9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1

Analysis

max time kernel
203s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Size

1.1MB
MD5

cb2e32b906afa94ac0016f42d67d53dc
SHA1

2a0848d6247bde35ea5d84c6617313d31e884608
SHA256

9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1
SHA512

c99c6fbf61d434a6752059e5fd91e48818ad5375bc32fbef8b8cab73b37b548a686d6ddab387fbe2095a48ef855671e849c5a69ee9a69bc77e6f02b4df49aa4c
SSDEEP

12288:cRxbQHbdm/HbPfRnJGSUUg+6fSf7Gos20oZXhxR788:cnbwgbBJG9cgOGomoXPRw8

Score

9^/10

evasion persistence trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012302-130.dat	acprotect
behavioral1/files/0x0008000000012302-160.dat	acprotect
behavioral1/files/0x0008000000012302-161.dat	acprotect
behavioral1/memory/932-162-0x0000000000430000-0x000000000043F000-memory.dmp	acprotect

Executes dropped EXE 11 IoCs

pid	Process
804	smss.exe
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
1680	smss.exe
932	lsass.exe
652	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
1496	lsass.exe
1704	smss.exe
728	smss.exe
1700	smss.exe
1752	smss.exe
536	smss.exe

Sets file execution options in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	lsass.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	lsass.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	smss.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-54-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-60.dat	upx
behavioral1/files/0x000c0000000122f5-61.dat	upx
behavioral1/files/0x000c0000000122f5-62.dat	upx
behavioral1/files/0x000c0000000122f5-64.dat	upx
behavioral1/memory/804-65-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000b0000000122f8-66.dat	upx
behavioral1/files/0x000b0000000122f8-67.dat	upx
behavioral1/files/0x000b0000000122f8-70.dat	upx
behavioral1/files/0x000b0000000122f8-68.dat	upx
behavioral1/memory/316-71-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2000-77-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-82.dat	upx
behavioral1/files/0x000c0000000122f5-83.dat	upx
behavioral1/files/0x000c0000000122f5-84.dat	upx
behavioral1/files/0x000c0000000122f5-86.dat	upx
behavioral1/memory/1680-88-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x00090000000122fe-89.dat	upx
behavioral1/files/0x00090000000122fe-90.dat	upx
behavioral1/files/0x00090000000122fe-93.dat	upx
behavioral1/files/0x00090000000122fe-99.dat	upx
behavioral1/files/0x00090000000122fe-101.dat	upx
behavioral1/memory/932-104-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2000-105-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x00090000000122fe-106.dat	upx
behavioral1/files/0x00090000000122fe-113.dat	upx
behavioral1/memory/1496-126-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-127.dat	upx
behavioral1/memory/1496-128-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0008000000012302-130.dat	upx
behavioral1/files/0x000c0000000122f5-132.dat	upx
behavioral1/files/0x000c0000000122f5-133.dat	upx
behavioral1/files/0x000c0000000122f5-134.dat	upx
behavioral1/files/0x000c0000000122f5-136.dat	upx
behavioral1/memory/1704-137-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000012306-138.dat	upx
behavioral1/memory/932-139-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/memory/932-140-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-143.dat	upx
behavioral1/files/0x000c0000000122f5-144.dat	upx
behavioral1/files/0x000c0000000122f5-146.dat	upx
behavioral1/memory/728-147-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-151.dat	upx
behavioral1/files/0x000c0000000122f5-152.dat	upx
behavioral1/files/0x000c0000000122f5-154.dat	upx
behavioral1/memory/1700-155-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-156.dat	upx
behavioral1/files/0x000c0000000122f5-159.dat	upx
behavioral1/files/0x000c0000000122f5-157.dat	upx
behavioral1/files/0x0008000000012302-160.dat	upx
behavioral1/files/0x0008000000012302-161.dat	upx
behavioral1/memory/932-162-0x0000000000430000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1752-164-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1752-165-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral1/files/0x000c0000000122f5-171.dat	upx
behavioral1/files/0x000c0000000122f5-172.dat	upx
behavioral1/files/0x000c0000000122f5-174.dat	upx
behavioral1/memory/536-175-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Loads dropped DLL 25 IoCs

