a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
Size

524KB
MD5

223686ba9a056e632afd6a2204f75bf4
SHA1

fae4073f0f021bb46765fc8690f02d63369455b4
SHA256

a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82
SHA512

93a2196ad6a1c4c2cc4011382e838da145effa45270af695aa6e1bee40c9a2fd1ccc36bfa8a5a9a582ed9377e1bf90af16577c293c18ca30cbf28bfec4966b3d
SSDEEP

12288:m/XJJmzIMQL0sRjDGi5uj/C/OeP9TqdJy4Jt3E:mhJirsRjjkSUdJy4Jt3

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qr5i4eI0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	moelee.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	3hum.exe

Executes dropped EXE 10 IoCs

pid	Process
1368	qr5i4eI0.exe
1572	moelee.exe
1564	2hum.exe
972	2hum.exe
432	2hum.exe
1316	2hum.exe
2028	2hum.exe
2040	3hum.exe
2024	4hum.exe
332	csrss.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/972-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/972-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/972-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/432-91-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/972-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/972-95-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/432-96-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/432-94-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/432-105-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/432-106-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1316-104-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1316-107-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1316-108-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2028-113-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1316-115-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1316-117-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2028-118-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-116-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-124-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-126-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-130-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/972-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/432-132-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1316-133-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2040-139-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2040-142-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/432-143-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2040-144-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2040-146-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Loads dropped DLL 10 IoCs

pid	Process
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1368	qr5i4eI0.exe
1368	qr5i4eI0.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /h"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /s"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /O"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /D"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /T"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /r"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /d"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /I"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /K"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /v"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /R"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xrujsl3bqqwsvr3zdscxxf1uzfdvzrhq2\\svcnost.exe\""	3hum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /x"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /q"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /g"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /c"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /H"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /n"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /k"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /U"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /W"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /Z"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /G"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /X"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /M"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /u"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /o"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /l"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /i"	moelee.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /A"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /t"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /w"	moelee.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qr5i4eI0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /b"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /e"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /j"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /p"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /a"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /y"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /N"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /J"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /F"	qr5i4eI0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /F"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /E"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /B"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /V"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /S"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /L"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /f"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /z"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /Y"	moelee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\moelee = "C:\\Users\\Admin\\moelee.exe /C"	moelee.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2hum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2hum.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 972	1564	2hum.exe	35
PID 1564 set thread context of 432	1564	2hum.exe	36
PID 1564 set thread context of 1316	1564	2hum.exe	37
PID 1564 set thread context of 2028	1564	2hum.exe	38
PID 2024 set thread context of 364	2024	4hum.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1324	tasklist.exe
1668	tasklist.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	qr5i4eI0.exe
1368	qr5i4eI0.exe
1572	moelee.exe
432	2hum.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
2040	3hum.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
432	2hum.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
2024	4hum.exe
2024	4hum.exe
2024	4hum.exe
1572	moelee.exe
2024	4hum.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe
1572	moelee.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	2024	4hum.exe
Token: SeDebugPrivilege	2024	4hum.exe
Token: SeDebugPrivilege	1668	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
1368	qr5i4eI0.exe
1572	moelee.exe
1564	2hum.exe
972	2hum.exe
1316	2hum.exe
2028	2hum.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	3hum.exe
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1368	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	28
PID 1076 wrote to memory of 1368	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	28
PID 1076 wrote to memory of 1368	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	28
PID 1076 wrote to memory of 1368	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	28
PID 1368 wrote to memory of 1572	1368	qr5i4eI0.exe	29
PID 1368 wrote to memory of 1572	1368	qr5i4eI0.exe	29
PID 1368 wrote to memory of 1572	1368	qr5i4eI0.exe	29
PID 1368 wrote to memory of 1572	1368	qr5i4eI0.exe	29
PID 1368 wrote to memory of 1596	1368	qr5i4eI0.exe	30
PID 1368 wrote to memory of 1596	1368	qr5i4eI0.exe	30
PID 1368 wrote to memory of 1596	1368	qr5i4eI0.exe	30
PID 1368 wrote to memory of 1596	1368	qr5i4eI0.exe	30
PID 1596 wrote to memory of 1324	1596	cmd.exe	32
PID 1596 wrote to memory of 1324	1596	cmd.exe	32
PID 1596 wrote to memory of 1324	1596	cmd.exe	32
PID 1596 wrote to memory of 1324	1596	cmd.exe	32
PID 1076 wrote to memory of 1564	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	34
PID 1076 wrote to memory of 1564	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	34
PID 1076 wrote to memory of 1564	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	34
PID 1076 wrote to memory of 1564	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	34
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 972	1564	2hum.exe	35
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 432	1564	2hum.exe	36
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 1316	1564	2hum.exe	37
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1564 wrote to memory of 2028	1564	2hum.exe	38
PID 1076 wrote to memory of 2040	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	39
PID 1076 wrote to memory of 2040	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	39
PID 1076 wrote to memory of 2040	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	39
PID 1076 wrote to memory of 2040	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	39
PID 1076 wrote to memory of 2024	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	40
PID 1076 wrote to memory of 2024	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	40
PID 1076 wrote to memory of 2024	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	40
PID 1076 wrote to memory of 2024	1076	a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe	40
PID 2024 wrote to memory of 1260	2024	4hum.exe	12
PID 2024 wrote to memory of 332	2024	4hum.exe	25
PID 2024 wrote to memory of 364	2024	4hum.exe	41
PID 2024 wrote to memory of 364	2024	4hum.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
  "C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\qr5i4eI0.exe
    C:\Users\Admin\qr5i4eI0.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\moelee.exe
      "C:\Users\Admin\moelee.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del qr5i4eI0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
- - C:\Users\Admin\2hum.exe
    C:\Users\Admin\2hum.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\2hum.exe
      "C:\Users\Admin\2hum.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:972
  - - C:\Users\Admin\2hum.exe
      "C:\Users\Admin\2hum.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:432
  - - C:\Users\Admin\2hum.exe
      "C:\Users\Admin\2hum.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1316
  - - C:\Users\Admin\2hum.exe
      "C:\Users\Admin\2hum.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2028
- - C:\Users\Admin\3hum.exe
    C:\Users\Admin\3hum.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:2040
- - C:\Users\Admin\4hum.exe
    C:\Users\Admin\4hum.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist&&del a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
    3⤵
    - Deletes itself
    PID:1932
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:880

