a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5

Analysis

max time kernel
106s
max time network
137s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe
Size

721KB
MD5

20e1fcbec4619053a06e4bd67811c200
SHA1

cf3e7f3128d933d9d5e9395f7093bfd56e9f9a2c
SHA256

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5
SHA512

5d806117fa3b85fffe491fdc2944f99bb576ec4de64c9e26ff3125f63419c0c97a29e3afb7d8351e3b68b320028a1d4ae943e89a092a9f12eea2dfeca140cb08
SSDEEP

12288:6yuMgCTiJiYNadtDII4EViqHbVmacykOvHnQts/XQnFhYCNIBtAGVcW:6yuMgCTX8aTUI1RH/HAY

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

subinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

pid	process
1040	subinacl.exe
2004	subinacl.exe
1412	subinacl.exe
1216	subinacl.exe
1732	subinacl.exe
2028	subinacl.exe
1600	subinacl.exe
1316	subinacl.exe
908	subinacl.exe
1208	subinacl.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

1556 takeown.exe
772 takeown.exe
844 icacls.exe
556 icacls.exe

pid	process
1556	takeown.exe
772	takeown.exe
844	icacls.exe
556	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RpcLocator\ImagePath = "%SystemRoot%\\system32\\locator.exe"	regedit.exe

Loads dropped DLL 21 IoCs

Processes:

cmd.exeregsvr32.exe

pid	process
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
564	regsvr32.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe
1756	cmd.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

844 icacls.exe
556 icacls.exe
1556 takeown.exe
772 takeown.exe

pid	process
844	icacls.exe
556	icacls.exe
1556	takeown.exe
772	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\runonce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Done = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Done.bat"	reg.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File created	C:\Windows\SysWOW64\spoolss.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolss.dll	cmd.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2020 sc.exe
560 sc.exe
1992 sc.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