pid	Process
1364	cmd.exe
1364	cmd.exe
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
1324	cmd.exe
1324	cmd.exe
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
932	lsass.exe
860	cmd.exe
860	cmd.exe
1372	cmd.exe
1372	cmd.exe
1932	regsvr32.exe
2008	cmd.exe
2008	cmd.exe
932	lsass.exe
932	lsass.exe
1752	smss.exe
1228	cmd.exe
1228	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Enumerates connected drives 3 TTPs 5 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\E:	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Drops autorun.inf file 1 TTPs 13 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File opened for modification	D:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File opened for modification	\??\E:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File opened for modification	C:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe
File opened for modification	C:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe
File opened for modification	C:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened for modification	D:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened for modification	\??\E:\AUTORUN.INF	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File created	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File created	C:\Windows\SysWOW64\00302.log	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File created	C:\Windows\SysWOW64\00302.log	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
File created	C:\Windows\SysWOW64\00302.log	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dnsq.dll	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1732	ping.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
932	lsass.exe
1496	lsass.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
Token: SeDebugPrivilege	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
Token: SeDebugPrivilege	932	lsass.exe
Token: SeDebugPrivilege	1496	lsass.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
932	lsass.exe
932	lsass.exe
932	lsass.exe
932	lsass.exe
1496	lsass.exe
1496	lsass.exe
1496	lsass.exe
1496	lsass.exe
932	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1736	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	28
PID 316 wrote to memory of 1736	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	28
PID 316 wrote to memory of 1736	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	28
PID 316 wrote to memory of 1736	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	28
PID 316 wrote to memory of 1744	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	29
PID 316 wrote to memory of 1744	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	29
PID 316 wrote to memory of 1744	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	29
PID 316 wrote to memory of 1744	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	29
PID 316 wrote to memory of 468	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	32
PID 316 wrote to memory of 468	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	32
PID 316 wrote to memory of 468	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	32
PID 316 wrote to memory of 468	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	32
PID 316 wrote to memory of 1364	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	34
PID 316 wrote to memory of 1364	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	34
PID 316 wrote to memory of 1364	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	34
PID 316 wrote to memory of 1364	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	34
PID 1364 wrote to memory of 804	1364	cmd.exe	36
PID 1364 wrote to memory of 804	1364	cmd.exe	36
PID 1364 wrote to memory of 804	1364	cmd.exe	36
PID 1364 wrote to memory of 804	1364	cmd.exe	36
PID 316 wrote to memory of 2000	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	37
PID 316 wrote to memory of 2000	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	37
PID 316 wrote to memory of 2000	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	37
PID 316 wrote to memory of 2000	316	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe	37
PID 2000 wrote to memory of 1784	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	38
PID 2000 wrote to memory of 1784	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	38
PID 2000 wrote to memory of 1784	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	38
PID 2000 wrote to memory of 1784	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	38
PID 2000 wrote to memory of 1044	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	40
PID 2000 wrote to memory of 1044	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	40
PID 2000 wrote to memory of 1044	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	40
PID 2000 wrote to memory of 1044	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	40
PID 2000 wrote to memory of 428	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	41
PID 2000 wrote to memory of 428	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	41
PID 2000 wrote to memory of 428	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	41
PID 2000 wrote to memory of 428	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	41
PID 2000 wrote to memory of 1268	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	43
PID 2000 wrote to memory of 1268	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	43
PID 2000 wrote to memory of 1268	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	43
PID 2000 wrote to memory of 1268	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	43
PID 2000 wrote to memory of 1048	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	46
PID 2000 wrote to memory of 1048	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	46
PID 2000 wrote to memory of 1048	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	46
PID 2000 wrote to memory of 1048	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	46
PID 2000 wrote to memory of 968	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	48
PID 2000 wrote to memory of 968	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	48
PID 2000 wrote to memory of 968	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	48
PID 2000 wrote to memory of 968	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	48
PID 2000 wrote to memory of 1084	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	50
PID 2000 wrote to memory of 1084	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	50
PID 2000 wrote to memory of 1084	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	50
PID 2000 wrote to memory of 1084	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	50
PID 2000 wrote to memory of 1324	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	52
PID 2000 wrote to memory of 1324	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	52
PID 2000 wrote to memory of 1324	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	52
PID 2000 wrote to memory of 1324	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	52
PID 1324 wrote to memory of 1680	1324	cmd.exe	54
PID 1324 wrote to memory of 1680	1324	cmd.exe	54
PID 1324 wrote to memory of 1680	1324	cmd.exe	54
PID 1324 wrote to memory of 1680	1324	cmd.exe	54
PID 2000 wrote to memory of 932	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	55
PID 2000 wrote to memory of 932	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	55
PID 2000 wrote to memory of 932	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	55
PID 2000 wrote to memory of 932	2000	9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log	55

