8ac6ab42b1eedf46f32884f295cb91e94aa785b43e2d38adc613c4e7a536cce3

Analysis

max time kernel
26s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04f51edd6c765a44e833a13065fb3dee.exe
Size

483KB
MD5

04f51edd6c765a44e833a13065fb3dee
SHA1

26b91f0551ded7441f207c337bafd0d4752c52ca
SHA256

8ac6ab42b1eedf46f32884f295cb91e94aa785b43e2d38adc613c4e7a536cce3
SHA512

1c5ef401f645866b29cfa83c62ef95a7900f9b12c3dc87f33ba1f6504100d7bccbf5648cb1fa9b670450268d0ed624599c599e757e837d715b236c2b17500c07
SSDEEP

12288:vuEfwYdSiKMxVC3KxLOcQds0wmJcDJyhzmFx4ibhZpeV:vpdcMxVkuQXdqlypm8i9Zg

Score

10^/10

aspackv2 persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000800000001604a-79.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
2924	TABUUUUU.exe
2396	lncom.exe
2616	TABUUUUU.exe
2996	fservice.exe
3064	services.exe

Loads dropped DLL 17 IoCs

pid	Process
1880	04f51edd6c765a44e833a13065fb3dee.exe
1880	04f51edd6c765a44e833a13065fb3dee.exe
2924	TABUUUUU.exe
2924	TABUUUUU.exe
2924	TABUUUUU.exe
1880	04f51edd6c765a44e833a13065fb3dee.exe
1880	04f51edd6c765a44e833a13065fb3dee.exe
2616	TABUUUUU.exe
2396	lncom.exe
2396	lncom.exe
2396	lncom.exe
2996	fservice.exe
3064	services.exe
3064	services.exe
2996	fservice.exe
2396	lncom.exe
2840	DllHost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015df8-16.dat	upx
behavioral1/memory/2924-18-0x00000000079A0000-0x0000000007B9C000-memory.dmp	upx
behavioral1/files/0x0008000000015df8-19.dat	upx
behavioral1/files/0x0008000000015df8-21.dat	upx
behavioral1/files/0x0008000000015df8-33.dat	upx
behavioral1/memory/2396-35-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/files/0x0008000000015ea1-64.dat	upx
behavioral1/files/0x0008000000015ea1-60.dat	upx
behavioral1/files/0x0008000000015ea1-66.dat	upx
behavioral1/files/0x0008000000015ea1-65.dat	upx
behavioral1/files/0x0008000000015ea1-58.dat	upx
behavioral1/memory/2996-71-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-81-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/files/0x0030000000015ca1-76.dat	upx
behavioral1/files/0x000700000001604a-70.dat	upx
behavioral1/memory/2396-84-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-86-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2996-97-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2396-106-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/files/0x0030000000015ca1-94.dat	upx
behavioral1/memory/3064-110-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-113-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-115-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-117-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-119-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-121-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-123-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-125-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-127-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-129-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-131-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-133-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/3064-135-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04f51edd6c765a44e833a13065fb3dee.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lncom_.JPG	DllHost.exe
File created	C:\Windows\SysWOW64\lncom_.JPG	TABUUUUU.exe
File created	C:\Windows\SysWOW64\fservice.exe	lncom.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	lncom.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\lncom.exe	TABUUUUU.exe
File created	C:\Windows\SysWOW64\lncom.exe	TABUUUUU.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\lncom.exe.bat	lncom.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	lncom.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	lncom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	services.exe
3064	services.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3064	services.exe
3064	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 1880 wrote to memory of 2924	1880	04f51edd6c765a44e833a13065fb3dee.exe	28
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2396	2924	TABUUUUU.exe	30
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 2924 wrote to memory of 2848	2924	TABUUUUU.exe	32
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 1880 wrote to memory of 2616	1880	04f51edd6c765a44e833a13065fb3dee.exe	33
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2616 wrote to memory of 2280	2616	TABUUUUU.exe	34
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2396 wrote to memory of 2996	2396	lncom.exe	36
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 2996 wrote to memory of 3064	2996	fservice.exe	37
PID 3064 wrote to memory of 2856	3064	services.exe	38
PID 3064 wrote to memory of 2856	3064	services.exe	38
PID 3064 wrote to memory of 2856	3064	services.exe	38
PID 3064 wrote to memory of 2856	3064	services.exe	38
PID 3064 wrote to memory of 2936	3064	services.exe	41
PID 3064 wrote to memory of 2936	3064	services.exe	41
PID 3064 wrote to memory of 2936	3064	services.exe	41
PID 3064 wrote to memory of 2936	3064	services.exe	41
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42
PID 2396 wrote to memory of 1500	2396	lncom.exe	42