320 regedit.exe
Runs net.exe

pid	process
2020	sc.exe
560	sc.exe
1992	sc.exe

pid	process
320	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1556	takeown.exe
Token: SeTakeOwnershipPrivilege	772	takeown.exe
Token: SeSecurityPrivilege	1040	subinacl.exe
Token: SeBackupPrivilege	1040	subinacl.exe
Token: SeRestorePrivilege	1040	subinacl.exe
Token: SeRestorePrivilege	1040	subinacl.exe
Token: SeTakeOwnershipPrivilege	1040	subinacl.exe
Token: SeChangeNotifyPrivilege	1040	subinacl.exe
Token: SeDebugPrivilege	1040	subinacl.exe
Token: SeSecurityPrivilege	2004	subinacl.exe
Token: SeBackupPrivilege	2004	subinacl.exe
Token: SeRestorePrivilege	2004	subinacl.exe
Token: SeRestorePrivilege	2004	subinacl.exe
Token: SeTakeOwnershipPrivilege	2004	subinacl.exe
Token: SeChangeNotifyPrivilege	2004	subinacl.exe
Token: SeDebugPrivilege	2004	subinacl.exe
Token: SeSecurityPrivilege	1412	subinacl.exe
Token: SeBackupPrivilege	1412	subinacl.exe
Token: SeRestorePrivilege	1412	subinacl.exe
Token: SeRestorePrivilege	1412	subinacl.exe
Token: SeTakeOwnershipPrivilege	1412	subinacl.exe
Token: SeChangeNotifyPrivilege	1412	subinacl.exe
Token: SeDebugPrivilege	1412	subinacl.exe
Token: SeSecurityPrivilege	1216	subinacl.exe
Token: SeBackupPrivilege	1216	subinacl.exe
Token: SeRestorePrivilege	1216	subinacl.exe
Token: SeRestorePrivilege	1216	subinacl.exe
Token: SeTakeOwnershipPrivilege	1216	subinacl.exe
Token: SeChangeNotifyPrivilege	1216	subinacl.exe
Token: SeDebugPrivilege	1216	subinacl.exe
Token: SeSecurityPrivilege	1732	subinacl.exe
Token: SeBackupPrivilege	1732	subinacl.exe
Token: SeRestorePrivilege	1732	subinacl.exe
Token: SeRestorePrivilege	1732	subinacl.exe
Token: SeTakeOwnershipPrivilege	1732	subinacl.exe
Token: SeChangeNotifyPrivilege	1732	subinacl.exe
Token: SeDebugPrivilege	1732	subinacl.exe
Token: SeSecurityPrivilege	2028	subinacl.exe
Token: SeBackupPrivilege	2028	subinacl.exe
Token: SeRestorePrivilege	2028	subinacl.exe
Token: SeRestorePrivilege	2028	subinacl.exe
Token: SeTakeOwnershipPrivilege	2028	subinacl.exe
Token: SeChangeNotifyPrivilege	2028	subinacl.exe
Token: SeDebugPrivilege	2028	subinacl.exe
Token: SeSecurityPrivilege	1600	subinacl.exe
Token: SeBackupPrivilege	1600	subinacl.exe
Token: SeRestorePrivilege	1600	subinacl.exe
Token: SeRestorePrivilege	1600	subinacl.exe
Token: SeTakeOwnershipPrivilege	1600	subinacl.exe
Token: SeChangeNotifyPrivilege	1600	subinacl.exe
Token: SeDebugPrivilege	1600	subinacl.exe
Token: SeSecurityPrivilege	1316	subinacl.exe
Token: SeBackupPrivilege	1316	subinacl.exe
Token: SeRestorePrivilege	1316	subinacl.exe
Token: SeRestorePrivilege	1316	subinacl.exe
Token: SeTakeOwnershipPrivilege	1316	subinacl.exe
Token: SeChangeNotifyPrivilege	1316	subinacl.exe
Token: SeDebugPrivilege	1316	subinacl.exe
Token: SeSecurityPrivilege	908	subinacl.exe
Token: SeBackupPrivilege	908	subinacl.exe
Token: SeRestorePrivilege	908	subinacl.exe
Token: SeRestorePrivilege	908	subinacl.exe
Token: SeTakeOwnershipPrivilege	908	subinacl.exe
Token: SeChangeNotifyPrivilege	908	subinacl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1252 wrote to memory of 1316	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1316	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1316	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1316	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 472	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 472	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 472	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 472	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 676	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 676	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 676	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 676	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 676 wrote to memory of 1176	676	cmd.exe	attrib.exe
PID 676 wrote to memory of 1176	676	cmd.exe	attrib.exe
PID 676 wrote to memory of 1176	676	cmd.exe	attrib.exe
PID 676 wrote to memory of 1176	676	cmd.exe	attrib.exe
PID 1252 wrote to memory of 1180	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1180	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1180	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1180	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 524	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 524	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 524	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 524	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 376	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 376	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 376	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 376	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1092	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1092	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1092	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1092	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1696	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1696	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1696	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1696	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1020	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1020	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1020	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1020	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1756	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1756	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1756	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1252 wrote to memory of 1756	1252	a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe	cmd.exe
PID 1756 wrote to memory of 1820	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1820	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1820	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1820	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1512	1756	cmd.exe	net.exe
PID 1756 wrote to memory of 1512	1756	cmd.exe	net.exe
PID 1756 wrote to memory of 1512	1756	cmd.exe	net.exe
PID 1756 wrote to memory of 1512	1756	cmd.exe	net.exe
PID 1512 wrote to memory of 1740	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1740	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1740	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1740	1512	net.exe	net1.exe
PID 1756 wrote to memory of 1556	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 1556	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 1556	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 1556	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 772	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 772	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 772	1756	cmd.exe	takeown.exe
PID 1756 wrote to memory of 772	1756	cmd.exe	takeown.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1176 attrib.exe

pid	process
1176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe
"C:\Users\Admin\AppData\Local\Temp\a7e78b8f4f59d905be2ffa65ba3d1a2f16b7002cd0145b8b3d03fe925b382ba5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
2⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Views/modifies file attributes
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat"
2⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp8129.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp8129.exe"
2⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\reg.exe
Reg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /f
3⤵
PID:1820

