3aa1de50ef1ad0cd07e7b0beb870162474522685c67187b2d62f94977c2b6ad7

Analysis

max time kernel
20s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f749a8cc9c570d1c61feafe433b1e6f.exe
Size

381KB
MD5

4f749a8cc9c570d1c61feafe433b1e6f
SHA1

39c1be99061596587ef547b248edf0298cba9dec
SHA256

3aa1de50ef1ad0cd07e7b0beb870162474522685c67187b2d62f94977c2b6ad7
SHA512

96e87da556e04e07476e8ee94cc1ba73985fe0f29e00d24b92ac201ce8f1ca6e390cb3760b2aeb34d920390ea54fb61673613a9a05036b973867c68cdd4e812c
SSDEEP

3072:q+AEoOscDUWpXfgp9ZglH5u3goLM+i/+d9AlNkOhDNHEZ8Vjzg2fYG2lO/BZ:qVexpPgsuQkM+igArXhVke

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zrjFmh2a.exe"	4f749a8cc9c570d1c61feafe433b1e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zrjFmh2a.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zrjFmh2a.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zrjFmh2a.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\system32\\zrjFmh2a.exe"	lsass.exe

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000001f45f-2.dat	acprotect
behavioral2/files/0x000600000002322b-85.dat	acprotect
behavioral2/files/0x000600000002322b-83.dat	acprotect
behavioral2/files/0x000600000002322a-70.dat	acprotect
behavioral2/files/0x000600000002322a-68.dat	acprotect
behavioral2/files/0x0006000000023229-51.dat	acprotect
behavioral2/files/0x0006000000023229-49.dat	acprotect
behavioral2/files/0x0006000000023228-27.dat	acprotect
behavioral2/files/0x0006000000023228-25.dat	acprotect

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
1484	winlogon.exe
4944	smss.exe
1064	service.exe
4484	lsass.exe

