6d6e3e296a4289ef15765d0194fe4692ce9039956520d4a93e7387a89bba422d

Analysis

max time kernel
149s
max time network
168s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42145abf46516f72b3b6bdea8f13a85a.exe
Size

307KB
MD5

42145abf46516f72b3b6bdea8f13a85a
SHA1

b42b053c2c0f0a95157cd0cbcfc74c34d0fd0b96
SHA256

6d6e3e296a4289ef15765d0194fe4692ce9039956520d4a93e7387a89bba422d
SHA512

931411f83a8d2accae3cf6d11f4c0bd8cb133ba32b8ca37f7d639162e8b54b9b3aa6c3f9653698e7337feea29699112f3f868d24a65539925db35806eb487ae7
SSDEEP

6144:YwIL3lEohnNA002tJguq73j7DurAWsyXfhoGTT1kQpugSiE6067kyy36QNp:YwIz9nNA0uuqDj7CNsyPhoGTT1xpugS3

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fake.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fake.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\57540.aqq	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\svchost.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\s7a.vbs	42145abf46516f72b3b6bdea8f13a85a.exe
File opened for modification	C:\Windows\System32\drivers\etc\alg.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File opened for modification	C:\Windows\System32\drivers\etc\ctfmon.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\375519961O57540.bat	lsass.exe
File created	C:\Windows\System32\drivers\etc\__tmp_rar_sfx_access_check_259433063	42145abf46516f72b3b6bdea8f13a85a.exe
File opened for modification	C:\Windows\System32\drivers\etc\s7a.vbs	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\lsass.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\alg.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\svchost.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File created	C:\Windows\System32\drivers\etc\ctfmon.exe	42145abf46516f72b3b6bdea8f13a85a.exe
File opened for modification	C:\Windows\System32\drivers\etc\lsass.exe	42145abf46516f72b3b6bdea8f13a85a.exe

Executes dropped EXE 6 IoCs

pid	Process
2176	alg.exe
1612	lsass.exe
2580	ctfmon.exe
2708	svchost.exe
2680	OSE.EXE
2096	fake.exe