C:\Windows\SysWOW64\net.exe
Net stop spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop spooler
4⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolss.dll /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolsv.exe /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolss.dll" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolsv.exe" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:556

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\System32\spoolss.dll
3⤵
- Loads dropped DLL
PID:564

C:\Windows\SysWOW64\msiexec.exe
Msiexec /unregserver
3⤵
PID:1180

C:\Windows\SysWOW64\msiexec.exe
Msiexec /regserver
3⤵
PID:596

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg
3⤵
- Sets service image path in registry
- Runs .reg file with regedit
PID:320

C:\Windows\SysWOW64\sc.exe
sc config spooler depend= RPCSS
3⤵
- Launches sc.exe
PID:2020

C:\Windows\SysWOW64\sc.exe
sc config spooler type= own
3⤵
- Launches sc.exe
PID:560

C:\Windows\SysWOW64\sc.exe
sc config spooler start= auto
3⤵
- Launches sc.exe
PID:1992

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /v Type /t REG_DWORD /d 0x00000010 /f
3⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWOW64\net.exe
Net start spooler
3⤵
PID:692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start spooler
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Done.bat" /f
3⤵
- Adds Run key to start application
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
3⤵
PID:1556

C:\Windows\SysWOW64\shutdown.exe
Shutdown /r /f /t 10
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat"
2⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp8129.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp8129.exe"
2⤵
PID:1944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg

Filesize
11KB

MD5
5b8a8081eb0b3300176510c426c722c9

SHA1
e6d4f7e41a8b49bfe3e18b492afc3e3be2dcc25e

SHA256
00d3bb72cb6e3f9019bfa24023eece8aebcadb776a13a26ea2ed50bf91fd7946

SHA512
3d72dca455156510f0097b9aa7eeebf59cd6b490281e750bf5c072f96eb878c26228ac69572284040c966ace031dea51b4db9f4185328ac6b2821304be1474ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe

Filesize
309KB

MD5
49b6dd6ab3715b7a67965f17194e98a9

SHA1
748cce9f0ddad553aad3e695f10d6249fde953c2

SHA256
331d69f3630ba978ac13471a2e7465351d04416343a595c62b94badffcd02b3a

SHA512
8690e6180f6323a0b7eb935072eae295ed960f3c1755b3df319d9cd5ba44b55cc652874d098b3fe28c15b2bf4416615c93a6b2f06ecd17d37bea08bb3b371a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
186B

MD5
96d166f9530d94e1021916fd7c6e4a6f

SHA1
c641b873029c1c48f6c177319f3a5647d1b4685d

SHA256
253c417d94f7f5838807aa4fbbf64a5b197ffb65380234cdd40c48140ff0d961

SHA512
ba87107ab97aaa27e1f2bc5ceb024316c1d271dcc001e1427ca8c99e781da367c3709f00aaedcfbfb59cd91bed9b00dfd84de2abd279955dfda974515556c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp8129.exe

Filesize
15B

MD5
3c52638971ead82b5929d605c1314ee0

SHA1
7318148a40faca203ac402dff51bbb04e638545c

SHA256
5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

SHA512
46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9132.bat

Filesize
5KB

MD5
2f0c32650bd654c7ee7d2af6cfbf0ad3

SHA1
9a90999b25ab1062bb9b0ab7151a52968cb9b7a1

SHA256
c95e093e1b7b0afe9d58f74ef08088ef3e72b241e86edf07cb0a5fb0dddbc9c3

SHA512
d18b0ca07a8f26e283cb34f8e1e84b3dbbf97825ffadd0780c063950a4c6f06d7e85fd69cfe670c8f023a74fee3c25d0a1160282a53f1460b2146232af07060d

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
C:\Windows\SysWOW64\spoolsv.exe

