darkcomet | 94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7

Analysis

max time kernel
105s
max time network
136s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe
Size

1.6MB
MD5

172b508f760ff844fc31e44d761d289c
SHA1

a43ec1760b278bb434b6e61da41002d410a7aa5d
SHA256

94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7
SHA512

fbafbfa36796918ac64a4a5148ba5f14cc5536f2eb4ad052350420dc9b33ff457a15a21ba121accf463f62af7f6c37aceca70124df6c78f9401630c5daa15824
SSDEEP

24576:4t+wU3uLfA7l+yUx+tRnCbSQnn8P2ubdWlm4yol+3L3aaQtpE4RYCOs:I831l+yUGzQn22WD4kb8tOs

Score

10^/10

darkcomet neshta evasion persistence rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detect Neshta payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\teiubescmemo.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe	family_neshta
\Users\Admin\AppData\Local\Temp\teiubescmemo.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

teiubescmemo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\explorer.exe"	teiubescmemo.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

explorer.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	explorer.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

teiubescmemo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	teiubescmemo.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 7 IoCs

Processes:

teiubescmemo.exeteiubescmemo.exesvchost.comsvchost.comsvchost.comsvchost.comexplorer.exe

pid process

468 teiubescmemo.exe
268 teiubescmemo.exe
1528 svchost.com
828 svchost.com
1572 svchost.com
632 svchost.com
572 explorer.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1552 attrib.exe
1936 attrib.exe

pid	process
468	teiubescmemo.exe
268	teiubescmemo.exe
1528	svchost.com
828	svchost.com
1572	svchost.com
632	svchost.com
572	explorer.exe

pid	process
1552	attrib.exe
1936	attrib.exe

Loads dropped DLL 52 IoCs

Processes:

94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exeteiubescmemo.exesvchost.com

pid	process
1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe
1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe
468	teiubescmemo.exe
468	teiubescmemo.exe
1528	svchost.com
1528	svchost.com
1528	svchost.com
468	teiubescmemo.exe
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com
1528	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

teiubescmemo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\explorer.exe"	teiubescmemo.exe

Drops file in Program Files directory 64 IoCs

Processes:

teiubescmemo.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	teiubescmemo.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	teiubescmemo.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comteiubescmemo.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	teiubescmemo.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

teiubescmemo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	teiubescmemo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1864 PING.EXE

pid	process
1864	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

teiubescmemo.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	268	teiubescmemo.exe
Token: SeSecurityPrivilege	268	teiubescmemo.exe
Token: SeTakeOwnershipPrivilege	268	teiubescmemo.exe
Token: SeLoadDriverPrivilege	268	teiubescmemo.exe
Token: SeSystemProfilePrivilege	268	teiubescmemo.exe
Token: SeSystemtimePrivilege	268	teiubescmemo.exe
Token: SeProfSingleProcessPrivilege	268	teiubescmemo.exe
Token: SeIncBasePriorityPrivilege	268	teiubescmemo.exe
Token: SeCreatePagefilePrivilege	268	teiubescmemo.exe
Token: SeBackupPrivilege	268	teiubescmemo.exe
Token: SeRestorePrivilege	268	teiubescmemo.exe
Token: SeShutdownPrivilege	268	teiubescmemo.exe
Token: SeDebugPrivilege	268	teiubescmemo.exe
Token: SeSystemEnvironmentPrivilege	268	teiubescmemo.exe
Token: SeChangeNotifyPrivilege	268	teiubescmemo.exe
Token: SeRemoteShutdownPrivilege	268	teiubescmemo.exe
Token: SeUndockPrivilege	268	teiubescmemo.exe
Token: SeManageVolumePrivilege	268	teiubescmemo.exe
Token: SeImpersonatePrivilege	268	teiubescmemo.exe
Token: SeCreateGlobalPrivilege	268	teiubescmemo.exe
Token: 33	268	teiubescmemo.exe
Token: 34	268	teiubescmemo.exe
Token: 35	268	teiubescmemo.exe
Token: SeIncreaseQuotaPrivilege	572	explorer.exe
Token: SeSecurityPrivilege	572	explorer.exe
Token: SeTakeOwnershipPrivilege	572	explorer.exe
Token: SeLoadDriverPrivilege	572	explorer.exe
Token: SeSystemProfilePrivilege	572	explorer.exe
Token: SeSystemtimePrivilege	572	explorer.exe
Token: SeProfSingleProcessPrivilege	572	explorer.exe
Token: SeIncBasePriorityPrivilege	572	explorer.exe
Token: SeCreatePagefilePrivilege	572	explorer.exe
Token: SeBackupPrivilege	572	explorer.exe
Token: SeRestorePrivilege	572	explorer.exe
Token: SeShutdownPrivilege	572	explorer.exe
Token: SeDebugPrivilege	572	explorer.exe
Token: SeSystemEnvironmentPrivilege	572	explorer.exe
Token: SeChangeNotifyPrivilege	572	explorer.exe
Token: SeRemoteShutdownPrivilege	572	explorer.exe
Token: SeUndockPrivilege	572	explorer.exe
Token: SeManageVolumePrivilege	572	explorer.exe
Token: SeImpersonatePrivilege	572	explorer.exe
Token: SeCreateGlobalPrivilege	572	explorer.exe
Token: 33	572	explorer.exe
Token: 34	572	explorer.exe
Token: 35	572	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