Loads dropped DLL 15 IoCs

pid	Process
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2008	42145abf46516f72b3b6bdea8f13a85a.exe
2480	regsvr32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1612	lsass.exe
1612	lsass.exe
2652	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000142c0-22.dat	upx
behavioral1/memory/2580-51-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x00070000000144b0-32.dat	upx
behavioral1/memory/2008-23-0x0000000002260000-0x00000000022B3000-memory.dmp	upx
behavioral1/memory/1612-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2580-71-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1612-524-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	fake.exe
File opened (read-only)	\??\E:	fake.exe
File opened (read-only)	\??\G:	fake.exe
File opened (read-only)	\??\H:	fake.exe
File opened (read-only)	\??\I:	fake.exe
File opened (read-only)	\??\J:	fake.exe
File opened (read-only)	\??\K:	fake.exe
File opened (read-only)	\??\L:	fake.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe
File created	C:\Windows\SysWOW64\try5166.dll	lsass.exe
File created	C:\Windows\SysWOW64\dllcache\try5166.dll	lsass.exe
File created	C:\Windows\SysWOW64\scuifile.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	OSE.EXE
File created	C:\Windows\SysWOW64\fake.exe	lsass.exe
File created	C:\Windows\SysWOW64\cy57540.dll	fake.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000012264-42.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e9178664000000000200000000001066000000010000200000009e12b119cfdd5ef22898ea008ae7c1f5748985ab6156b88120a0cd8631aeeece000000000e800000000200002000000093d43fea0ee22d68bbff1ed0d51b3aee9e4803f3b2e1a6dfa7fd4249a871b183900000001769fbe255f931e73eab813f819eccb2828376701b1a9f0542835e2ac7de241fc55909fcf612b387d0cbe342d0e1ef7e469f9161242c49dc49142317a8b83f74942f873ccc66eccf772eb921e01551cf10dfea7ecb5a1aa6676a5579d08d06b0246474e3575dad571f03526935d60a532125119ede27acb428797599ecb9b00bceecfd801f949a6939804208b9c46f2d400000003d9356841f15b915be92f050360f88fa75025a18ebc2b0ab582ed06f4b28fe624e39834185c931fc86f728b0f18aef6a158dc9c0a7529c61e0c92b700b5bf355	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411061435"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e9178664000000000200000000001066000000010000200000005e5922cfaae116f5c071332a896aef13c7f458273ffa65a7e15e1f866a5e5121000000000e8000000002000020000000076d06ad3f02406a63048cb3dc1a16436f3dd25794400df55c5888b98da4db9420000000814bc9b06f9db34dcc7b0293a04955a7671c55921eb4efad5d1b0cfc61c390524000000025b3949a5959fff54fe774e992797e0a9cfb01876e3d7111650ec53c73893c8dba8d4b4093fb16144ab2f5d95365c2f9cf89604a7f3f4742f4479f9accea3594	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204e9c8ad743da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B26312E1-AFCA-11EE-AC02-E6629DF8543F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	OSE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OSE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OSE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OSE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	OSE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}\WpadNetworkName = "Network 3"	OSE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	OSE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f010b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}\WpadDecisionReason = "1"	OSE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}\WpadDecisionTime = 60b37980d743da01	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-6a-e5-c0-ad-cc\WpadDecisionReason = "1"	OSE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-6a-e5-c0-ad-cc\WpadDecisionTime = 60b37980d743da01	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-6a-e5-c0-ad-cc	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}\WpadDecision = "0"	OSE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{808011FA-6288-40E2-8745-EDE65DE179D6}\b6-6a-e5-c0-ad-cc	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-6a-e5-c0-ad-cc\WpadDecision = "0"	OSE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	OSE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\cy57540.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\cy57540.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\scuifile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\scuifile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2176	alg.exe
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
1004	rundll32.exe
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE
2680	OSE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	alg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1612	lsass.exe
2580	ctfmon.exe
2624	iexplore.exe
2624	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2096	fake.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 2176	2008	42145abf46516f72b3b6bdea8f13a85a.exe	28
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 1612	2008	42145abf46516f72b3b6bdea8f13a85a.exe	29
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2580	2008	42145abf46516f72b3b6bdea8f13a85a.exe	34
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2708	2008	42145abf46516f72b3b6bdea8f13a85a.exe	33
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2008 wrote to memory of 2696	2008	42145abf46516f72b3b6bdea8f13a85a.exe	30
PID 2696 wrote to memory of 2624	2696	WScript.exe	31
PID 2696 wrote to memory of 2624	2696	WScript.exe	31
PID 2696 wrote to memory of 2624	2696	WScript.exe	31
PID 2696 wrote to memory of 2624	2696	WScript.exe	31
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 1612 wrote to memory of 2480	1612	lsass.exe	32
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 2624 wrote to memory of 2452	2624	iexplore.exe	35
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 1004	1612	lsass.exe	36
PID 1612 wrote to memory of 2096	1612	lsass.exe	42
PID 1612 wrote to memory of 2096	1612	lsass.exe	42
PID 1612 wrote to memory of 2096	1612	lsass.exe	42
PID 1612 wrote to memory of 2096	1612	lsass.exe	42

C:\Users\Admin\AppData\Local\Temp\42145abf46516f72b3b6bdea8f13a85a.exe
"C:\Users\Admin\AppData\Local\Temp\42145abf46516f72b3b6bdea8f13a85a.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\WINDOWS\system32\drivers\etc\alg.exe
  "C:\WINDOWS\system32\drivers\etc\alg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\WINDOWS\system32\drivers\etc\lsass.exe
  "C:\WINDOWS\system32\drivers\etc\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\System32\scuifile.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2480
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 try5166.dll , InstallMyDll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Windows\SysWOW64\fake.exe
    C:\Windows\System32\fake.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c regsvr32 /s C:\Windows\System32\cy57540.dll
      4⤵
      PID:2596
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\System32\cy57540.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 375519961O57540.bat
    3⤵
    - Drops file in Drivers directory
    PID:2600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\system32\drivers\etc\s7a.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" www.aesee.cn/xuke/mx/s7a.asp
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2452
- C:\WINDOWS\system32\drivers\etc\svchost.exe
  "C:\WINDOWS\system32\drivers\etc\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\WINDOWS\system32\drivers\etc\ctfmon.exe
  "C:\WINDOWS\system32\drivers\etc\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2580