C:\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
"C:\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ok
  2⤵
  PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe^|c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe|c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
    3⤵
    - Executes dropped EXE
    PID:804
- \??\c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
  "c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
    3⤵
    PID:428
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c echo ok
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.~^|c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.~|c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
      4⤵
      Executes dropped EXE
      PID:1680
- - C:\Windows\SysWOW64\com\lsass.exe
    "C:\Windows\system32\com\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:932
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:860
    - - C:\Windows\SysWOW64\com\smss.exe
        
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:1372
    - - C:\Windows\SysWOW64\com\smss.exe
        
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:2008
    - - C:\Windows\SysWOW64\com\smss.exe
        
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:1700
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
      4⤵
      Loads dropped DLL
      PID:1228
    - - C:\Windows\SysWOW64\com\smss.exe
        
        C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      Runs ping.exe
      PID:1732
- - C:\Users\Admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe
    "C:\Users\Admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe"
    3⤵
    - Executes dropped EXE
    PID:652
- - C:\Windows\SysWOW64\com\lsass.exe
    ^c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log
    3⤵
    - Executes dropped EXE
    - Sets file execution options in registry
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1496
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
      4⤵
      PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Filesize
1008KB

MD5
b1b5c7807db18fa91c767645f8ec484a

SHA1
e161c942d72e2680483a6d19650bc2fb0eafe8c2

SHA256
4ba83b5e209e898af60cd591cbbe045eea1e92c6d95589787b82b8fd695a45b7

SHA512
08e8be288d90aac2ddc4e23ec68f3d0d16414d787c829ddb486ddd558e131d4e6814d76988bef29005fc4f7b086894dddbd1d9942fa2a1dfd1b34eaf90b35af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log

Filesize
1.1MB

MD5
cb2e32b906afa94ac0016f42d67d53dc

SHA1
2a0848d6247bde35ea5d84c6617313d31e884608

SHA256
9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1

SHA512
c99c6fbf61d434a6752059e5fd91e48818ad5375bc32fbef8b8cab73b37b548a686d6ddab387fbe2095a48ef855671e849c5a69ee9a69bc77e6f02b4df49aa4c

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll

Filesize
44KB

MD5
d3777f588e34bbc50a1c08d472b94a83

SHA1
abcbccde250c3a142347efc32c5a89869ead61f4

SHA256
0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b

SHA512
8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
23KB

MD5
6e011a364d6a6170499947231ffbde99

SHA1
3f7ebdbd269a7e3bf46a0135c20485baa749bf65

SHA256
c1c54122cd6dcd7d685d80ec0872a9736d89752f0df9cea25ab8398a6b30e1f3

SHA512
50446842b5c2dc3880ea193454778a955d594916a75f103e6c1cb04c9815e230a36f35f0326a1a759360645adfbe7221239dc967a33efc886b6638847c5da008

Download Submit
C:\pagefile.pif

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
\??\c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Filesize
1008KB

MD5
b1b5c7807db18fa91c767645f8ec484a

SHA1
e161c942d72e2680483a6d19650bc2fb0eafe8c2

SHA256
4ba83b5e209e898af60cd591cbbe045eea1e92c6d95589787b82b8fd695a45b7

SHA512
08e8be288d90aac2ddc4e23ec68f3d0d16414d787c829ddb486ddd558e131d4e6814d76988bef29005fc4f7b086894dddbd1d9942fa2a1dfd1b34eaf90b35af5

Download Submit
\??\c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log

Filesize
1.1MB

MD5
cb2e32b906afa94ac0016f42d67d53dc

SHA1
2a0848d6247bde35ea5d84c6617313d31e884608

SHA256
9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1

SHA512
c99c6fbf61d434a6752059e5fd91e48818ad5375bc32fbef8b8cab73b37b548a686d6ddab387fbe2095a48ef855671e849c5a69ee9a69bc77e6f02b4df49aa4c

Download Submit
\??\c:\users\admin\appdata\local\temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.~

Filesize
1008KB

MD5
b1b5c7807db18fa91c767645f8ec484a

SHA1
e161c942d72e2680483a6d19650bc2fb0eafe8c2

SHA256
4ba83b5e209e898af60cd591cbbe045eea1e92c6d95589787b82b8fd695a45b7

SHA512
08e8be288d90aac2ddc4e23ec68f3d0d16414d787c829ddb486ddd558e131d4e6814d76988bef29005fc4f7b086894dddbd1d9942fa2a1dfd1b34eaf90b35af5