C:\Users\Admin\AppData\Local\Temp\04f51edd6c765a44e833a13065fb3dee.exe
"C:\Users\Admin\AppData\Local\Temp\04f51edd6c765a44e833a13065fb3dee.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\lncom.exe
    "C:\Windows\system32\lncom.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\services.exe
        
        C:\Windows\services.exe -XP
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        6⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        7⤵
        
        PID:1768
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        6⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        7⤵
        
        PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\SysWOW64\lncom.exe.bat
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe.bat
    3⤵
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe.bat
    3⤵
    PID:2280

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.JPG

Filesize
84KB

MD5
e6b87924a6569a4677cb9071e242d618

SHA1
9455057be66031c47551b3c9b3f9d73ea0973933

SHA256
da9d9c653734483de61a90d241314f7d759cad046accf5b07205d7ccfcb1994e

SHA512
166c1e92249c05622522c500926bfbb5b005dedaedb9e0bef221c1ddbc2c7a5d7fea6d8645c1c7761857a68f97eac9b609ac6ce1e9f0494b00b24e3dfa79849b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe

Filesize
351KB

MD5
7575df2de5ebe5f82da5da52f30bbbd5

SHA1
21060e34a75583557439647ac0bdf3a7837dcd59

SHA256
814639200ac3c1d2cc8f74abe70b701a4b3af630251cd3f202bd729579201a70

SHA512
c8938809ba5c28933fb762c48b424f5a06788b8764aec7f939dd63adb9c952ca3aa267d36ecd22b783c1183fa2af60a597f8cf0af4039668d126edbd0e2ee77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe.bat

Filesize
155B

MD5
03907e1a7a8e9fbe36ab1f953a146bb2

SHA1
3c3cbffe323eca64922f1b37300139abfc06c0bc

SHA256
838bf54245fb7f3cddc2024893be63bfbfb62507ed2b678360c5023a1cac9d54

SHA512
2685c346c3cce82730459234a930f0bf02333f9fb1eee588734ea08241bcc8b3f676e53984f88aa304b311d5e672f0a5590eabd366d82a023936e35c286d0337

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
178KB

MD5
a6c5af8e3240dec8e2891341e86956fb

SHA1
5ee0e25dba770b4f24b8d89ae1156b15fed9e405

SHA256
c87e10f404b0ef87e0c1bb83271f7136f4618d53475a99b9b1eea91eac1e0507

SHA512
5678172439d33b54ec1417272da75091c466beaf847748ee4e9d74454aae7a43efc45a2c1fd3ac5a6c3f931039766182731a42242aa53d6ff704bd5aa37d61cb

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
140KB

MD5
9e7148857d0d71e956b5496a8d3c5dfd

SHA1
3016d9c854870c160268aacb54d60f34d8d5cb66

SHA256
e478c7e1b5b64875eb03b89c703d0d5260d66f87bfdfb0d224f2a22dead393b5

SHA512
b875e824891339bdcc73a14bb16161f0e808fbc2231a99fa44aaab595d36cae9e7216a5e5eae884af122ff4722d1c5ff3b50d1e23cc257ea1b750507ee841249

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
68KB

MD5
f31f95eed11ee37f055144fd5139f7e0

SHA1
141e83eadf10cf0a491501a022e0896f53e3c981

SHA256
fec3e24446b5001370f27564ff0dff5408bf4b27f7822d3361dd488ea754d318

SHA512
6ebfbd179a5426b907cc4091d18c7cc31c450ebfb2fbf41ecd62df4d3ad32363eb3479f304954322ca0a2d933847f264feda18b4ff3962d1e3d063232160a8c3