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7323224abda0d543ff1cadf06a3abb9

SHA1
54b9a6aed20c8247a9f4f2dd1a3aee4cf4e70c13

SHA256
52323b0e3d0593a157ef67a7e28c89d247527020cde64cc2a956be72b7c48c82

SHA512
d364da770f33e902f1873770beb41e0926e75037ee3f20b0f44d034ba53938f45e6ea9f1a7ca14222c88156aa692be6e8f2086bdf99a8dcc3a6d2ec0f600e330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b64061783928d082f6b6b72f3ba8779

SHA1
d92713e0a58408e2bd28fc9c3e1f027ed706e738

SHA256
8c2182dbddaf53872de1d00da8f9e1cdc129fd96afd3af85b93af3e382d95c8c

SHA512
32c6f87b2ef2ff04d4345e0e04bc596f32ba52dc519d07ee293b4674d3ad3f9cb30d7d9eb81ec22c6a901b332514b19f0709458a9b9483273a73ec954891d18b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e732c8858bdeea212baf3a2b69f4ffa

SHA1
cd4e2152e612948bed6189a885c5d08d4bb941e5

SHA256
8b80f9c3fc540019f32a9d17d808167fa87015f12df58ceb459245c0f005a3e7

SHA512
ab7a5caefd3fd0cf3ad774e278cd59a7752fbaa577ab5f45dd893cd26ab90ef833caba49c0a3f2c0c1ceaa29a0ec0f104ef4c6f02e138fe84296357d4f149156

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cac9f9b45540c41145a60eded0a1e0f0

SHA1
e795db5bd20f63f0d1c567242eb1e10b8417cf37

SHA256
92fd4157a8df1189e77d0102a7b5ee3a22396ca2c9f745da472e19fb7690401a

SHA512
0d272505371bb2eb2b4091fda2c49eaf61bf3ec08ddb1afb4193846fb35bbac217a411ca2cf238b050404ec9d581081d34dfb9c3dca68b4049c6b9a3747818b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f51145347a7b8ef12eacd0a7ff690493

SHA1
2815193c23aed2cd5dced99036a50fd74e154b94

SHA256
4be7cf96407d42cf85aebdedf4be60cba0e7bf06b1e57152cbca1904ee2d6871

SHA512
e4838e97ad2312b3fae7519df8f5d37e3fb43b55c7f812162c4c5ab8b0260292a7b627b35b8a9056785b73b28cfef7ff220b789f431c8a73414e30c18413879a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
741ec6c43c72bee0c94db411a8dcaea0

SHA1
37fb4c9eba27b94d38062a085094ec668fbfcf6f

SHA256
ba2315080ae37894f617fa0a99212c17b7d9ada1ec57a0667ae411bbb551bd40

SHA512
8337c6a81a2d4f583a4223994444a26cfb62795b23243d35df06ca9424549898a692e6bc32f07dd81e7e5d2975f7fe9a0ed260947638990f549ba872a9ad9eb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ad33a11156e1ef6a94e2f78f6c2e79a

SHA1
6586ffbc9d041c44824cc58f50d607035b6ecb06

SHA256
cc2b842795b944f4ff71b6f653cc516743895e51a7e70ef667c0a4824c625a01

SHA512
43eae35ef2762b3cee04e963c3c1fea62ba1463c8c3ae8dc453788eb3d3f7d93a7fbf1422359bb3ae559e23ce9a04f6e426c57b92b4e6936d9726a2c5f2b6f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d81b2fdaec9548bc4e1078cdef999b07

SHA1
4c0cec6ef2e562c31fde1e5ac8c7307543900893

SHA256
7c9071de517976a361fdd90d0861701a4dfe33e7d2538943b4ecbd12fb549e24

SHA512
7064be84dd7cdccb07c47c2f1b99715ca378f958a4ddbca9a483c8fbfdfe2fccdda911f000017d2dd33200b70aed5cb60ccfba14061db3a704089c4fb611435c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b77f8b270bec7001e005f6e84a4a27f

