3aa1de50ef1ad0cd07e7b0beb870162474522685c67187b2d62f94977c2b6ad7

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f749a8cc9c570d1c61feafe433b1e6f.exe
Size

381KB
MD5

4f749a8cc9c570d1c61feafe433b1e6f
SHA1

39c1be99061596587ef547b248edf0298cba9dec
SHA256

3aa1de50ef1ad0cd07e7b0beb870162474522685c67187b2d62f94977c2b6ad7
SHA512

96e87da556e04e07476e8ee94cc1ba73985fe0f29e00d24b92ac201ce8f1ca6e390cb3760b2aeb34d920390ea54fb61673613a9a05036b973867c68cdd4e812c
SSDEEP

3072:q+AEoOscDUWpXfgp9ZglH5u3goLM+i/+d9AlNkOhDNHEZ8Vjzg2fYG2lO/BZ:qVexpPgsuQkM+igArXhVke

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zk0FmCPa.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zk0FmCPa.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zk0FmCPa.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zk0FmCPa.exe"	4f749a8cc9c570d1c61feafe433b1e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zk0FmCPa.exe"	winlogon.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001223a-2.dat	acprotect
behavioral1/files/0x0006000000016cc5-83.dat	acprotect
behavioral1/files/0x0006000000016c98-51.dat	acprotect
behavioral1/files/0x0006000000016c98-50.dat	acprotect
behavioral1/files/0x0006000000016c7d-29.dat	acprotect

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe

Loads dropped DLL 13 IoCs

pid	Process
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2300	winlogon.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2304	smss.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2900	service.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2628	lsass.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\8UMb402zi = "C:\\Windows\\UMb402spawn.cmd"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\8UMb402zi = "C:\\Windows\\UMb402spawn.cmd"	4f749a8cc9c570d1c61feafe433b1e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\8UMb402zi = "C:\\Windows\\UMb402spawn.cmd"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\8UMb402zi = "C:\\Windows\\UMb402spawn.cmd"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\8UMb402zi = "C:\\Windows\\UMb402spawn.cmd"	service.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	winlogon.exe
File opened (read-only)	\??\s:	winlogon.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\q:	service.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\n:	lsass.exe
File opened (read-only)	\??\t:	lsass.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\m:	service.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\v:	lsass.exe
File opened (read-only)	\??\n:	winlogon.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\h:	service.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\z:	service.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\r:	lsass.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\q:	lsass.exe
File opened (read-only)	\??\y:	lsass.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\i:	service.exe
File opened (read-only)	\??\p:	service.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\i:	lsass.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\t:	service.exe
File opened (read-only)	\??\m:	lsass.exe
File opened (read-only)	\??\w:	winlogon.exe
File opened (read-only)	\??\y:	service.exe
File opened (read-only)	\??\p:	lsass.exe
File opened (read-only)	\??\l:	service.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\x:	service.exe
File opened (read-only)	\??\h:	lsass.exe
File opened (read-only)	\??\m:	winlogon.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\u:	lsass.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\n:	service.exe
File opened (read-only)	\??\s:	lsass.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\t:	winlogon.exe
File opened (read-only)	\??\u:	winlogon.exe
File opened (read-only)	\??\x:	winlogon.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\e:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2k0FmCP\smss.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\dLEFkU243.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\zk0FmCPa.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP	service.exe
File created	C:\Windows\SysWOW64\dLEFkU243.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\zk0FmCPa.exe	winlogon.exe
File created	C:\Windows\SysWOW64\2k0FmCP\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\dLEFkU243.exe	smss.exe
File created	C:\Windows\SysWOW64\zk0FmCPa.exe	smss.exe
File created	C:\Windows\SysWOW64\2k0FmCP\smss.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\dLEFkU243.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\dLEFkU243.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\dLEFkU243.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\dLEFkU243.exe	service.exe
File created	C:\Windows\SysWOW64\2k0FmCP\lsass.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP\lsass.exe	service.exe
File created	C:\Windows\SysWOW64\2k0FmCP\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dLEFkU243.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dLEFkU243.exe	smss.exe
File created	C:\Windows\SysWOW64\dLEFkU243.exe	service.exe
File created	C:\Windows\SysWOW64\zk0FmCPa.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\zk0FmCPa.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP	smss.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\zk0FmCPa.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP	lsass.exe
File created	C:\Windows\SysWOW64\2k0FmCP\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\zk0FmCPa.exe	lsass.exe
File created	C:\Windows\SysWOW64\zk0FmCPa.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\2k0FmCP\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\zk0FmCPa.exe	service.exe
File created	C:\Windows\SysWOW64\zk0FmCPa.exe	lsass.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\UMb402\winlogon.exe	service.exe
File created	C:\Windows\UMb402\service.exe	service.exe
File created	C:\Windows\UMb402spawn.cmd	lsass.exe
File created	C:\Windows\UMb402\winlogon.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\UMb402\winlogon.exe	smss.exe
File opened for modification	C:\Windows\UMb402spawn.cmd	service.exe
File opened for modification	C:\Windows\UMb402	lsass.exe
File created	C:\Windows\UMb402spawn.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\UMb402\service.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\UMb402spawn.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\UMb402	winlogon.exe
File created	C:\Windows\UMb402\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\UMb402spawn.cmd	smss.exe
File opened for modification	C:\Windows\UMb402	service.exe
File created	C:\Windows\UMb402\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\UMb402spawn.cmd	lsass.exe
File opened for modification	C:\Windows\UMb402\service.exe	winlogon.exe
File created	C:\Windows\UMb402\service.exe	lsass.exe
File opened for modification	C:\Windows\UMb402\service.exe	smss.exe
File opened for modification	C:\Windows\UMb402	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\UMb402spawn.cmd	winlogon.exe
File created	C:\Windows\UMb402spawn.cmd	service.exe
File opened for modification	C:\Windows\UMb402spawn.cmd	winlogon.exe
File created	C:\Windows\UMb402spawn.cmd	smss.exe
File opened for modification	C:\Windows\UMb402\winlogon.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\UMb402	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2512	4f749a8cc9c570d1c61feafe433b1e6f.exe
2300	winlogon.exe
2304	smss.exe
2900	service.exe
2628	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2300	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	18
PID 2512 wrote to memory of 2300	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	18
PID 2512 wrote to memory of 2300	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	18
PID 2512 wrote to memory of 2300	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	18
PID 2512 wrote to memory of 2304	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	17
PID 2512 wrote to memory of 2304	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	17
PID 2512 wrote to memory of 2304	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	17
PID 2512 wrote to memory of 2304	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	17
PID 2512 wrote to memory of 2900	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	16
PID 2512 wrote to memory of 2900	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	16
PID 2512 wrote to memory of 2900	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	16
PID 2512 wrote to memory of 2900	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	16
PID 2512 wrote to memory of 2628	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	15
PID 2512 wrote to memory of 2628	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	15
PID 2512 wrote to memory of 2628	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	15
PID 2512 wrote to memory of 2628	2512	4f749a8cc9c570d1c61feafe433b1e6f.exe	15