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
69KB

MD5
86dcdd2e38f2b1a9970cd21e7b2566e4

SHA1
af2b9c6b01e7e18996c0c35b77c948be1db35810

SHA256
e0fb75ff69842c28dd453692cc48470407f86040cc272c51978ad6f3072147dd

SHA512
96c2773f4dca65f87cca54cb7df227997675a1838bf5ade77b628d090ccf51f2cd0ac87b46a991fdeb98c02581002b80ed427399cde4557f5ddeb59ffb0ceb7b

Download Submit
C:\Windows\SysWOW64\lncom.exe.bat

Filesize
99B

MD5
1f73e450d92934cd37c041eb3f1ff51f

SHA1
f3e9dece5d6b7d7a0e4966c16ffe31437539d4a0

SHA256
3a57d154715459926a51a9e3925687c0c78ec9c88bc39c303b5b93385d34d67e

SHA512
5f982d614e54870ae3ad212f049ca3685602812c1bb066a5f6155e694adb994d6d1608ca7a25bcab605812c6e7e6b22817aaf0dba9e906787add9b0a8e3f32a5

Download Submit
C:\Windows\services.exe

Filesize
187KB

MD5
d39525c8035e1e869f74da47a20ad246

SHA1
d739fa66a99874ee69ef74f926828a9aa83879d4

SHA256
881b0bc558f22cf0a6184b154d982dfc7b7c88ace2b047dd3e619218df38dfde

SHA512
3f69179dbf31baf33efece0fded59a63a9b1175003d404f3bdcbaa6f8a4374a0ddca764b92f6c8aad773fdac3226b8941d77cd15c4b83a6c5906faf43e94c6ae

Download Submit
C:\Windows\services.exe

Filesize
249KB

MD5
51429e9a5f49e44344adf7e1a6acb7ea

SHA1
05976a759261d1d757aa2beb8b3c8dca9380a9bf

SHA256
65fb1f2a4a564bf19eb82793ce8009811762a0022fc35ed364a9029bff73177a

SHA512
8b5070e7d68d44c230bb3f345fc5cc06742e511adbddae1f7f0e29096def874101a7e81c25a6174e5382ec3d3fdcca4a8ca453c0123bf6b5fc92e005ae2fa6c6

Download Submit
C:\Windows\system\sservice.exe

Filesize
253KB

MD5
50f1c97009b8865971d7487b0a4be8f9

SHA1
ea93dc7f4ee2063b25fe7b3254feb127279fed45

SHA256
f799593cb8395289c096a4882f4b61f5b5f944552c2d9fe5da9fdf78855c15f7

SHA512
b16f92174701026cbf9cab1bd937a856271b380073087391dc2b64c37cecc156bd3cab6dbf84d6d3d3910e595c01afe170a0d42479c54ffe50289fa171bb705e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe

Filesize
431KB

MD5
feb46757e030a98fa38e9f692c4bbfce

SHA1
42b855d1318bb28dcfc73d00b08249e9080863ab

SHA256
ef623e384e0f276e0a1df832fc68d8273ab8d6d0e689fb018a471b86031584a7

SHA512
66cb8f77152922012f7c0a547e5c4e91da9e2a5d3e2d9d194c8907c345da857f7ccfe096f950aa4737261675a6f12dbabd123e6d074e97dc836004b20e2b0360

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe

Filesize
410KB

MD5
b2b456fe6ddea8d18943a0abc7c5b79b

SHA1
4813f43d963fd9f834a2cf390ada151ed219dc32

SHA256
a7469117b0174c78ae4e1b3f4e0db3128aea1e37416a0fe77b7b767c1b6fbdba

SHA512
49780ff8e3712d1da58ffcb4f2595fc74e5666524763b47b4847c57eb433cfb150f0e0d5596dcefeb8f934de9b349209c11187e55adeac5cd36d31874fb46797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe

Filesize
358KB

MD5
22893cd698a3698da832a47256fbfd57

SHA1
d5e0c5e4133608f620b4c8c3066856ebc02b78bd

SHA256
530932018354c1fc5766fe0d8aa0aaa8bbd23a4c5733964e1977d60c267c91e0

SHA512
696f7229c6dcbb81338f52d3e74a7c4a306f16c8f6418736c58129ddc8197cdfb20cfa8c56d1e90d5903b90b462fbb7c872ae3fa42ed4383e4e971a75444dbe0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TABUUUUU.exe