604 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

572 explorer.exe

pid	process
604	DllHost.exe

pid	process
572	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exeteiubescmemo.exeteiubescmemo.exesvchost.comsvchost.comcmd.execmd.exesvchost.comsvchost.comcmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 468	1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe	teiubescmemo.exe
PID 1180 wrote to memory of 468	1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe	teiubescmemo.exe
PID 1180 wrote to memory of 468	1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe	teiubescmemo.exe
PID 1180 wrote to memory of 468	1180	94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe	teiubescmemo.exe
PID 468 wrote to memory of 268	468	teiubescmemo.exe	teiubescmemo.exe
PID 468 wrote to memory of 268	468	teiubescmemo.exe	teiubescmemo.exe
PID 468 wrote to memory of 268	468	teiubescmemo.exe	teiubescmemo.exe
PID 468 wrote to memory of 268	468	teiubescmemo.exe	teiubescmemo.exe
PID 268 wrote to memory of 1528	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1528	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1528	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1528	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 828	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 828	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 828	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 828	268	teiubescmemo.exe	svchost.com
PID 1528 wrote to memory of 1556	1528	svchost.com	cmd.exe
PID 1528 wrote to memory of 1556	1528	svchost.com	cmd.exe
PID 1528 wrote to memory of 1556	1528	svchost.com	cmd.exe
PID 1528 wrote to memory of 1556	1528	svchost.com	cmd.exe
PID 828 wrote to memory of 968	828	svchost.com	cmd.exe
PID 828 wrote to memory of 968	828	svchost.com	cmd.exe
PID 828 wrote to memory of 968	828	svchost.com	cmd.exe
PID 828 wrote to memory of 968	828	svchost.com	cmd.exe
PID 968 wrote to memory of 1936	968	cmd.exe	attrib.exe
PID 968 wrote to memory of 1936	968	cmd.exe	attrib.exe
PID 968 wrote to memory of 1936	968	cmd.exe	attrib.exe
PID 968 wrote to memory of 1936	968	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1552	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1552	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1552	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1552	1556	cmd.exe	attrib.exe
PID 268 wrote to memory of 1572	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1572	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1572	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 1572	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 632	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 632	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 632	268	teiubescmemo.exe	svchost.com
PID 268 wrote to memory of 632	268	teiubescmemo.exe	svchost.com
PID 1572 wrote to memory of 572	1572	svchost.com	explorer.exe
PID 1572 wrote to memory of 572	1572	svchost.com	explorer.exe
PID 1572 wrote to memory of 572	1572	svchost.com	explorer.exe
PID 1572 wrote to memory of 572	1572	svchost.com	explorer.exe
PID 632 wrote to memory of 1448	632	svchost.com	cmd.exe
PID 632 wrote to memory of 1448	632	svchost.com	cmd.exe
PID 632 wrote to memory of 1448	632	svchost.com	cmd.exe
PID 632 wrote to memory of 1448	632	svchost.com	cmd.exe
PID 1448 wrote to memory of 1864	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1864	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1864	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1864	1448	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1552 attrib.exe
1936 attrib.exe