Loads dropped DLL 10 IoCs

pid	Process
5016	4f749a8cc9c570d1c61feafe433b1e6f.exe
5016	4f749a8cc9c570d1c61feafe433b1e6f.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
1064	service.exe
4484	lsass.exe
4484	lsass.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8QW2ON4zi = "C:\\Windows\\QW2ON4spawn.cmd"	4f749a8cc9c570d1c61feafe433b1e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8QW2ON4zi = "C:\\Windows\\QW2ON4spawn.cmd"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8QW2ON4zi = "C:\\Windows\\QW2ON4spawn.cmd"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8QW2ON4zi = "C:\\Windows\\QW2ON4spawn.cmd"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8QW2ON4zi = "C:\\Windows\\QW2ON4spawn.cmd"	lsass.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\o:	lsass.exe
File opened (read-only)	\??\y:	lsass.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\z:	service.exe
File opened (read-only)	\??\k:	lsass.exe
File opened (read-only)	\??\p:	lsass.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\i:	lsass.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\j:	lsass.exe
File opened (read-only)	\??\w:	winlogon.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\t:	service.exe
File opened (read-only)	\??\h:	lsass.exe
File opened (read-only)	\??\u:	lsass.exe
File opened (read-only)	\??\e:	winlogon.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\q:	lsass.exe
File opened (read-only)	\??\j:	winlogon.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\t:	winlogon.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\k:	service.exe
File opened (read-only)	\??\q:	service.exe
File opened (read-only)	\??\m:	winlogon.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\m:	lsass.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\y:	winlogon.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\l:	service.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\g:	lsass.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\m:	service.exe
File opened (read-only)	\??\e:	lsass.exe
File opened (read-only)	\??\n:	lsass.exe
File opened (read-only)	\??\e:	service.exe
File opened (read-only)	\??\x:	winlogon.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\p:	service.exe
File opened (read-only)	\??\y:	service.exe
File opened (read-only)	\??\v:	lsass.exe
File opened (read-only)	\??\q:	winlogon.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\i:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2rjFmh2\smss.exe	service.exe
File created	C:\Windows\SysWOW64\zrjFmh2a.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dr4Vlb843.exe	lsass.exe
File created	C:\Windows\SysWOW64\dr4Vlb843.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2	smss.exe
File opened for modification	C:\Windows\SysWOW64\zrjFmh2a.exe	service.exe
File created	C:\Windows\SysWOW64\dr4Vlb843.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\dr4Vlb843.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\zrjFmh2a.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2	service.exe
File opened for modification	C:\Windows\SysWOW64\dr4Vlb843.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2	lsass.exe
File created	C:\Windows\SysWOW64\dr4Vlb843.exe	lsass.exe
File created	C:\Windows\SysWOW64\zrjFmh2a.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\2rjFmh2\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\zrjFmh2a.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dr4Vlb843.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\dr4Vlb843.exe	smss.exe
File created	C:\Windows\SysWOW64\2rjFmh2\lsass.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\zrjFmh2a.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2	winlogon.exe
File created	C:\Windows\SysWOW64\zrjFmh2a.exe	smss.exe
File created	C:\Windows\SysWOW64\dr4Vlb843.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\2rjFmh2\smss.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\zrjFmh2a.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\SysWOW64\2rjFmh2\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\dr4Vlb843.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\zrjFmh2a.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\2rjFmh2\lsass.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\zrjFmh2a.exe	winlogon.exe
File created	C:\Windows\SysWOW64\2rjFmh2\smss.exe	smss.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\QW2ON4spawn.cmd	service.exe
File opened for modification	C:\Windows\QW2ON4	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\QW2ON4\service.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\QW2ON4	winlogon.exe
File created	C:\Windows\QW2ON4\winlogon.exe	winlogon.exe
File created	C:\Windows\QW2ON4spawn.cmd	smss.exe
File opened for modification	C:\Windows\QW2ON4	lsass.exe
File created	C:\Windows\QW2ON4\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\QW2ON4spawn.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\QW2ON4\winlogon.exe	smss.exe
File opened for modification	C:\Windows\QW2ON4\service.exe	smss.exe
File created	C:\Windows\QW2ON4\service.exe	service.exe
File created	C:\Windows\QW2ON4\service.exe	lsass.exe
File opened for modification	C:\Windows\QW2ON4\winlogon.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\QW2ON4spawn.cmd	winlogon.exe
File opened for modification	C:\Windows\QW2ON4\service.exe	winlogon.exe
File opened for modification	C:\Windows\QW2ON4	smss.exe
File opened for modification	C:\Windows\QW2ON4	service.exe
File created	C:\Windows\QW2ON4spawn.cmd	4f749a8cc9c570d1c61feafe433b1e6f.exe
File opened for modification	C:\Windows\QW2ON4spawn.cmd	winlogon.exe
File opened for modification	C:\Windows\QW2ON4spawn.cmd	smss.exe
File created	C:\Windows\QW2ON4\winlogon.exe	service.exe
File created	C:\Windows\QW2ON4spawn.cmd	lsass.exe
File opened for modification	C:\Windows\QW2ON4spawn.cmd	lsass.exe
File created	C:\Windows\QW2ON4\winlogon.exe	4f749a8cc9c570d1c61feafe433b1e6f.exe
File created	C:\Windows\QW2ON4spawn.cmd	service.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
1064	service.exe
4484	lsass.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
1064	service.exe
4484	lsass.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
1064	service.exe
4484	lsass.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
4484	lsass.exe
1064	service.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
4484	lsass.exe
1064	service.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
4484	lsass.exe
1064	service.exe
4484	lsass.exe
1064	service.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
4484	lsass.exe
1064	service.exe
1064	service.exe
4484	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
4944	smss.exe
4944	smss.exe
1064	service.exe
4484	lsass.exe
1064	service.exe
4484	lsass.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5016	4f749a8cc9c570d1c61feafe433b1e6f.exe
1484	winlogon.exe
4944	smss.exe
1064	service.exe
4484	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	96
PID 5016 wrote to memory of 1484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	96
PID 5016 wrote to memory of 1484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	96
PID 5016 wrote to memory of 4944	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	94
PID 5016 wrote to memory of 4944	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	94
PID 5016 wrote to memory of 4944	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	94
PID 5016 wrote to memory of 1064	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	90
PID 5016 wrote to memory of 1064	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	90
PID 5016 wrote to memory of 1064	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	90
PID 5016 wrote to memory of 4484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	93
PID 5016 wrote to memory of 4484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	93
PID 5016 wrote to memory of 4484	5016	4f749a8cc9c570d1c61feafe433b1e6f.exe	93

C:\Users\Admin\AppData\Local\Temp\4f749a8cc9c570d1c61feafe433b1e6f.exe
"C:\Users\Admin\AppData\Local\Temp\4f749a8cc9c570d1c61feafe433b1e6f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\QW2ON4\service.exe
  C:\Windows\QW2ON4\service.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Windows\SysWOW64\2rjFmh2\lsass.exe
  C:\Windows\system32\2rjFmh2\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4484
- C:\Windows\SysWOW64\2rjFmh2\smss.exe
  C:\Windows\system32\2rjFmh2\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Windows\QW2ON4\winlogon.exe
  C:\Windows\QW2ON4\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dhi4825.tmp

