lucastealer | d881663244daab00c57fb1715aef3ce183da334236670ea520bbf0fd198a4b3d

Resubmissions

22-10-2023 04:26

231022-e2zfpsfa72 10

21-10-2023 21:13

231021-z27gjacf54 10

Analysis

max time kernel
61s
max time network
53s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.13d37451cb332802b88bd5684f8a9f90.exe
Size

4.6MB
MD5

13d37451cb332802b88bd5684f8a9f90
SHA1

19c367dca209aff91e39aaedaa021e0c957502d0
SHA256

d881663244daab00c57fb1715aef3ce183da334236670ea520bbf0fd198a4b3d
SHA512

e38eadd8628cc6d6d8e0ef8538635328ec8d62292b1672fbc8a18c974fc1393879102746006ef5a13f1e52bbe4bf692e3111f54110427e4805e7a231b94c741a
SSDEEP

49152:CYhJZoQrbTFZY1ia/N8kHLlkMROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtB:zhtrbTA1OiWXLW6jRhdGVQguhhW31Z4

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CIJRTX.lnk	neas.13d37451cb332802b88bd5684f8a9f90.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2684	icsys.icn.exe
2604	explorer.exe
2656	spoolsv.exe
2016	UPUGVT.exe
2980	svchost.exe
2964	RXLFSQ.exe
1172	spoolsv.exe
1468	upugvt.exe
1768	icsys.icn.exe
2080	explorer.exe