C:\Users\Admin\AppData\Local\Temp\4f749a8cc9c570d1c61feafe433b1e6f.exe
"C:\Users\Admin\AppData\Local\Temp\4f749a8cc9c570d1c61feafe433b1e6f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\2k0FmCP\lsass.exe
  C:\Windows\system32\2k0FmCP\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\UMb402\service.exe
  C:\Windows\UMb402\service.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Windows\SysWOW64\2k0FmCP\smss.exe
  C:\Windows\system32\2k0FmCP\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Windows\UMb402\winlogon.exe
  C:\Windows\UMb402\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agl4200.tmp

Filesize
13KB

MD5
64dee1a369efce9bec065b45ee8c50f7

SHA1
76348041086abf2344b8644070a9d988fccbe92b

SHA256
1a330b77748957f4067e7ef5b6981fadd6abecfa6f7bcedd394c86724a5e6842

SHA512
68b61297e743913e73f169f3c2fde7ae86177d4a4b76a469a0fa091b16ab5033fcce75fcd180cba37e0b2782c527217ea364e4d4555dc851a94500e4567efe7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd

Filesize
11KB

MD5
8970dc8575db2ad84ed3ee7d75c2f8ba

SHA1
fcf9453c06c040bbf8414113277933d4ccf33b4e

SHA256
5cf132448e4bab17e5522b2c26cb41913b194633ea2ef36b8a8812c24adc97b5

SHA512
2ed0e45ae475ee14bd28fa71c262075197887731dd513d52ae8f72015d2a0d33cc437c8790ef9c941bcd8b964f10fe725a575fd057ce2a169f06bb9bb64d82ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd

Filesize
21KB

MD5
108827dba4f8b9954ef3a0fab772ba99

SHA1
d8c132b05e4ed34f245dfe1f37ec2f425a9e7eb6

SHA256
addc21b62e82406db36cdb4c4ecd6547fdb204a30569bb14491697a0a5c31697

SHA512
27d22557f07e6451f3e2281ee1630d5c3836a74e8a596c5ec295cf5582cafd9bdb71b10e6fcfe68f5694e20fee6552e4349ceca4fd0384b88e7c5ede1a68051a

Download Submit
C:\Users\Admin\Documents\about.html

Filesize
20B

MD5
5cc81d0fd525bf36d577d728572897aa

SHA1
5d12dac12a51d3ecd95d9c4a97ac3209f14eb3c4

SHA256
fb27201058302a5f6b9dd225cf5e53ecf5d0194803b16f9db5d9801efa4eab4f

SHA512
836723eea940f3eb357bb9bc9a8ba26e3749dabecc432c76c027a0f400c69726b8a4f31c8cd4aabff3d546d57ef71d126236103113e6b58f558ba155fe3ad951

Download Submit
C:\Windows\SysWOW64\2k0FmCP\lsass.exe

Filesize
47KB

MD5
fee2e604fedb5773701518c387094d99

SHA1
16f2042051b7f67e757958afd704babe8fe78d15

SHA256
90505f37ed2da22bc228e6e69a1f8014eb581fe82cfceeae457b6d878c02ce87

SHA512
f85594fefdd8d8845f4fc1a305aa049675e1eb5ca2f14962f3715ecbbbad826935b6c5ddf56f30a38cafb4add0fae8131241bfa206967ed1cea83d3f0ea61276

Download Submit
C:\Windows\SysWOW64\2k0FmCP\lsass.exe

Filesize
14KB

MD5
18bdd1af8f6732d208578239aa1ad58e

SHA1
1ab1710b9b9fb82369989ee7a78eeeaf0c6a9b61

SHA256
e539f2d55778ca7473e0122c1a28ea3d3a029ae36d50864ea37663ccfbcb20e4

SHA512
401ec4e571477961246d86b54e9a7779859273bac532fb650d50222b399d87d29bacc5ed971d52cb0efcd512df96a5f24753a01b8ec7e93f388abafe723d0bb5

Download Submit
C:\Windows\SysWOW64\2k0FmCP\lsass.exe

Filesize
8KB

MD5
a1be96839e9473529e09ab46b2922cae

SHA1
9050b07e1d814ef23b0af3ad431fe31798ef979d

SHA256
a8e39c5cf29919a66bfd55ab85826cd0da91cfc304272bc21717d5bb12f7ed58

SHA512
97de955000392f18749b49d427b5a30197b6ef398152f5634189af53e3e9483d7baeec04b4157a9419bd10f78d3151427a32dc785ac78abec3aad6c1fe301179

Download Submit
C:\Windows\SysWOW64\2k0FmCP\smss.exe

Filesize
10KB

MD5
0f530ebb60fb8579983620af6c4b1e25

SHA1
59d9d02f79d6fedf280b0fa652a9214adc3e9e5a

SHA256
e13a6136c7f6eb06a4625ebdd7dda9305d7a77eb665080bdc7ad694ad8d70290

SHA512
115bd3c4a89a0b8543fda5a90b6b03c93ca515707ed7f9f848914a6490ec3c548f41d517d392aa3d3e64bd1d797bff6a0a189916eccdb5d8edfe1c678f28fe34

Download Submit
C:\Windows\SysWOW64\2k0FmCP\smss.exe

Filesize
32KB

MD5
86edbbdecf41265f1263f99d2df1a875

SHA1
8aec6d442dfb95d5365115723e79260072d45264

SHA256
74db93050ade090e169559a69b42c6e20a154e2c07ddd98f20ace93dac974e97

SHA512
4535e9da826b6de22abbacaa3635d7660d00cfa7659a3230bf458527ac3f416da3f1eec1e0d43ca65407238d85a182e184c40a583c247245ff974299dbca13cd