Filesize
165KB

MD5
072f5b00b3a09c3c955f7950acb33eb4

SHA1
804a8995e9494607bd4827bc032a1c37f414bffd

SHA256
e2b6e511c15816522e387ab1d93322491dc014233fe5551a6ab8e243e22c0e54

SHA512
e0f3c38a3b90b6564694566aac10c40df727dc10bef90b20a728b0aa541d62731e65e0b40bb45aa0d0120020ace7cecc1f6dc5255e710360bb9b0edf1b919fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhi4825.tmp

Filesize
98KB

MD5
7e569900b086c0aa76f6c0ffee36fbb0

SHA1
1c5d0e21ca3d53b7a08504e99a943ff575cba988

SHA256
6a999e399d68450deff5e87b0273d7d76d81fca25226228b5574380fcc75552c

SHA512
7349ae6e1457e08f0c770761234addb0b4e72ba08a21df0806c015aa282ac6fa51eded64a109a87103468599152c324bab553129ec63370ca8d3479ec2107912

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhi4863.tmp

Filesize
162KB

MD5
195535bee37fa4096405be10a484e76a

SHA1
8c54a2afdb5267f0187fa2adee0b232285383bd8

SHA256
7404d35fb4d8f6cd087c52d70b6833da4b653bc241728baab6c6b7e50eb00975

SHA512
d669edd5d1fc95865a3b455e31f456bb83f0a647818bedeea28bc6911d8d3e14a157a6a007a913d1990c3bf1f4b071576c274c970f271ae42773ba978f8133f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhi4863.tmp

Filesize
124KB

MD5
12d0a2c06b336e9de1f2537a9a7fa27d

SHA1
46241e235b879e588ddc70bdc9bbc8b7069a3524

SHA256
adc758bb50f761328b2a84f8892915d26dd438c08f7c282b09d8280c6b553c82

SHA512
bd2fd6ea56e039c97ccc8d712798e33fb34cba2f4fac2c67bd1cc14751a6546e903be3aba815dcdd1c7007d3984fc3c3293c7a722ace32a081bcfae257e9f37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhi4779.tmp

Filesize
126KB

MD5
ce51e1890344e087e5ab66d7f01ffd58

SHA1
3d3eb2903726f7aed18c5c10232aacb722224eaa

SHA256
5ea0cda91b26f42d7c5ea9f459bca56e8cbabc61c67c51a8d26411f362fce1ed

SHA512
3a924dd71e55bdf47ae41814dbd6424a6877d95d7e0bbac6acdab65ce6a657d45469752a7e00a6996040a16f7c7541ac6abd4345be1bf47cd43666596b78b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhi4779.tmp

Filesize
138KB

MD5
466fc35c67f9b0aed11c75d81fbc220f

SHA1
0f6eb64eca5455623295ea5de2f013de07065de9

SHA256
52c0ae9416be1b5bdf8d3e3756d1656977649e4b2ac151aa646529bd30a60b73

SHA512
54523e0c8676e71ca75c0393ffd3c4c071ad64a9307ab84b90f0fe5cf99e4087ac4b990ad2c6eb74923ef86258879dd1848b7b1fa0ffbe9db20c587a791fa899

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhi48A2.tmp

Filesize
86KB

MD5
fc1290eea050ba70ac450bcd4c0d7b46

SHA1
1fe0eeefdb6ad872e99933219683202f6dbe4505

SHA256
0f5dfef740b9045acac3134e0d35048daf038044b81a13e2ef4d58792a4dd19f

SHA512
6993faef841fd293a68f4671e21b887664645e478364887a1b512da8211e2441fa9e18b8f9184d70d14b90934eaabdf55a34a5f81e85eea98b4f5eba7fcdd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhi48A2.tmp

Filesize
8KB

MD5
e39e9dd45e2344787fae7ea635eac339

SHA1
e8755140ff5c4e6c6fbf488f091a7a29b5b30b43

SHA256
637ebaba36977c5a2e368bd65ba8023c3bb45fc01a0eef276249bc2e9c1563aa

SHA512
8df88503f6f46b849902274d0741ace5124b2113d88756655059a22f9087ac9bae210d8c737c282878fdef63b1237d76a1b89357028645d74e99e8d0bd668eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhi46AE.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd

Filesize
167KB

MD5
a8fb1c8da9216f1ff5a9e5c597732d86

SHA1
3b211ece729b84b4952326c2783a2dcc4a70fabe

SHA256
61f61f9700f03fc739010da9f9d347536e04b8e542d5dd4e6c20825d95138631

SHA512
07f6ba599cb36b1d64d34d7fe70e5b2cc56c5ea39b411bd5bbb493a24d6b697ff885eb2a236a796400642511806ed5420157e58279a8076bf845b9ce24cb74bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd

Filesize
124KB

MD5
64d3469ab5551e262362ad709ed02565

SHA1
6b8e2828da02eec65bd26295e505c1eff4b51b43

SHA256
e584a841ebbb73b6c8ff2c6f87e5ff64c84e8431dbc9ffee520fffa69adc7077

SHA512
59b6400a776133fbdda440e67ae7cae68dab1464df0fdd7c64778e20ec3142ea82ff070c6b1dc597b3397c1a190bb5b03a3a05805dc009c275c8162ea136f163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msdos.cmd

Filesize
39KB

MD5
f15f14fa7c02bdd49bd63dd45a418853

SHA1
993fe06df06569448bc0000792bd76d7286a4f86

SHA256
d58dbe23044cbf307e072ecd8b5d8aca82986267d07cb8996d62299984ca538c

SHA512
7e1d181a605b7d6ac5c6a4f7ac4a078f171cd45b339ae05128eaf6dee7618d314de0c380a43432b779404b371114600b44aa1552f2df891c8fce7550c39cf0ab

Download Submit
C:\Users\Admin\Documents\about.html

Filesize
20B

MD5
5cc81d0fd525bf36d577d728572897aa

SHA1
5d12dac12a51d3ecd95d9c4a97ac3209f14eb3c4

SHA256
fb27201058302a5f6b9dd225cf5e53ecf5d0194803b16f9db5d9801efa4eab4f

SHA512
836723eea940f3eb357bb9bc9a8ba26e3749dabecc432c76c027a0f400c69726b8a4f31c8cd4aabff3d546d57ef71d126236103113e6b58f558ba155fe3ad951

Download Submit
C:\Windows\QW2ON4\service.exe

Filesize
158KB

MD5
7c28c5f3481d2f5ab71ce3030eb03a7e

SHA1
ed51c60000d0b7447c4f88184bab89a753d17ebe

SHA256
739c1cbc1587d032e25f83cc1ea189e9eb98e2a399449a4a2ebf4de1fb46b03c

SHA512
a7eb0b6ae5eb9b93efebfda0400e445e8218fca8c5061432871d210aa66c2595173e4255671c77d6b6b4a96af824568a9b936dff975dd823919a41a7a8c0f039

Download Submit
C:\Windows\QW2ON4\service.exe

Filesize
210KB

MD5
f3057654f7ab5f5dc9eb9953d21cc106

SHA1
1313f4c57ec9eb58852b5bfbca7f5883c8b4d237

SHA256
93022b126cba92b9bd3e1049b77a89a5795f3a8903059eca3c0e3c34411d169d

SHA512
05339f8e0b3c9c24dd2097abd29e220a93929beacec050955ce01c823ffd9ed1ec5eac0adf98d3d0508da1daccdcf2c29a64fe753be33a7081d3cc32d6f21090

Download Submit
C:\Windows\QW2ON4\service.exe

Filesize
145KB

MD5
27cce3897a5b6598acf6000b99a41ed4

SHA1
3457ab0238ad1904186be514f64b826fc9b395b0

SHA256
bf01959690e3ad21ccf23121ffa5d9205d480316b0a827535759feff96238bf4

SHA512
82da64c521956c79b2e7ea78ab5b671bc7fa9ca0c1cd628c6bed689cfb400ced0f5f66e5d992aa748912c3db8a70a6207c2d49ce89050a9a260d2d0f5a49f1dc

Download Submit
C:\Windows\QW2ON4\service.exe

Filesize
71KB

MD5
46256bbea2ed1683e0038063cc4346d7

SHA1
3b78fe6a071c8100cbecc8d7c6655e33f790c524

SHA256
1695f7fdf5ef71009642238fc3b19621f20f89ae77fef7e106e5cf27b4263ac9

SHA512
adb453aed3bd3d21c48c5ad6b12d9adf1f58bb0c73b3346590f2ccc2a20995481d0f686e18fe337247198a0d197f656d601a62ee92ed8a86bd332f721dc75b15