Loads dropped DLL 27 IoCs

pid	Process
860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
2684	icsys.icn.exe
2684	icsys.icn.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2604	explorer.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2604	explorer.exe
2656	spoolsv.exe
2656	spoolsv.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe
2980	svchost.exe
2980	svchost.exe
2016	UPUGVT.exe
2016	UPUGVT.exe
2016	UPUGVT.exe
1768	icsys.icn.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\CIJRTX = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	neas.13d37451cb332802b88bd5684f8a9f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00250000000152d3-6.dat	autoit_exe
behavioral1/files/0x00250000000152d3-9.dat	autoit_exe
behavioral1/files/0x00250000000152d3-10.dat	autoit_exe
behavioral1/files/0x0006000000015e3e-140.dat	autoit_exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1732	2964	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2260	schtasks.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000005657692310204c6f63616c00380008000400efbe5457809d565769232a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000005457809d122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe5457809d5457809d2a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	RXLFSQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	RXLFSQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	RXLFSQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	RXLFSQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000056577323102054656d700000360008000400efbe5457809d565773232a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	RXLFSQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	RXLFSQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	RXLFSQ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	icsys.icn.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe
2604	explorer.exe
2980	svchost.exe
2980	svchost.exe
2604	explorer.exe
2980	svchost.exe
2604	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2604	explorer.exe
2980	svchost.exe
2876	neas.13d37451cb332802b88bd5684f8a9f90.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
2684	icsys.icn.exe
2684	icsys.icn.exe
2604	explorer.exe
2604	explorer.exe
2656	spoolsv.exe
2656	spoolsv.exe
2016	UPUGVT.exe
2980	svchost.exe
2980	svchost.exe
2016	UPUGVT.exe
1172	spoolsv.exe
1172	spoolsv.exe
2604	explorer.exe
2604	explorer.exe
1768	icsys.icn.exe
1768	icsys.icn.exe
2080	explorer.exe
2080	explorer.exe
2964	RXLFSQ.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2876	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	28
PID 860 wrote to memory of 2876	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	28
PID 860 wrote to memory of 2876	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	28
PID 860 wrote to memory of 2876	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	28
PID 860 wrote to memory of 2684	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	29
PID 860 wrote to memory of 2684	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	29
PID 860 wrote to memory of 2684	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	29
PID 860 wrote to memory of 2684	860	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	29
PID 2684 wrote to memory of 2604	2684	icsys.icn.exe	30
PID 2684 wrote to memory of 2604	2684	icsys.icn.exe	30
PID 2684 wrote to memory of 2604	2684	icsys.icn.exe	30
PID 2684 wrote to memory of 2604	2684	icsys.icn.exe	30
PID 2876 wrote to memory of 2016	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	31
PID 2876 wrote to memory of 2016	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	31
PID 2876 wrote to memory of 2016	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	31
PID 2876 wrote to memory of 2016	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	31
PID 2604 wrote to memory of 2656	2604	explorer.exe	32
PID 2604 wrote to memory of 2656	2604	explorer.exe	32
PID 2604 wrote to memory of 2656	2604	explorer.exe	32
PID 2604 wrote to memory of 2656	2604	explorer.exe	32
PID 2656 wrote to memory of 2980	2656	spoolsv.exe	33
PID 2656 wrote to memory of 2980	2656	spoolsv.exe	33
PID 2656 wrote to memory of 2980	2656	spoolsv.exe	33
PID 2656 wrote to memory of 2980	2656	spoolsv.exe	33
PID 2876 wrote to memory of 2964	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	34
PID 2876 wrote to memory of 2964	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	34
PID 2876 wrote to memory of 2964	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	34
PID 2876 wrote to memory of 2964	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	34
PID 2980 wrote to memory of 1172	2980	svchost.exe	35
PID 2980 wrote to memory of 1172	2980	svchost.exe	35
PID 2980 wrote to memory of 1172	2980	svchost.exe	35
PID 2980 wrote to memory of 1172	2980	svchost.exe	35
PID 2980 wrote to memory of 268	2980	svchost.exe	36
PID 2980 wrote to memory of 268	2980	svchost.exe	36
PID 2980 wrote to memory of 268	2980	svchost.exe	36
PID 2980 wrote to memory of 268	2980	svchost.exe	36
PID 2016 wrote to memory of 1468	2016	UPUGVT.exe	38
PID 2016 wrote to memory of 1468	2016	UPUGVT.exe	38
PID 2016 wrote to memory of 1468	2016	UPUGVT.exe	38
PID 2016 wrote to memory of 1468	2016	UPUGVT.exe	38
PID 2016 wrote to memory of 1768	2016	UPUGVT.exe	39
PID 2016 wrote to memory of 1768	2016	UPUGVT.exe	39
PID 2016 wrote to memory of 1768	2016	UPUGVT.exe	39
PID 2016 wrote to memory of 1768	2016	UPUGVT.exe	39
PID 1768 wrote to memory of 2080	1768	icsys.icn.exe	40
PID 1768 wrote to memory of 2080	1768	icsys.icn.exe	40
PID 1768 wrote to memory of 2080	1768	icsys.icn.exe	40
PID 1768 wrote to memory of 2080	1768	icsys.icn.exe	40
PID 2876 wrote to memory of 2400	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	41
PID 2876 wrote to memory of 2400	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	41
PID 2876 wrote to memory of 2400	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	41
PID 2876 wrote to memory of 2400	2876	neas.13d37451cb332802b88bd5684f8a9f90.exe	41
PID 2400 wrote to memory of 2260	2400	cmd.exe	43
PID 2400 wrote to memory of 2260	2400	cmd.exe	43
PID 2400 wrote to memory of 2260	2400	cmd.exe	43
PID 2400 wrote to memory of 2260	2400	cmd.exe	43
PID 2964 wrote to memory of 1732	2964	RXLFSQ.exe	47
PID 2964 wrote to memory of 1732	2964	RXLFSQ.exe	47
PID 2964 wrote to memory of 1732	2964	RXLFSQ.exe	47
PID 2964 wrote to memory of 1732	2964	RXLFSQ.exe	47

C:\Users\Admin\AppData\Local\Temp\NEAS.13d37451cb332802b88bd5684f8a9f90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.13d37451cb332802b88bd5684f8a9f90.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860
- \??\c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe
  c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe
    "C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - \??\c:\users\admin\appdata\local\temp\upugvt.exe
      c:\users\admin\appdata\local\temp\upugvt.exe
      4⤵
      Executes dropped EXE
      PID:1468
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1768
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
- - C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1068
      4⤵
      Loads dropped DLL
      Program crash
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn CIJRTX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn CIJRTX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:2260
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2656
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
      - C:\Windows\SysWOW64\at.exe
        
        at 04:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\neas.13d37451cb332802b88bd5684f8a9f90.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
C:\Users\Admin\AppData\Local\Temp\upugvt.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
89648ad1fac7ce99328ac897edeb9411