Download Submit
C:\Windows\SysWOW64\dLEFkU243.exe

Filesize
57KB

MD5
c2456bb6da0787e76f93d8fb44c38696

SHA1
657109ed043acd434e9bd7ab1993c174d822343b

SHA256
7d5a1d2ca16626a827f03dbfa81e281222a40a06da57bc0306eaf2e59798d58d

SHA512
882a4e1ea5f54c685f7b7e14e66ea60f7681ae2a48c0b2c4dd30068e510cea6fa9192a5f969091a92a39e4b793f570f1ebe1aeff60c393492916de0fa05ba02c

Download Submit
C:\Windows\SysWOW64\zk0FmCPa.exe

Filesize
7KB

MD5
350635f4dae12ce029544019e1ea4fdd

SHA1
fbda16edbb1d273ff13491939ac3f345ce0c49f8

SHA256
04bdee5c48b0fb56976a9968e3300bd1f2b09e41cb7312543f72e6a062bbac5a

SHA512
6566b951a6cadb10942fbf0c2abd80a63622231c0a32c0c51823426a841dfdcac2e6362fc20fcfea5eeb7b1263aeaac74f33652ac731fdedfa2b8e3e7a45ecad

Download Submit
C:\Windows\UMb402\service.exe

Filesize
17KB

MD5
07065b8c4f56680a1ecc8e92aa1a1379

SHA1
bb5906a3f0bf692239c1cf06708d68ef5b2a1990

SHA256
4a40838691d6f1a67459567d9cc80093584c5136085ad36540fdec10d4942cec

SHA512
2fea9f1aa03b66e4f91fd646aee3238c81b64fffcdf93c75cc39558b2269493fb8f26c689d5c472525681439c7ee564057497fed70d2eb7a33aab5915beec3c8

Download Submit
C:\Windows\UMb402\service.exe

Filesize
28KB

MD5
2d7c66e1e1031be7a70dea65ebc5cf3d

SHA1
1a413c4a8848b05762c9a2d361fc3cb2c9d09e53

SHA256
df83e8fbbb4e91684dd7ce9ba14e66e3be2870d907195231e2a6998db9b79644

SHA512
1125ed589bd8a9b5a1eacc049bc637d9aa00d0516c3f28284f7e321f9d1f7eff7c81fc4d7eba9920dd8477c4c9e852e8241cd048877075881078f8cd6379c61f

Download Submit
C:\Windows\UMb402\winlogon.exe

Filesize
8KB

MD5
1bfefc65984785111dfb4a5f8ecb7257

SHA1
0c4ce77fe5893a6886c80ddbe6b49a73cb99c05c

SHA256
2c1006fb9e9b1e3a5eeb4a2afc8e4677337e78ee3b030a7af11c79abc713e02c

SHA512
d6e037a7dd6e143d8220de50c8e396bbaec83249360ec16cbdf2172fa40e92d96d6ed41e4fbb696ad0c4dc85667e0f9b3f8e2192f4d072b6bf781c45905de25d

Download Submit
\Users\Admin\AppData\Local\Temp\agl4200.tmp

Filesize
30KB

MD5
ad6e09c1a18918dbf52b3c4de8fdb733

SHA1
1402cad5b9fd14a13e13e7425a204571d1601020

SHA256
83a0422ab05e4ac0815e21f8db168b31604388b928ef024d62703398161ca497

SHA512
044123fd3f528c797873f0f09d3b9566fc2675369b0f5355a50cd3e3ead22c7ba91be330f787d7bfc728f823640b2022320ad83accf828b724ef767243bf30a9

Download Submit
\Users\Admin\AppData\Local\Temp\kgl4164.tmp

Filesize
15KB

MD5
1e6b21ed93dc4a1d60a8791ecb576687

SHA1
d12af8cc7d74b3305d27519bdb2718e4d8998739

SHA256
b2898f34b7cdbb412afbace3ca4b58a43fabb55c8e92e2f0aba3d1c40c1e232b

SHA512
92d1443cf66e0cdb57882aab9010f203309d2eda53b479f403df4baf156ccde1cdd7c02b72a72b1abfe5d2803fd6d08a909d45afa4a2d32933859eae9e13f63f

Download Submit
\Users\Admin\AppData\Local\Temp\pgl4099.tmp

Filesize
48KB

MD5
9975c648c46cd65afcf2bbb96259a61a

SHA1
86d5484da8ce8bec69e4bc72c7d49fca4dac2e7d

SHA256
b3e05888a79b43065243ef55ab34956d876f6cf78c88a97242550fa69da45b4d

SHA512
b6e253ae13efba70b39dabfe469b0d58b91cd5a220ade5af8f0baceeffe1384f720903bcf18260dfa92eec5771de7522724d67c2088e0254f2b188933cd86a94