SHA1
8811c254e446aa309343ab00d2fa91c3aefcd4d9

SHA256
666c7b6d1bee141d9e311b5119674db58fbdd8fa061e68bbc295575e6cd8a988

SHA512
1f66573717d71f33d0312526b11dcc5ea8dc60ec9fd656e6723c16b5eeceaffc137e9f45a87751b97891a4975631f55a1d1c60837a668197f4a958fc2237888c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b39f09d6d9659d2f66fac7d4f5c57262

SHA1
88a4a7bfe4b2d5fa588c515ceba9af262478526a

SHA256
4c63bb84bd69e1fe4d79470b93803cec28f7df551c6f7301032889534d951569

SHA512
cf273f8a8322b25cef1bbe721cf1d7fc1b5c2a1ef1118873f1982fc0a4d6f6365eee9e29d1f96879da39c7d25d02fd2b58147f7cd233c83a3462d6ae043061e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b18efd4c169788006c73c27178de29a

SHA1
cb530d97c9342cf6d4b78904b21063f379ef732d

SHA256
03ae5db9c186dbb75976e877a54ed767d7064622536f3a528d1b466e5bad9196

SHA512
661f344908f30cd32baf1b74c1856a4aed5feee861d797bd4b97af26bc1e60e5324f723bfaa4005067a4bf796e17e5939451813a3c2a92b5d276b8cdb0365a5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8f8ac24bb2a0573f356abbd6e3209d8

SHA1
9ea369aa05992a4454d45efca46df61e9369f3de

SHA256
3d03f33edb61a31b17fe01f6f20e3fa602bcec11ca9b7e376e71d95781cd6989

SHA512
5a586fb6732c8b21cdba08a66e0936372b7f656f98de147928323b3912398fa75ed24ca19beb7dcacf0bbf694d554132e56473d21d3039361729f044e350aabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d1c10d36b8e99d3944c4401874112c5

SHA1
213ce79afa882b030cfd1b473059fd4c6d741193

SHA256
dcae5a8657de52e7053366bee06f5eef91b1f94748d741d6c1657f2ceee01b65

SHA512
58b05006393dd86b05a5edffe4aadef60fb3e70223e73a2e5c22bcdbebbca9fdc977d2785c812359e914738ef3cf56b4f8806b4631c537d12d96300da227e433

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19c75492420a99f79f9d3922d1ba9a0e

SHA1
b47162a546ee3fad73e78d56ad56ec5961eb90ea

SHA256
e85f59e315671ac7dfad5319534e0c7bac6531224980340f5584e98f7255c520

SHA512
23f4827ee02ff98f4a795b40df5ff91740a4ec8bee9b194a6ea615b3fc9db8d33a5bb2b8d14f7687d89be5e652983bca146c022919450e6f24c300c7dcfd735f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bf1966e90256035fef918f0ba9ff1fe

SHA1
82280f56070ec6c3139fc83f2694403bbccbaae6

SHA256
a45e2932fb278bbf3fbf25edc92e7f0c864f911f7b5d20194dc25365d0ffb195

SHA512
506e79c1ddec8cba87b42fb5279f8b84ceaa47ef0e92d0395cafe8a777f5da4aabea48a50a72f064cfacf8fcbb336f84cc37f7f631327680c3e840d78a1f371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE522.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5A4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
2KB

MD5
57b072487974f0769e67aef2a186e542

SHA1
0b2f51e497a2a0fbd0f37217af61b62e811025cd

SHA256
6ab10c6479adfa279c4d69a599993f9d9497a56d721e1bf3e0a67b159ac999d6

SHA512
39d95b9520a0b14aa003b433d4a7ab1176cca6abac94e6de48b389165f47b0d70e6c449f52934308e4084620fed2bd6c659c93d5a75a9d054855431cd3dbd917

Download Submit
C:\Windows\SysWOW64\cy57540.dll

Filesize
48KB

MD5
f3a8b05a9863427bb1fc1174ffa92889

SHA1
dc5b8c07a7df32b6ad388ccc47fad6b99672cd63

SHA256
9bdf92e58ab0f3411979b5ad2c104961de7f14ac60928b7f531fb4b32972258b

SHA512
e38c76408bada065c211334811a363e3a79ba7dec6b4805d59a1e3f934838ea1a67255b13f78a9f2b7eac6263164e3e8fdb3c61b651a21e39818ce1b908fdb65