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
C:\Users\Admin\3hum.exe

Filesize
101KB

MD5
1e8c6e21a447e947c7dcbeb9ccf79f81

SHA1
78998e36435c58e2be3bc3f737d8d0f402d5a576

SHA256
40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

SHA512
31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

Download Submit
C:\Users\Admin\3hum.exe

Filesize
101KB

MD5
1e8c6e21a447e947c7dcbeb9ccf79f81

SHA1
78998e36435c58e2be3bc3f737d8d0f402d5a576

SHA256
40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

SHA512
31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

Download Submit
C:\Users\Admin\4hum.exe

Filesize
212KB

MD5
a755f176cd1cc2f7104ae0309bd35a41

SHA1
3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

SHA256
979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

SHA512
268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

Download Submit
C:\Users\Admin\4hum.exe

Filesize
212KB

MD5
a755f176cd1cc2f7104ae0309bd35a41

SHA1
3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

SHA256
979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

SHA512
268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

Download Submit
C:\Users\Admin\moelee.exe

Filesize
328KB

MD5
f650d00a7946f0c9450047a9648a96ed

SHA1
4651e505cf3727db7bbc6dcc282f3671177b2be8

SHA256
612bec993e3d50b661703c152a75a8061c3087abf886b935021a745ab2e1e5d7

SHA512
9f0d7fc3d5f3d212bd296dfd52a24d3680fb26965d5142d26b55024b1817642592ef170ffa65c83a62dfec0b5d75b353ab33aca3b8f3b18c9b5ef809bb02c67e

Download Submit
C:\Users\Admin\moelee.exe

Filesize
328KB

MD5
f650d00a7946f0c9450047a9648a96ed

SHA1
4651e505cf3727db7bbc6dcc282f3671177b2be8

SHA256
612bec993e3d50b661703c152a75a8061c3087abf886b935021a745ab2e1e5d7

SHA512
9f0d7fc3d5f3d212bd296dfd52a24d3680fb26965d5142d26b55024b1817642592ef170ffa65c83a62dfec0b5d75b353ab33aca3b8f3b18c9b5ef809bb02c67e

Download Submit
C:\Users\Admin\qr5i4eI0.exe

Filesize
328KB

MD5
9aae23da87aeef9bb56c08f760442ab2

SHA1
b1627a775b2f5d2a72742829326a66e684839268

SHA256
77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

SHA512
13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

Download Submit
C:\Users\Admin\qr5i4eI0.exe

Filesize
328KB

MD5
9aae23da87aeef9bb56c08f760442ab2

SHA1
b1627a775b2f5d2a72742829326a66e684839268

SHA256
77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

SHA512
13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

Download Submit
C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
939d1edb6037f6261723f0e76dd96a77