pid	process
1552	attrib.exe
1936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe
"C:\Users\Admin\AppData\Local\Temp\94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe
"C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe" +s +h
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\attrib.exe
attrib C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3582-490" +s +h
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp\3582-490 +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\attrib.exe
attrib C:\Users\Admin\AppData\Local\Temp\3582-490 +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k ping 127.0.0.1 -n 5 > NUL&del C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:1864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\explorer.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\explorer.exe
C:\explorer.exe
5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\381626_2195208882865_1354706487_N.JPG
Filesize
67KB

MD5
432447435448c22257ea21176d1100bb

SHA1
db3b6f8247e07f4decf394aaa61b28f59fd80abc

SHA256
5646bbf65f892b64a1c41e983f14cf281f042d028e1886a70c9002591b7482ff

SHA512
5b1a2cd2f8362ba10a748494217878a2b250a55cf37b9396bf55455caa622adcd4909a3440cada57753cc3bf4a1264ec40dee5069942744509380aa25f9a34ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe
Filesize
963KB

MD5
ce5ab88da961c591a491375988e71e14

SHA1
5a7a0dc2842ff4fc1acbd6ce4345c1e741bd2abc

SHA256
7a957c54a39489ae8a4f9b4cdbbbe013c2755c8724bcba2595d1cdc005db9c08

SHA512
6b50849b0d40c909789a77d710807cf16a42cb173d27c2ebc030e3c75c0f93904cbb4235ce695c7fda7a2f458669b27a23afd5a0e79e65804b56d0e009c70c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\teiubescmemo.exe
Filesize
963KB

MD5
ce5ab88da961c591a491375988e71e14

SHA1
5a7a0dc2842ff4fc1acbd6ce4345c1e741bd2abc

SHA256
7a957c54a39489ae8a4f9b4cdbbbe013c2755c8724bcba2595d1cdc005db9c08

SHA512
6b50849b0d40c909789a77d710807cf16a42cb173d27c2ebc030e3c75c0f93904cbb4235ce695c7fda7a2f458669b27a23afd5a0e79e65804b56d0e009c70c66

Download Submit
C:\Windows\directx.sys
Filesize
107B

MD5
ddaf6d425c8ac00dc151aff1ef25f641

SHA1
9216d4f22e75a0e1b7d3421ea52abc87a3361276

SHA256
758e704937579284052a74ae3c4e26e17904a0dda397d75b7fa3c45aeb326f46

SHA512
33fb2753cd6e406274c05bd13cc4052c36fa41cee8a94cbcc711014994fd88a41e0606ae812ed68cbabad12f5111d0e132e1973e83c62dbf6de8f2e8d3b77fa7

Download Submit
C:\Windows\directx.sys
Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
6d62ea3cf3cface62bea16193a52e643

SHA1
d486980e606e7d240764c4f3ab6846880c1c2009

SHA256
edcc4282011f20f2559175f319bb213a745ae256253ebb224e3b7fccfde94a61

SHA512
aaf184f8876299b7ffa52f186bbedce7886dc386343a7addb802717e2687bf256b93b77f7f8a7848bd58ad4adfaefde30bf2a3070798a9e05948d4e4c356c451

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
6d62ea3cf3cface62bea16193a52e643

SHA1
d486980e606e7d240764c4f3ab6846880c1c2009

SHA256
edcc4282011f20f2559175f319bb213a745ae256253ebb224e3b7fccfde94a61

SHA512
aaf184f8876299b7ffa52f186bbedce7886dc386343a7addb802717e2687bf256b93b77f7f8a7848bd58ad4adfaefde30bf2a3070798a9e05948d4e4c356c451

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
6d62ea3cf3cface62bea16193a52e643