Download Submit
C:\Windows\SysWOW64\scuifile.dll

Filesize
68KB

MD5
9fb5f49d248df6f26b6bd691658cf435

SHA1
b32f55f3bd8dbc9c9e12e3e283e4a3fc5faccbbc

SHA256
de34b6c2f27b8ce367cf2c4bea551e46c44d1b5a654ab22f502fa80b46605d1e

SHA512
d585c625e40409a2f06dc60572beac323db6e45101f29fb733c2ab7737a1ec593abc0babec1a740be41da52de71c33059738d94a6c203c092a173bf8da8a91c8

Download Submit
C:\Windows\SysWOW64\try5166.dll

Filesize
56KB

MD5
1d9d487ff4980d6f3ea952f845289add

SHA1
b35211ea60b0c205436db05c715c8f6aa6eef300

SHA256
a44d6cee36cf9a6578af0076d86e6ed4db06e406545f7dd07894b7cf33425861

SHA512
fbbcdb31e87e0679f6f1a4a5c8d9ce377aa4074a97fa168f0d477850b320f0f9b74204d0405d0b96e54bd1b0e1e774bd4c83048abc7c21673fdfa8a0b7ec46dd

Download Submit
C:\Windows\System32\drivers\etc\375519961O57540.bat

Filesize
2KB

MD5
8bd9cc70f908ab943d0ed7039f59a564

SHA1
4a81d61d7645437caa80604d8b0501f40ba006f8

SHA256
dcf58dbab27c43279cab7722a5d3598a8e9751bea722b5ae5acf6671ce93fce9

SHA512
f7788e6cbb40a4e9b3b3af95b7c3b13c42c6ae11244554ef4de462db55b18e9b2c2d55211c4a3df127a8851b50ccbb195936ea6d4da9051e2cb621ac105bb70c

Download Submit
C:\Windows\System32\drivers\etc\alg.exe

Filesize
112KB

MD5
11c0f86025c65fe4dfd5e66f112d4d35

SHA1
f40cb7174a5224fc2614f6de007f75f3eff77f95

SHA256
cff65f5b347754e9d20efdd2307b78fb3bfa112ec01fcb8f5f60467fea766577

SHA512
449194b3159c372115a4d82a905f877683540faf7dfb983a2abf9da18366ebdb2b331d1bc923ca1b442037769f67fb53bec45ca0bf20c1e7ae75588b94c432f6

Download Submit
C:\Windows\System32\drivers\etc\lsass.exe

Filesize
69KB

MD5
e38d5b69da3f9707a98448ddef2eadbf

SHA1
00ea304b3aa0a5929f86d3eb695cefacead2288e

SHA256
0e97d76234b9ff536fafb96e40e65ccef2ec04c44e4497f5852799b295ac11ff

SHA512
8a2a0c54d4a452d2c89417465ab6dd7c20ddd7f73c36fc58ef3388411bb23a68dff9be5b8e3cb87f12c82c9f55b93ce77d00daba1b67d65e03fe73c382904877

Download Submit
C:\Windows\System32\drivers\etc\s7a.vbs

Filesize
117B

MD5
9deb5959e05fd8b98d155fb74cad25c9

SHA1
83a5e12ba5f56424ca7d19f8d05443d978eaa8e9

SHA256
59c15ec66014164ecced0d54b8115223c7d84d924ea7d24f34d5c68949e7b432

SHA512
8c1e4d68e54ec6c34d29106d2d5509b74e36f40118dd3e27d655d8ffd835c4a116b2a02666a350aefcd66769ce627ac3655264538d2704122d4f2da77ec25efa

Download Submit
C:\Windows\System32\drivers\etc\svchost.exe

Filesize
65KB

MD5
3ef91300d27814a368836b7388766844

SHA1
1575b08dbc47e570801c1087d560be628e957c59

SHA256
92f1e159df314cb0f88ee47b170cbed672e121b676571f250d79ef28f0404e72

SHA512
774d00fd605847d7d1b4d2af1f724422193a95b6747c5413edc70bee090b20e5263386ab822ce746b1f1292a323c8e633e32230700310ea7d7de611426d50f00

