Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
03/11/2023, 17:12
Static task
static1
Behavioral task
behavioral1
Sample
cloud.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
cloud.exe
Resource
win10v2004-20231023-en
General
-
Target
cloud.exe
-
Size
973KB
-
MD5
27a074cd4f7908bbc73efd5262351449
-
SHA1
d38bb4aa05392cab9db0576a91b1c70c165a9e20
-
SHA256
6eec926e1e70542a355a8be392a4d948610adcce4faa7484e551d4cea5f8f0b1
-
SHA512
5e77b0035ba065e27eba2295fe88303042a34132a499169b7f623f4e0fdbeb40b8dc31cc4185c586198558adb11f67e573168791587f8e5fb593812bc2a1b045
-
SSDEEP
24576:thHQR/5alj3DSudvGM3MXTVhtSQWGtxVR/Db:thHQV5oBdqTDtSQWGtfVDb
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
pid   Process
1316  ylqivlpbmf.exe
2308  laznflcvnk.exe
2680  SearchUserHost.exe
1344  Explorer.EXE
2544  cloud.exe
836   bindsvc.exe
-
Loads dropped DLL 14 IoCs
pid   Process
1272  cloud.exe
1272  cloud.exe
1272  cloud.exe
1272  cloud.exe
2628  SearchIndexer.exe
2628  SearchIndexer.exe
2628  SearchIndexer.exe
2680  SearchUserHost.exe
1316  ylqivlpbmf.exe
2308  laznflcvnk.exe
2308  laznflcvnk.exe
2100  SearchProtocolHost.exe
2632  SearchProtocolHost.exe
1128  SearchFilterHost.exe
-
resource | yara_rule
behavioral1/files/0x0027000000018696-13.dat | upx
behavioral1/memory/1272-15-0x00000000021D0000-0x000000000234A000-memory.dmp | upx
behavioral1/files/0x0027000000018696-16.dat | upx
behavioral1/files/0x0027000000018696-22.dat | upx
behavioral1/files/0x0027000000018696-21.dat | upx
behavioral1/files/0x0027000000018696-19.dat | upx
behavioral1/memory/2308-28-0x0000000001300000-0x000000000147A000-memory.dmp | upx
behavioral1/memory/2308-158-0x0000000001300000-0x000000000147A000-memory.dmp | upx
behavioral1/files/0x0007000000018b6f-160.dat | upx
-
Drops file in System32 directory 11 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\racfg.exe | laznflcvnk.exe
File created | C:\Windows\SysWOW64\bindsvc.exe | laznflcvnk.exe
File created | C:\Windows\system32\SearchUserHost.exe | SearchIndexer.exe
File created | C:\Windows\System32\bindsvc.exe | laznflcvnk.exe
File created | C:\Windows\SysWOW64\wideshut.exe | laznflcvnk.exe
File created | C:\Windows\SysWOW64\wimsvc.exe | laznflcvnk.exe
File opened for modification | C:\Windows\system32\SearchUserHost.exe | SearchIndexer.exe
File created | C:\Windows\system32\oci.dll | laznflcvnk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\SysWOW64\wideshut.exe | laznflcvnk.exe
File created | C:\Windows\system32\msfte.dll | laznflcvnk.exe
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
916   sc.exe
2248  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid   Process
1044  tasklist.exe
2904  tasklist.exe
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid   Process
2584  NETSTAT.EXE
3024  ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid   Process
1184  systeminfo.exe
-
Modifies data under HKEY_USERS 64 IoCs
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
1008  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
2628  SearchIndexer.exe
2628  SearchIndexer.exe
2680  SearchUserHost.exe
2904  tasklist.exe
2904  tasklist.exe
2308  laznflcvnk.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
2680  SearchUserHost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1344  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeManageVolumePrivilege | 2628 | SearchIndexer.exe
Token: 33 | 2628 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2628 | SearchIndexer.exe
Token: SeDebugPrivilege | 2904 | tasklist.exe
Token: SeDebugPrivilege | 2584 | NETSTAT.EXE
Token: SeDebugPrivilege | 1044 | tasklist.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
Token: SeDebugPrivilege | 2680 | SearchUserHost.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\System32\smss.exe (PID 260)
  Command line: \SystemRoot\System32\smss.exe
- C:\Windows\Explorer.EXE (PID 1344)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
  - C:\Users\Admin\AppData\Local\Temp\cloud.exe (PID 1272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cloud.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ylqivlpbmf.exe (PID 1316)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ylqivlpbmf.exe" "C:\Users\Admin\AppData\Local\Temp\qaupvjaxdz.exe" "C:\Users\Admin\AppData\Local\Temp\cloud.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cloud.exe (PID 2544)
        Command line: "C:\Users\Admin\AppData\Local\Temp\cloud.exe"
        Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\laznflcvnk.exe (PID 2308)