SHA1
71bb2769c8c1b274ff1ea974130210782c0dbea5

SHA256
334b9afb67d2b69611d27928e69e693e70a9c2ba22d8e90e0067656d6b3c9e4e

SHA512
88af102480eba5dd42de31b3d9cb48723e751f10a76867543fffd6eddd26206ddc6491ef8e7e2ccbb8c43d12652e1f52ef7e1086e0862af78150762606785d8c

Download Submit
\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
\Users\Admin\2hum.exe

Filesize
96KB

MD5
90d23730203c3fa5dbcb8a068fc28f7c

SHA1
d24dd53a400d27984aadc060a7a0ef084cb5a005

SHA256
3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

SHA512
13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

Download Submit
\Users\Admin\3hum.exe

Filesize
101KB

MD5
1e8c6e21a447e947c7dcbeb9ccf79f81

SHA1
78998e36435c58e2be3bc3f737d8d0f402d5a576

SHA256
40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

SHA512
31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

Download Submit
\Users\Admin\3hum.exe

Filesize
101KB

MD5
1e8c6e21a447e947c7dcbeb9ccf79f81

SHA1
78998e36435c58e2be3bc3f737d8d0f402d5a576

SHA256
40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

SHA512
31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

Download Submit
\Users\Admin\4hum.exe

Filesize
212KB

MD5
a755f176cd1cc2f7104ae0309bd35a41

SHA1
3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

SHA256
979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

SHA512
268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

Download Submit
\Users\Admin\4hum.exe

Filesize
212KB

MD5
a755f176cd1cc2f7104ae0309bd35a41

SHA1
3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

SHA256
979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

SHA512
268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

Download Submit
\Users\Admin\moelee.exe

Filesize
328KB

MD5
f650d00a7946f0c9450047a9648a96ed

SHA1
4651e505cf3727db7bbc6dcc282f3671177b2be8

SHA256
612bec993e3d50b661703c152a75a8061c3087abf886b935021a745ab2e1e5d7

SHA512
9f0d7fc3d5f3d212bd296dfd52a24d3680fb26965d5142d26b55024b1817642592ef170ffa65c83a62dfec0b5d75b353ab33aca3b8f3b18c9b5ef809bb02c67e

Download Submit
\Users\Admin\moelee.exe

Filesize
328KB

MD5
f650d00a7946f0c9450047a9648a96ed

SHA1
4651e505cf3727db7bbc6dcc282f3671177b2be8

SHA256
612bec993e3d50b661703c152a75a8061c3087abf886b935021a745ab2e1e5d7

SHA512
9f0d7fc3d5f3d212bd296dfd52a24d3680fb26965d5142d26b55024b1817642592ef170ffa65c83a62dfec0b5d75b353ab33aca3b8f3b18c9b5ef809bb02c67e

Download Submit
\Users\Admin\qr5i4eI0.exe

Filesize
328KB

MD5
9aae23da87aeef9bb56c08f760442ab2

SHA1
b1627a775b2f5d2a72742829326a66e684839268

SHA256
77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

SHA512
13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

Download Submit
\Users\Admin\qr5i4eI0.exe

Filesize
328KB

MD5
9aae23da87aeef9bb56c08f760442ab2

SHA1
b1627a775b2f5d2a72742829326a66e684839268

SHA256
77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

SHA512
13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/332-166-0x0000000001F90000-0x0000000001FA1000-memory.dmp

Filesize
68KB

Download
memory/432-106-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-105-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-96-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/880-177-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/880-183-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/880-173-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/880-184-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/880-185-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/880-186-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/880-181-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/972-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-95-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/972-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1076-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1260-155-0x0000000002A90000-0x0000000002A96000-memory.dmp

Filesize
24KB

Download
memory/1260-159-0x0000000002A90000-0x0000000002A96000-memory.dmp

Filesize
24KB

Download
memory/1260-163-0x0000000002A90000-0x0000000002A96000-memory.dmp

Filesize
24KB

Download
memory/1316-107-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-104-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-117-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-115-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-108-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-102-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1316-133-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2024-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2024-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2024-154-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2024-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2024-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-112-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-113-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-116-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-130-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-118-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-124-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-126-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2040-146-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-139-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-144-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-142-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-141-0x0000000000370000-0x00000000003D2000-memory.dmp

Filesize
392KB

Download
memory/2040-140-0x0000000000280000-0x00000000002E2000-memory.dmp

Filesize
392KB

Download