Download Submit
\Windows\SysWOW64\fake.exe

Filesize
92KB

MD5
8d51bbda2b25ed99b2795cab359370ba

SHA1
693f6e511c6de40d16efe2e2ce891c3bb5187494

SHA256
4cf1d5ac2c911c974e597f59729524c03107f0aa27ce9003d3467d5ae1bb4713

SHA512
594ab7dcaa48eefe520e0fb48e9e661d9ff7dcfab8dfcbd28e524d87f866f9045a8276dafce39ecd11188d97898844407a316c13571f1aee22d258ce27662cf1

Download Submit
\Windows\SysWOW64\try5166.dll

Filesize
60KB

MD5
00532a7583ee423f7bbe4783bb6af302

SHA1
7d388bf20bed19e8c400e15c8ab4d973dc49239d

SHA256
7309d2426b719e81c902c2861e2c831a8e59b4634cfa8dec5ea7e4306a4f2447

SHA512
3960c9fdd2c8e7bc243c07393f35bb46dd1b763047b1aa16841b11c594aa31e52ae8013865a2dbcaa2168d4a1518fcb5c45d2b9a89a8f891b2dc1713da30907b

Download Submit
\Windows\SysWOW64\try5166.dll

Filesize
109KB

MD5
b0d74628a542b5d1adcb6ed7a81712d2

SHA1
5f2d15346555190e378ff7bbd62a780a865bc71a

SHA256
e07c3700cec7fad2940ba225975d5908d36c332a425d023bd87e92f48c668067

SHA512
c319cf5bd19eb3aa18fb9f510dd36cd79e721f789205f77405927656df883c110cac52526a1bde50ea6d1e35d7b4663c293054c10591325678794cc3918e276a

Download Submit
\Windows\SysWOW64\try5166.dll

Filesize
61KB

MD5
2b738ad1383079d8f560bfb524d296e2

SHA1
24c50cd83b215f0de2178b9a5216ee62498b1cdc

SHA256
412810e4b1a297b12674aa7cb3ea5d300eecc9e71229c833575ddf8f17c17215

SHA512
1d1af18c65eab012575fed2da5d57284460ab7ef59231894a177affe0a298c73905819ede760fc7e5e6c1444f7ca080b0e7664e431d39823f1c1964bc86308ba

Download Submit
\Windows\SysWOW64\try5166.dll

Filesize
50KB

MD5
66171caa3d0484d7cb1dbb0f97e2df54

SHA1
8c67f3c559874fe5a2ab3e598489233175bcdaaa

SHA256
7e29748aef0f637e3e0ca7e1294d34a58ce22d9a2c5a8f9c66d10c16618709c8

SHA512
00b939e3cc9ab8490825cc7cfb3367203d2935b360d668b11be1744f946a8948d25016949a3619324e6b3792b01b833b5b370b498455425dcbff87caa7a56551

Download Submit
\Windows\System32\drivers\etc\ctfmon.exe

Filesize
67KB

MD5
f0e1566d6a41d9b18c42745664fb7dd3

SHA1
97f830c9593d6ad03b12fd2703284e259c3c56be

SHA256
51e793152b391b08c31b2785d595e914b9f8d5942f61e42b379540c502686edb

SHA512
976e909642ce56f5955f8721543b1ac464ef34ea8fef072ac48d403756b65803e6f9dc95b5eb677b00bf08397b6dd51aa10159b9fe6971ebb9d0cac83801bb9e

Download Submit
memory/1612-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1612-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-23-0x0000000002260000-0x00000000022B3000-memory.dmp

Filesize
332KB

Download
memory/2008-36-0x0000000000740000-0x000000000076C000-memory.dmp

Filesize
176KB

Download
memory/2008-46-0x0000000002260000-0x00000000022B3000-memory.dmp

Filesize
332KB

Download
memory/2008-49-0x0000000000740000-0x000000000076C000-memory.dmp

Filesize
176KB

Download
memory/2580-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download