SHA1
a1ae5a1b178eb072432ce998fa76994a79ae4474

SHA256
33d5d2a063d852984a2d746f5e3de2454a104111d6804b2b7d603ef865ae0619

SHA512
217143621fb5e669d498ba545e50015df68a707f20fe1b12d715c97f9da05f5c1c12a541bcc6a73aa83988303ab4181a23d71a54fea0d54950c090af56b2ec55

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
dd7e028b32fb4994c27519996f247ac8

SHA1
30aba255932a3103e298e0630d6ead0e99c6c37d

SHA256
8b6bb07f6d1ec200ef75142d74c002d012383b1842cd4dc68c65baf67acec393

SHA512
595cf994f3193157d5877715c7649a9e4975a8684db1e562e4801172643e161b3b5d3925b94c9a249276d49af787b9d28c0447ea0eece0e8dd0d48199a24d510

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
\??\c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
\??\c:\users\admin\appdata\local\temp\upugvt.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
dd7e028b32fb4994c27519996f247ac8

SHA1
30aba255932a3103e298e0630d6ead0e99c6c37d

SHA256
8b6bb07f6d1ec200ef75142d74c002d012383b1842cd4dc68c65baf67acec393

SHA512
595cf994f3193157d5877715c7649a9e4975a8684db1e562e4801172643e161b3b5d3925b94c9a249276d49af787b9d28c0447ea0eece0e8dd0d48199a24d510

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\neas.13d37451cb332802b88bd5684f8a9f90.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
\Users\Admin\AppData\Local\Temp\upugvt.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\Temp\upugvt.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
aaf743b1e8e99062c4fc2eb113f717a0

SHA1
67eb8ab8cee5974b552e132a27aad3320379c1a2

SHA256
51a54ca0804455e52ab783566c667ff586b5f8b97b352c9aef5a5419e02d3f54

SHA512
a8e3b3c2d8eff9e1512526500709825d4cb751348f861e011dd3a30a5c06ee01ecb7c95faa68ee98e9a6a01deddcde77fca6a92bf066edef71a1df0d4ef4fb7a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
bf4f7e45d605ee5f47ac6e713c96c1d7

SHA1
36da454f2e5f1638a0d7f318270ac3b217f95a42

SHA256
49607c959f29feed63e363847d93d0f9c6daf196d6ea1752f719584a468c43a9

SHA512
70856471e46ecb4ab175be65187bf890bc0b6d38952bdb21ca96639d691d53436f14d31286e855c9b6b356009e66f3a1d9c2ad72b048b590183fc7f8c8027652

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
dd7e028b32fb4994c27519996f247ac8

SHA1
30aba255932a3103e298e0630d6ead0e99c6c37d

SHA256
8b6bb07f6d1ec200ef75142d74c002d012383b1842cd4dc68c65baf67acec393

SHA512
595cf994f3193157d5877715c7649a9e4975a8684db1e562e4801172643e161b3b5d3925b94c9a249276d49af787b9d28c0447ea0eece0e8dd0d48199a24d510

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
dd7e028b32fb4994c27519996f247ac8

SHA1
30aba255932a3103e298e0630d6ead0e99c6c37d

SHA256
8b6bb07f6d1ec200ef75142d74c002d012383b1842cd4dc68c65baf67acec393

SHA512
595cf994f3193157d5877715c7649a9e4975a8684db1e562e4801172643e161b3b5d3925b94c9a249276d49af787b9d28c0447ea0eece0e8dd0d48199a24d510

Download Submit
memory/860-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-22-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/860-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-146-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1768-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-139-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/2080-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-92-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2684-38-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/2684-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-43-0x0000000004190000-0x00000000041D0000-memory.dmp

Filesize
256KB

Download
memory/2876-102-0x0000000003990000-0x00000000039DE000-memory.dmp

Filesize
312KB

Download
memory/2876-64-0x0000000004190000-0x00000000041D0000-memory.dmp

Filesize
256KB

Download
memory/2876-50-0x0000000004190000-0x00000000041D0000-memory.dmp

Filesize
256KB

Download
memory/2964-155-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2964-156-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2964-157-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2964-158-0x0000000005CC0000-0x0000000005CC2000-memory.dmp

Filesize
8KB

Download
memory/2964-159-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2964-112-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2964-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2964-116-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2964-135-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2964-164-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download