SHA1
d486980e606e7d240764c4f3ab6846880c1c2009

SHA256
edcc4282011f20f2559175f319bb213a745ae256253ebb224e3b7fccfde94a61

SHA512
aaf184f8876299b7ffa52f186bbedce7886dc386343a7addb802717e2687bf256b93b77f7f8a7848bd58ad4adfaefde30bf2a3070798a9e05948d4e4c356c451

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
6d62ea3cf3cface62bea16193a52e643

SHA1
d486980e606e7d240764c4f3ab6846880c1c2009

SHA256
edcc4282011f20f2559175f319bb213a745ae256253ebb224e3b7fccfde94a61

SHA512
aaf184f8876299b7ffa52f186bbedce7886dc386343a7addb802717e2687bf256b93b77f7f8a7848bd58ad4adfaefde30bf2a3070798a9e05948d4e4c356c451

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
6d62ea3cf3cface62bea16193a52e643

SHA1
d486980e606e7d240764c4f3ab6846880c1c2009

SHA256
edcc4282011f20f2559175f319bb213a745ae256253ebb224e3b7fccfde94a61

SHA512
aaf184f8876299b7ffa52f186bbedce7886dc386343a7addb802717e2687bf256b93b77f7f8a7848bd58ad4adfaefde30bf2a3070798a9e05948d4e4c356c451

Download Submit
C:\explorer.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\teiubescmemo.exe
Filesize
922KB

MD5
c744a67f080ffb0d1cab7f8cc986af53

SHA1
b5a5bf6f4afc4f5e8ac5e61030517d622ea3171a

SHA256
216785f9f1b88d0393a5cb7262ba21f612cffd9661aa60a535b320cdc14f9df0

SHA512
c9f6201eb38ed4ca0ab5ddeb9dfc21ac2de2c05f69df1e96939f7a0d3f0ad52bf03e0888ba5112a911efa4c59a518e13e5c82d054dcdad9588774785b03c46bd

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\Users\Admin\AppData\Local\Temp\teiubescmemo.exe
Filesize
963KB

MD5
ce5ab88da961c591a491375988e71e14

SHA1
5a7a0dc2842ff4fc1acbd6ce4345c1e741bd2abc

SHA256
7a957c54a39489ae8a4f9b4cdbbbe013c2755c8724bcba2595d1cdc005db9c08

SHA512
6b50849b0d40c909789a77d710807cf16a42cb173d27c2ebc030e3c75c0f93904cbb4235ce695c7fda7a2f458669b27a23afd5a0e79e65804b56d0e009c70c66

Download Submit
\Users\Admin\AppData\Local\Temp\teiubescmemo.exe
Filesize
963KB

MD5
ce5ab88da961c591a491375988e71e14

SHA1
5a7a0dc2842ff4fc1acbd6ce4345c1e741bd2abc

SHA256
7a957c54a39489ae8a4f9b4cdbbbe013c2755c8724bcba2595d1cdc005db9c08

SHA512
6b50849b0d40c909789a77d710807cf16a42cb173d27c2ebc030e3c75c0f93904cbb4235ce695c7fda7a2f458669b27a23afd5a0e79e65804b56d0e009c70c66

Download Submit
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/468-59-0x0000000000000000-mapping.dmp

Download
memory/572-138-0x0000000000000000-mapping.dmp

Download
memory/632-131-0x0000000000000000-mapping.dmp

Download
memory/828-72-0x0000000000000000-mapping.dmp

Download
memory/968-78-0x0000000000000000-mapping.dmp

Download
memory/1180-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1180-56-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-55-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-139-0x0000000000000000-mapping.dmp

Download
memory/1528-70-0x0000000000000000-mapping.dmp

Download
memory/1552-104-0x0000000000000000-mapping.dmp

Download
memory/1556-76-0x0000000000000000-mapping.dmp

Download
memory/1572-130-0x0000000000000000-mapping.dmp

Download
memory/1864-141-0x0000000000000000-mapping.dmp

Download
memory/1936-103-0x0000000000000000-mapping.dmp

Download