      Command line: C:\Users\Admin\AppData\Local\Temp\laznflcvnk.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\System32\cmd.exe (PID 1604)
        Command line: /c sc config msdtc obj= LocalSystem
        - C:\Windows\system32\sc.exe (PID 916)
          Command line: sc config msdtc obj= LocalSystem
          Signatures: Launches sc.exe
      - C:\Windows\system32\cmd.exe (PID 2288)
        Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\lDmOJkVR.bat"
      - C:\Windows\System32\bindsvc.exe (PID 836)
        Command line: "C:\Windows\System32\bindsvc.exe"
        Signatures: Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe (PID 2628)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Loads dropped DLL; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SearchUserHost.exe (PID 2680)
    Command line: C:\Windows\system32\SearchUserHost.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 996)
      Command line: /c systeminfo
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\systeminfo.exe (PID 1184)
        Command line: systeminfo
        Signatures: Gathers system information
    - C:\Windows\system32\cmd.exe (PID 1972)
      Command line: /c "tasklist /v"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 2904)
        Command line: tasklist /v
        Signatures: Enumerates processes with tasklist; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 1596)
      Command line: /c "netstat -ano"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\NETSTAT.EXE (PID 2584)
        Command line: netstat -ano
        Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2324)
      Command line: /c "ipconfig /all"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\ipconfig.exe (PID 3024)
        Command line: ipconfig /all
        Signatures: Gathers network information
    - C:\Windows\system32\cmd.exe (PID 2372)
      Command line: /c "route print"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\ROUTE.EXE (PID 2264)
        Command line: route print
    - C:\Windows\system32\cmd.exe (PID 2836)
      Command line: /c "arp -a"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\ARP.EXE (PID 2344)
        Command line: arp -a
    - C:\Windows\system32\cmd.exe (PID 2180)
      Command line: /c "tasklist /m msfte.dll"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 1044)
        Command line: tasklist /m msfte.dll
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2212)
      Command line: /c "net share"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net.exe (PID 1224)
        Command line: net share
        - C:\Windows\system32\net1.exe (PID 1788)
          Command line: C:\Windows\system32\net1 share
    - C:\Windows\system32\cmd.exe (PID 1076)
      Command line: /c "ping server"
      - C:\Windows\system32\PING.EXE (PID 1008)
        Command line: ping server
        Signatures: Runs ping.exe
    - C:\Windows\system32\cmd.exe (PID 1444)
      Command line: /c "sc query hfile.sys"
      - C:\Windows\system32\sc.exe (PID 2248)
        Command line: sc query hfile.sys
        Signatures: Launches sc.exe
  - C:\Windows\system32\SearchProtocolHost.exe (PID 2100)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2084844033-2744876406-2053742436-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2084844033-2744876406-2053742436-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\SearchFilterHost.exe (PID 1128)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 556 560 568 65536 564
    Signatures: Loads dropped DLL; Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchProtocolHost.exe (PID 2632)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Loads dropped DLL; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
51KB
MD5e48b89715bf5e4c55eb5a1fed67865d9
SHA189a287da39e14b02cdc284eb287549462346d724
SHA256c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA5124bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c
-
Filesize
244KB
MD542ec9065d9bf266ade924b066c783a56
SHA1a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77
SHA2564ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc
SHA512e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980
-
Filesize
244KB
MD542ec9065d9bf266ade924b066c783a56
SHA1a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77
SHA2564ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc
SHA512e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980
-
Filesize
291KB
MD57c5b397fb54d5aa06bd2a6fb99c62fee
SHA1a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c
-
Filesize
291KB
MD57c5b397fb54d5aa06bd2a6fb99c62fee
SHA1a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179