Download Submit
\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Filesize
1008KB

MD5
b1b5c7807db18fa91c767645f8ec484a

SHA1
e161c942d72e2680483a6d19650bc2fb0eafe8c2

SHA256
4ba83b5e209e898af60cd591cbbe045eea1e92c6d95589787b82b8fd695a45b7

SHA512
08e8be288d90aac2ddc4e23ec68f3d0d16414d787c829ddb486ddd558e131d4e6814d76988bef29005fc4f7b086894dddbd1d9942fa2a1dfd1b34eaf90b35af5

Download Submit
\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe

Filesize
1008KB

MD5
b1b5c7807db18fa91c767645f8ec484a

SHA1
e161c942d72e2680483a6d19650bc2fb0eafe8c2

SHA256
4ba83b5e209e898af60cd591cbbe045eea1e92c6d95589787b82b8fd695a45b7

SHA512
08e8be288d90aac2ddc4e23ec68f3d0d16414d787c829ddb486ddd558e131d4e6814d76988bef29005fc4f7b086894dddbd1d9942fa2a1dfd1b34eaf90b35af5

Download Submit
\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log

Filesize
1.1MB

MD5
cb2e32b906afa94ac0016f42d67d53dc

SHA1
2a0848d6247bde35ea5d84c6617313d31e884608

SHA256
9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1

SHA512
c99c6fbf61d434a6752059e5fd91e48818ad5375bc32fbef8b8cab73b37b548a686d6ddab387fbe2095a48ef855671e849c5a69ee9a69bc77e6f02b4df49aa4c

Download Submit
\Users\Admin\AppData\Local\Temp\9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1.exe.log

Filesize
1.1MB

MD5
cb2e32b906afa94ac0016f42d67d53dc

SHA1
2a0848d6247bde35ea5d84c6617313d31e884608

SHA256
9785f5814ba645e2e6fad8047e25644d18b1f559d00943f3a526cb0d12f86fd1

SHA512
c99c6fbf61d434a6752059e5fd91e48818ad5375bc32fbef8b8cab73b37b548a686d6ddab387fbe2095a48ef855671e849c5a69ee9a69bc77e6f02b4df49aa4c

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
80KB

MD5
41e09563077ce88e9e894b021d30a7d1

SHA1
361f11973a8c6bd2ba549fb10ce74d555a41cdb7

SHA256
ef96cfcd196c9dac12672c4c2ad327e8e1b327cd883d24fff97092e4c7cbd2a8

SHA512
bda850613b3df9234d0b8c4a78b385645726ed7db89fab0dd76b936d13041f9255a7dc8056b9a0ba5583ab5600bc2709026100549f16af6b3c47f5fd9c82a2bc

Download Submit
\Windows\SysWOW64\com\netcfg.dll

Filesize
44KB

MD5
d3777f588e34bbc50a1c08d472b94a83

SHA1
abcbccde250c3a142347efc32c5a89869ead61f4

SHA256
0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b

SHA512
8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
21KB

MD5
ecc52a71f452d05a30b9b521d8ed9025

SHA1
fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

SHA256
f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

SHA512
d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
23KB

MD5
6e011a364d6a6170499947231ffbde99

SHA1
3f7ebdbd269a7e3bf46a0135c20485baa749bf65

SHA256
c1c54122cd6dcd7d685d80ec0872a9736d89752f0df9cea25ab8398a6b30e1f3

SHA512
50446842b5c2dc3880ea193454778a955d594916a75f103e6c1cb04c9815e230a36f35f0326a1a759360645adfbe7221239dc967a33efc886b6638847c5da008

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
23KB

MD5
6e011a364d6a6170499947231ffbde99

SHA1
3f7ebdbd269a7e3bf46a0135c20485baa749bf65

SHA256
c1c54122cd6dcd7d685d80ec0872a9736d89752f0df9cea25ab8398a6b30e1f3

SHA512
50446842b5c2dc3880ea193454778a955d594916a75f103e6c1cb04c9815e230a36f35f0326a1a759360645adfbe7221239dc967a33efc886b6638847c5da008

Download Submit
memory/316-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/316-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/316-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/536-175-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/728-147-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/804-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/932-139-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/932-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/932-162-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/932-169-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/932-168-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/932-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/932-163-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/1496-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1680-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1700-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1704-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1752-164-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1752-165-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2000-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2000-103-0x0000000002B50000-0x0000000002B7B000-memory.dmp

Filesize
172KB

Download
memory/2000-77-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download