e245f6fc2f1ef55793cd3960e

SHA256
48ababa52164080123582a2899cb9e7527db6eed663037b7035a8185d1b4e816

SHA512
b3deaae16be3f72c38c43dabbae7311a7f1a5b8704f9e6ade3979305793c2e25e212191bec9ec444de8d87242135580b63a4628a4f9b0f7949d98c357b204ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
Filesize
28KB

MD5
20d2f9507dff3cc967431558ebbe3412

SHA1
b9e307e225f0b64e245f6fc2f1ef55793cd3960e

SHA256
48ababa52164080123582a2899cb9e7527db6eed663037b7035a8185d1b4e816

SHA512
b3deaae16be3f72c38c43dabbae7311a7f1a5b8704f9e6ade3979305793c2e25e212191bec9ec444de8d87242135580b63a4628a4f9b0f7949d98c357b204ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
28KB

MD5
9566951ec6ff4ab7cb88d8e84acaa5e7

SHA1
c31ec592bf0e224af2595e48ceaed273f84f92f4

SHA256
ce291bb37b33d526b84f7cc54fa53f1cff7602a0351fbdc1ef65ae8a07bc9f83

SHA512
58f70da3802a510736316be088d101262eeede888fd80c14a09aa25d337cc081e44e2a1d4a4807f51ff5870d6c7edf7fce9206498388a5eb5824c44d6fb474f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
28KB

MD5
9566951ec6ff4ab7cb88d8e84acaa5e7

SHA1
c31ec592bf0e224af2595e48ceaed273f84f92f4

SHA256
ce291bb37b33d526b84f7cc54fa53f1cff7602a0351fbdc1ef65ae8a07bc9f83

SHA512
58f70da3802a510736316be088d101262eeede888fd80c14a09aa25d337cc081e44e2a1d4a4807f51ff5870d6c7edf7fce9206498388a5eb5824c44d6fb474f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogon.exe
Filesize
28KB

MD5
8c03dfb96ec539b3877cd533afd6bb48

SHA1
8ce5f2ec3221bac93e0ef937c82469575bae5c76

SHA256
b0dd8ae64d56191922966caca131d8f3bb90801b5fb27a4f75acb0fe6763e20e

SHA512
3363c9a600c7ea831e486abe9a6f7680d79a04550c086409c9902390a52af02c453c0bb6f6ad1b699f0c4ce8672ec9ce30aa9b6cadf705df1da5e494b63a84cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogon.exe
Filesize
28KB

MD5
8c03dfb96ec539b3877cd533afd6bb48

SHA1
8ce5f2ec3221bac93e0ef937c82469575bae5c76

SHA256
b0dd8ae64d56191922966caca131d8f3bb90801b5fb27a4f75acb0fe6763e20e

SHA512
3363c9a600c7ea831e486abe9a6f7680d79a04550c086409c9902390a52af02c453c0bb6f6ad1b699f0c4ce8672ec9ce30aa9b6cadf705df1da5e494b63a84cb

Download Submit
C:\Users\Admin\AppData\Roaming\240590296.exe
Filesize
104KB

MD5
59a1a99ffa42d5aec0991c3482569011

SHA1
262f00f61558cc699d98d711ae43599fabb49f35

SHA256
7efdb72cb8a9b03a7cb9eda7c30bf1369356ac52a1e0ef8508c943c9c3ff5780

SHA512
5ffc95be2e762e1ac670a73280e6477eca8b9905e4c18e6a23e24cc7771f76cd7b028f11b6cd2df105a8872863610c8db1c9cddec96bb76123fc385396ef483a

Download Submit
C:\Users\Admin\AppData\Roaming\240590296.exe
Filesize
104KB

MD5
59a1a99ffa42d5aec0991c3482569011

SHA1
262f00f61558cc699d98d711ae43599fabb49f35

SHA256
7efdb72cb8a9b03a7cb9eda7c30bf1369356ac52a1e0ef8508c943c9c3ff5780

SHA512
5ffc95be2e762e1ac670a73280e6477eca8b9905e4c18e6a23e24cc7771f76cd7b028f11b6cd2df105a8872863610c8db1c9cddec96bb76123fc385396ef483a

Download Submit
C:\WINDOWS\Helps\ieLock.dll
Filesize
68KB

MD5
1428d09b77fa9f16c826b182e65f5b94

SHA1
09925b5f3e8a643a6494e583423b0517cc7fa4e7

SHA256
bd3e1066425be3d4ccfdd1861b33d57f4cd8797344866054f2aa2c626a91ba6b

SHA512
6f60222b2538937b77a3bc17ace7eba24704ba67d9353335d74a43933a1039adc46037ff42b30d54c359042092ac5c51e25fb807e23039f3a086243d3a9e78cb