Filesize
346KB

MD5
0c847bae9475d8df5be9645fde6ff847

SHA1
d656826cf3bc0761353b6eeeff22a6c7e051e56b

SHA256
9f9167588db0a31d5cd9be242d4ac6bd7137170e16cfe4cca0649a6290aeecee

SHA512
3a475c520a7752afdf2864973a039b8ed94a1003723ac9aae1bddf4a4ab309e064a03183b5867fa2005a2126c14ccfa05dfa75e9d4f5f3ba17928ad4128e8357

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
188KB

MD5
163dddebac821e8d89360ce36f81c0a4

SHA1
44bd1789f89f49afcbe1d9fd8bb628259636cc5f

SHA256
69a220fd49d3d3ccb3026e053c8df85d96d7b73bad44629112934c1697a4d974

SHA512
ece11632efc7ae446591218bfbbe0e69aeb4a56241ed745f2c5ecd7ad522f52ed971e3cbb9787d1c3ca1d1c11730e9b68e1fcee8f74042ac1d7fac757051f269

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
136KB

MD5
05f00833bc8cafed175a7d328e6a684a

SHA1
cc17b6d1208d84993923f36f56116652e549ffcc

SHA256
3e1a914a1fef91e31afd7d3129b875edeb682a3b85b37d760ce855215761d457

SHA512
c32c4ef04a66c2335026f7d9d83ecda8026d5ced587787a31e9e6272b54c7e2ce756a3b4d5b7311744f039a7e8baa621df339ce7ad61bccb19b2b45aa3c241e3

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
220KB

MD5
4995c0de98cfcaa5b2025f541c14eb8f

SHA1
005a66fdadbf3d1b4f2d7d62198ad9aee175675b

SHA256
fac765e017872e3c8985f6579d86e71da48e321fde133cd5cdc808c1e3008447

SHA512
23c112274474aac83b96fd9b23582b79ffddd5138ec2f6267ca6ba04eeb5b9e1350c4afd7608590637e5015a8a052563845273efd1be9987af3e8a2c286f0075

Download Submit
\Windows\SysWOW64\lncom.exe

Filesize
342KB

MD5
6c02b1fdb72e1f50501053335a961e5f

SHA1
3ef7b1517ab69c99d63bdbd7ea3cd154fde1de39

SHA256
0ae9a34b85b6cc98b2aa4f593932e6e441b2001df9b989d59245e100d89ebbea

SHA512
3d96b0edf4559d8726cdddddc9349a15fae7a6248ab1047ada30fc1814ea34939493fcf678dd134b88f069c526a8c2887a4745a3a643e29d56ad4f47349fc609

Download Submit
\Windows\SysWOW64\lncom.exe

Filesize
288KB

MD5
2b8c44f37700f64be110cf0ec5e3b23c

SHA1
370132097e56cc791538693b247cfdadd6dc7fc6

SHA256
f1c5bc265a067aad90f780ca82f95c47d95e1e31ba8f3ebe282fbe37a9962449

SHA512
1340d42b26aefc17d48b8b12994af907db94cf6d5ad6ae2de6ae291183f4199fde511e559d8c7aca752a5f49a10ff9e9b4c6e4db31f73c4e010509bef324498f

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/2396-84-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2396-35-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2396-106-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2840-14-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2924-34-0x00000000079A0000-0x0000000007B9C000-memory.dmp

Filesize
2.0MB

Download
memory/2924-18-0x00000000079A0000-0x0000000007B9C000-memory.dmp

Filesize
2.0MB

Download
memory/2924-13-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/2924-36-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2996-88-0x0000000000D10000-0x0000000000F0C000-memory.dmp

Filesize
2.0MB

Download
memory/2996-97-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-67-0x0000000000D10000-0x0000000000F0C000-memory.dmp

Filesize
2.0MB

Download
memory/2996-71-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-77-0x0000000003120000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/2996-89-0x0000000003120000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/3064-113-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-117-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-83-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3064-87-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3064-86-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-112-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3064-110-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-82-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3064-115-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-81-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-119-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-121-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-123-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-125-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-127-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-129-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-131-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-133-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3064-135-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download