Download Submit
C:\Windows\QW2ON4\winlogon.exe

Filesize
236KB

MD5
76b183b06b8740ab50b8e628641cb11f

SHA1
b6acf9200634f8180a5d147bd9688fdb0f2842a1

SHA256
a5922516167a16ebd22bc4399ac61ab92e3e468b99fe03e631b769dd17790308

SHA512
12e3105b0050bb70fa517bb698e2ec02b90f1445edf57dc5e999576d4d1cb2b362a04d5166e0c85f4dc69ebe63be7cdf1bb1ce8421c810aea60369e0b5e9bd6e

Download Submit
C:\Windows\QW2ON4\winlogon.exe

Filesize
93KB

MD5
71644caf6300c2a8086fcad2bc2b6345

SHA1
3a588ad41d4bb7d3561842912f7e2700283f0ec8

SHA256
4930b22a06d1460c9cd0923a6bdc1e7759d805103110f508414769776a45b1c8

SHA512
cd57af49e6dec39205c1287d7519d13c75e58c1114b9795fd6668ef63350b73d1a6d755b89a63a4b43f6bd6e91c0660ebef5bf848e0be05a7c242bb8fc1f7e74

Download Submit
C:\Windows\QW2ON4spawn.cmd

Filesize
134KB

MD5
d786e6a5e9d75ecb3868462e5ae75d68

SHA1
2140175a4016ab250afdc2f4ef175e3cbc6f6383

SHA256
2ed7cb76dbc6e80aa79135be7574b34e2836fc1a85b0c2ccb844f03241a76899

SHA512
88f0a55155e463bcdd7a47b5127746faca014560b3d0f6637df6bbbcf442b6c73d2d057112c4353a2e512344b27ec5c17b3e699929b971c5e34ae440bcfaeff1

Download Submit
C:\Windows\SysWOW64\2rjFmh2\lsass.exe

Filesize
182KB

MD5
3ac64d7805cfa551e60b462155f75074

SHA1
4ce0c1acb2e840d3fae0098fd3e0953a4c0eb125

SHA256
986f683c338fc4eca402e8eea0a520df9c73edd34dc73d662f0e7e2af3eb3907

SHA512
2c88dd6204104a57f5b256652a00703ddc8ad504693b319c072d4fe09fc4cba98b3913a9d72001cd16cea0dc4c7d722d83a848b6c045c550b0bb887d831b08cf

Download Submit
C:\Windows\SysWOW64\2rjFmh2\lsass.exe

Filesize
96KB

MD5
b0ac866c9296d34f08fb5d6b79ffc4e6

SHA1
79464f8fd377998035fee7d97e7cce110ac1fbd1

SHA256
b52910f62781a77c2cde363ec603f7eb140f877b20324eefb136926a27791945

SHA512
b6d415f65a17eb2f4d37e5b5708a2872c915ba5b15d195f2022243759a1148b5d831ea3a87b1af16241541b22dd82bfd9321c9c2e2a619226a78fecee035827a

Download Submit
C:\Windows\SysWOW64\2rjFmh2\lsass.exe

Filesize
84KB

MD5
561785eed81f27aa0ba4646d4dd05afb

SHA1
bfe5ab9b75f74ba4758d0461afb48ed19f0b00b3

SHA256
9505d156bfb95e682bfb81b22eecb0eb64090569407fe71a16d5a47dfdc98a1e

SHA512
763b7bb7e9c1e461ad477400c6ed12d63fede3315c50651a221fda26b2662d904b967a4186208a0103a37d673a4f36f27edb5031285a9e7c85434a88da24de52

Download Submit
C:\Windows\SysWOW64\2rjFmh2\lsass.exe

Filesize
30KB

MD5
9abdec5f42b02268cadd4231afb0e3ae

SHA1
feff683ef4e5d9d70e4e8b2556d1ea486ff2692b

SHA256
2469c92efafd3f033e5a26f915bbeebd3bdf60f29276a9fdec5c703287b46f48

SHA512
57fc57f3e1e5dc604f9395d0a87ca69cd91cc935852a67054fc3da72e2dc9871bdd4fc7c14b076f90a3873b98e41cb3cb8e4158dee883f6001b1b9ca67cceb94