Filesize
309KB

MD5
49b6dd6ab3715b7a67965f17194e98a9

SHA1
748cce9f0ddad553aad3e695f10d6249fde953c2

SHA256
331d69f3630ba978ac13471a2e7465351d04416343a595c62b94badffcd02b3a

SHA512
8690e6180f6323a0b7eb935072eae295ed960f3c1755b3df319d9cd5ba44b55cc652874d098b3fe28c15b2bf4416615c93a6b2f06ecd17d37bea08bb3b371a94

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
629181c26a78eb66b0b4e774e5ac2882

SHA1
7fb19484c68be7a298647461d543a35c0b739664

SHA256
de39d01adc4123c81ef77b24d7fc2f66c27cc2d31248ef53c52cd31ac90a95ce

SHA512
13377149d4d68130efc148c13ab10480a2f320d4396f61ec7a4fa5e497637469f831401d9c57438fa3d85ca883767c7781bfe37ebf83923aaecab9bebd30e00d

Download Submit
memory/320-125-0x0000000000000000-mapping.dmp

Download
memory/340-150-0x0000000000000000-mapping.dmp

Download
memory/376-60-0x0000000000000000-mapping.dmp

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/524-59-0x0000000000000000-mapping.dmp

Download
memory/556-72-0x0000000000000000-mapping.dmp

Download
memory/560-129-0x0000000000000000-mapping.dmp

Download
memory/564-118-0x0000000000000000-mapping.dmp

Download
memory/596-123-0x0000000000000000-mapping.dmp

Download
memory/676-56-0x0000000000000000-mapping.dmp

Download
memory/692-142-0x0000000000000000-mapping.dmp

Download
memory/772-70-0x0000000000000000-mapping.dmp

Download
memory/836-151-0x0000000000000000-mapping.dmp

Download
memory/844-71-0x0000000000000000-mapping.dmp

Download
memory/908-134-0x0000000000000000-mapping.dmp

Download
memory/1020-63-0x0000000000000000-mapping.dmp

Download
memory/1040-76-0x0000000000000000-mapping.dmp

Download
memory/1040-78-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1040-149-0x0000000000000000-mapping.dmp

Download
memory/1052-131-0x0000000000000000-mapping.dmp

Download
memory/1092-61-0x0000000000000000-mapping.dmp

Download
memory/1096-148-0x0000000000000000-mapping.dmp

Download
memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1180-58-0x0000000000000000-mapping.dmp

Download
memory/1180-121-0x0000000000000000-mapping.dmp

Download
memory/1208-139-0x0000000000000000-mapping.dmp

Download
memory/1216-91-0x0000000000000000-mapping.dmp

Download
memory/1316-54-0x0000000000000000-mapping.dmp

Download
memory/1316-115-0x0000000000000000-mapping.dmp

Download
memory/1412-86-0x0000000000000000-mapping.dmp

Download
memory/1512-67-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x0000000000000000-mapping.dmp

Download
memory/1556-145-0x0000000000000000-mapping.dmp

Download
memory/1556-69-0x0000000000000000-mapping.dmp

Download
memory/1572-144-0x0000000000000000-mapping.dmp

Download
memory/1600-108-0x0000000000000000-mapping.dmp

Download
memory/1660-152-0x0000000000000000-mapping.dmp

Download
memory/1696-62-0x0000000000000000-mapping.dmp

Download
memory/1732-96-0x0000000000000000-mapping.dmp

Download
memory/1740-68-0x0000000000000000-mapping.dmp

Download
memory/1756-64-0x0000000000000000-mapping.dmp

Download
memory/1760-156-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1820-66-0x0000000000000000-mapping.dmp

Download
memory/1936-153-0x0000000000000000-mapping.dmp

Download
memory/1944-154-0x0000000000000000-mapping.dmp

Download
memory/1992-130-0x0000000000000000-mapping.dmp

Download
memory/2004-81-0x0000000000000000-mapping.dmp

Download
memory/2020-128-0x0000000000000000-mapping.dmp

Download
memory/2028-101-0x0000000000000000-mapping.dmp

Download