Download Submit
C:\WINDOWS\Helps\ieLock.exe
Filesize
68KB

MD5
7254bfe382aa181233ab342d2f142e69

SHA1
2e255b17879cf50746bb13245bd2459440efb2aa

SHA256
b050b93650c2f4ecc8b270670c63369295fb94136597156825749dd29857e9d8

SHA512
498bc3fc0db739775f8cb40cc32259cd2aae62197657a603cf809e360f5c602a2ed69c4533dfa494c67bb566c224164e22812861a5b41d72d63679ad447167c1

Download Submit
C:\WINDOWS\Helps\ielock.ini
Filesize
72B

MD5
5195bf838648006d371559cccc730289

SHA1
c374cae1a4db7de9e3adad46da4f2f94d947e2ea

SHA256
de9d8d23c59acfb2530dc22375c84328fa45172c69c36618ed2618edfaba8047

SHA512
67358fd6a01844472f450d787e05377199f6df09ad793d85788c4ee1179b54bb675449972e161e0e320c6f67aaf290dd6b9a9f28a267d5604613ead492a7fea6

Download Submit
C:\Windows\Helps\ieLock.dll
Filesize
68KB

MD5
1428d09b77fa9f16c826b182e65f5b94

SHA1
09925b5f3e8a643a6494e583423b0517cc7fa4e7

SHA256
bd3e1066425be3d4ccfdd1861b33d57f4cd8797344866054f2aa2c626a91ba6b

SHA512
6f60222b2538937b77a3bc17ace7eba24704ba67d9353335d74a43933a1039adc46037ff42b30d54c359042092ac5c51e25fb807e23039f3a086243d3a9e78cb

Download Submit
C:\Windows\Helps\ieLock.exe
Filesize
68KB

MD5
7254bfe382aa181233ab342d2f142e69

SHA1
2e255b17879cf50746bb13245bd2459440efb2aa

SHA256
b050b93650c2f4ecc8b270670c63369295fb94136597156825749dd29857e9d8

SHA512
498bc3fc0db739775f8cb40cc32259cd2aae62197657a603cf809e360f5c602a2ed69c4533dfa494c67bb566c224164e22812861a5b41d72d63679ad447167c1

Download Submit
memory/204-167-0x0000000000000000-mapping.dmp

Download
memory/224-168-0x0000000000000000-mapping.dmp

Download
memory/680-192-0x0000000000000000-mapping.dmp

Download
memory/968-174-0x0000000000000000-mapping.dmp

Download
memory/1076-177-0x0000000000000000-mapping.dmp

Download
memory/1264-183-0x0000000000000000-mapping.dmp

Download
memory/1268-154-0x0000000000000000-mapping.dmp

Download
memory/1644-206-0x0000000000000000-mapping.dmp

Download
memory/1936-186-0x0000000000000000-mapping.dmp

Download
memory/1936-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1936-196-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-133-0x0000000000000000-mapping.dmp

Download
memory/3484-180-0x0000000000000000-mapping.dmp

Download
memory/3600-209-0x0000000000000000-mapping.dmp

Download
memory/3736-199-0x0000000000000000-mapping.dmp

Download
memory/4384-171-0x0000000000000000-mapping.dmp

Download
memory/4420-139-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/4420-136-0x0000000000000000-mapping.dmp

Download
memory/4420-212-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4420-149-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4472-155-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4472-152-0x0000000000000000-mapping.dmp

Download
memory/4508-207-0x0000000000400000-0x000000000040D0F0-memory.dmp

Filesize
52KB

Download
memory/4508-197-0x0000000000400000-0x000000000040D0F0-memory.dmp

Filesize
52KB

Download
memory/4508-189-0x0000000000000000-mapping.dmp

Download
memory/4512-132-0x0000000000400000-0x00000000004FFEE9-memory.dmp

Filesize
1023KB

Download
memory/4512-194-0x0000000000400000-0x00000000004FFEE9-memory.dmp

Filesize
1023KB

Download
memory/4692-156-0x0000000000000000-mapping.dmp

Download
memory/4696-143-0x0000000000000000-mapping.dmp

Download
memory/4812-164-0x0000000000000000-mapping.dmp

Download
memory/4856-146-0x0000000000000000-mapping.dmp

Download
memory/4860-205-0x0000000000000000-mapping.dmp

Download
memory/4896-161-0x0000000000000000-mapping.dmp

Download
memory/4964-150-0x0000000000000000-mapping.dmp

Download