Download Submit
C:\Windows\SysWOW64\2rjFmh2\lsass.exe

Filesize
90KB

MD5
0daac1945ec03a3126b401f9959f550a

SHA1
159686d80ab647bc8efa92d6a15b0de06a536ef1

SHA256
5878b4ea744ee350d7d7d4b574c108195421f8df7eb46cdb06f8980319dd0cfb

SHA512
f3a54fb261cb28ea10f43e9779f2e2474832ddff786c376726fd0b3e0b29761a23c8f7b672d2090e21e8a9eacca99ddfe09add4fc87afaa600ba51455a8c118e

Download Submit
C:\Windows\SysWOW64\2rjFmh2\smss.exe

Filesize
189KB

MD5
f92df574844b077d47677a51c72b9998

SHA1
56274c8b00543e9e7e7d0dcfbf3887ff195aae53

SHA256
a7934d8bc2ef2639e3d516f986e71c336bcd4e3e27263b2ea1780cd6686b32c5

SHA512
9370b9838c97f1e3e2bf5cfff80080dcf6302552a2a26527702d0cd83968470934080b0efb190f68452e7c5506e2b072d573dbe30067390c1b3bce0f54e759db

Download Submit
C:\Windows\SysWOW64\2rjFmh2\smss.exe

Filesize
37KB

MD5
aceb931f0d2188eb4588361442d16e00

SHA1
f70b7134fcc82e2627f246fc381e65551348207f

SHA256
b309c52b38fda7d12ddb349cf3e7cca74db42b9529e193346a9da92661c4ffb7

SHA512
025d0de1c1d04f006f8b02ad5b7d8eeafb3441032633e49009f37899b821c05ccb94c026f09373f2939c796e78b90a3310b4d12aa67b630654425bd17858ab2b

Download Submit
C:\Windows\SysWOW64\2rjFmh2\smss.exe

Filesize
76KB

MD5
e995452c81f6c278c147b9fba4eff23e

SHA1
05ed0ba04434d54ff85e846391382c6448cbd2f5

SHA256
7e4c2bc7023ba8853882db7853283e365857155d22103b14c5e330c004c09371

SHA512
819614ced85a4d7497063a8aad2b9e67175df89bce65fc6641d94d625014f345685b66f3be8fde7b26c9e722cfef12306cfcece7672e2fc4d6017ac9cf26022e

Download Submit
C:\Windows\SysWOW64\dr4Vlb843.exe

Filesize
204KB

MD5
f126429c4139e9adbf499c2be38faa22

SHA1
cea2f12f7fa6bc7bb4ad4ac2cd0609c2cadbd6ab

SHA256
9718370c7087ead842c3804e5cd0f9600cc2e8c231c383df6ac3d396f6d9650c

SHA512
8ec89d5e93db58cee9034371bdd976a80ae8d5885d8b6a8d30718704fdeee638810a635b83881013aef3407b3686a27a016b6aeda9e5e22a5201bd2b67c22370

Download Submit
C:\Windows\SysWOW64\zrjFmh2a.exe

Filesize
216KB

MD5
516f698c13357a86cc4dbf0e0085589f

SHA1
ad7d1f25a4b3eebad6e43d2db098665ab0e08235

SHA256
dd70efc99146a832512cbf3f7d893439babf9fb11209d90f3f2ef6850d734f33

SHA512
e25a628a9761900d65af437fbd7fd253f14f5113c7f0df120e3ba472516ee16344a5eed3b43993d3d4fe3576c7377b31ad13f4bf5feca40959cb46d62f964f08

Download Submit
C:\Windows\SysWOW64\zrjFmh2a.exe

Filesize
181KB

MD5
5a0cf0fc733cf895282793c28776f2c8

SHA1
f5b7b4d2e2744740fe001dd9987c96e0d6cf27b7

SHA256
0bdc0cace61eb4ea404f54afbba4075e07421364e3cb92fc5c71951b816aac09

SHA512
4a1ab180b2c6173c973cd6b878a987b3305a35889e6fb3603d3b4f61e84cb3861fcc688113d34fbcd90b58017f6c6741c2fe3181590b76e9931cb003e8ea8705

Download Submit
memory/1064-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1064-93-0x0000000000530000-0x00000000005A3000-memory.dmp

Filesize
460KB

Download
memory/1484-32-0x0000000002020000-0x0000000002093000-memory.dmp

Filesize
460KB

Download
memory/4484-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4484-96-0x00000000023A0000-0x0000000002413000-memory.dmp

Filesize
460KB

Download
memory/4944-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4944-63-0x00000000023A0000-0x0000000002413000-memory.dmp

Filesize
460KB

Download
memory/5016-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5016-92-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/5016-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5016-8-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/5016-5-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download