Download Submit
\Users\Admin\AppData\Local\Temp\xgl42EA.tmp

Filesize
3KB

MD5
cf1dc75f5cd63b958761bef669374668

SHA1
3019569f33a40cbc02a9894cd5c07f0d1f782534

SHA256
a4e497c49e79318e05f3e4c3914f55016a651494c65a9d42825c182c164d46cc

SHA512
43e6b049aeb47116c577aedda4e0adbeb51105cb4838697beff5ffe736cfa12f024f54c601e00d55e0e54b32767f9b0bad27903cba8f1daba7c8ae66558a574c

Download Submit
\Windows\SysWOW64\2k0FmCP\lsass.exe

Filesize
20KB

MD5
7aef4d33bfacdf24360d04ea47742a4b

SHA1
34e03986a7e1db17299d31ba7668f6f90ad847a0

SHA256
fb421b6c2f2b448680177844447fec7369c5b4888bdaee04f38987f08cd9575b

SHA512
6a75dbad7639457e687c635cbd87f025af7be94fc3a4bcdeff0543c08b5003043eb32aca81e356205a8ff4b7e23b43931f634701f8383c7299fac39ef088060c

Download Submit
\Windows\SysWOW64\2k0FmCP\smss.exe

Filesize
19KB

MD5
0e92919af126f35f0110589f06214864

SHA1
2f28d6d0dfdd38201c5d0bc447e6e3021c208761

SHA256
be6616b97a0a75cdcaf5d92d3cfa34a2e5a0bb1f10231874f32eacfadfdf400d

SHA512
a3cdb3d29bda4901b9b2cc2172ea19b491a1128b0d1e9fa27720dfb8e4156a3b486bf43451e41a4fcfd97e394c976a14229c85adbee48ff53dc40009336d1347

Download Submit
\Windows\UMb402\service.exe

Filesize
24KB

MD5
072bdf790f121b206c5fcbf246b6172e

SHA1
f895fe8d7eaf888ef8e3d8610165483552e79417

SHA256
0619cd0deb1f8cca9ccec2c8aaa50756590b9925543e3bbea50b23a308d39275

SHA512
de92e6239e313d1446ca554a787d8e893f291a185154c59bc1ee42d10d9ab55b9d86d4de1ff4f8500dd3152e720000d1cfe1d60d316aad6dc9ee2a4f69c1b068

Download Submit
\Windows\UMb402\winlogon.exe

Filesize
1KB

MD5
027fe61f4a2bc4a8940a5bf990750312

SHA1
44ea4295caffc5e67ad8c972ac05f32264c703c5

SHA256
08b1b9fce5784d2e97682883e229d0b8ffc946bd37acf4c95c38babc49c3a708

SHA512
df956bf453adab1a2485f8faa70a6df31c29f18efff234bb0c787253106c8435fcde0128a2da70081539d5123ad5c7bc2c187bb6a244b0cdbaae7780793aa6ef

Download Submit
\Windows\UMb402\winlogon.exe

Filesize
31KB

MD5
d10bb80ec3aaee7a75d2079ac9db3c45

SHA1
a54e94f5614e9fe96ad26b28f8075a368541bd9f

SHA256
42db34094a6951997eaa54b221f766469dafa5878a9acdfb43d197cc166ff871

SHA512
f1f0c6e4f6c106486d5f22fc5490392ef85930dcdf605f4e7ec579c19715702e8c3c21b84d4ca5797f2246146268cb38faa0f9cfb900ca92471c83ce6e0e835f

Download Submit
memory/2300-31-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2300-92-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2300-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2304-53-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2304-93-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2512-67-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2512-65-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2512-25-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2512-90-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2512-91-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-18-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2512-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-49-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2512-4-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2628-86-0x0000000001BA0000-0x0000000001C13000-memory.dmp

Filesize
460KB

Download
memory/2628-95-0x0000000001BA0000-0x0000000001C13000-memory.dmp

Filesize
460KB

Download
memory/2900-77-0x0000000000290000-0x0000000000303000-memory.dmp

Filesize
460KB

Download