gh0strat | 38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 14:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
Size

3.5MB
MD5

9faace482045ab5df714a1e42ccca112
SHA1

85156d4347decd70b060f7f90aea67fc7ca7bde8
SHA256

38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33
SHA512

874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083
SSDEEP

49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn

Score

10^/10

gh0strat parallax persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015b12-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 25 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2144-86-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-92-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-98-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-120-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-121-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-122-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-124-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-125-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-126-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-127-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-128-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-130-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-131-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-132-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-133-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-134-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-135-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-129-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-123-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-118-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-90-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-88-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2476-170-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2144-180-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2476-183-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259395779.bat"	look2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe

Executes dropped EXE 6 IoCs

pid	Process
1700	look2.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2584	Synaptics.exe
2948	._cache_Synaptics.exe
1640	svchcst.exe

Loads dropped DLL 15 IoCs

pid	Process
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
1700	look2.exe
2120	svchost.exe
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2584	Synaptics.exe
2584	Synaptics.exe
2584	Synaptics.exe
2120	svchost.exe
1640	svchcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259395779.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe
2948	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
540	EXCEL.EXE

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1700	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	28
PID 3032 wrote to memory of 1700	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	28
PID 3032 wrote to memory of 1700	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	28
PID 3032 wrote to memory of 1700	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	28
PID 3032 wrote to memory of 2376	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	31
PID 3032 wrote to memory of 2376	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	31
PID 3032 wrote to memory of 2376	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	31
PID 3032 wrote to memory of 2376	3032	38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	31
PID 2376 wrote to memory of 2700	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	38
PID 2376 wrote to memory of 2700	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	38
PID 2376 wrote to memory of 2700	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	38
PID 2376 wrote to memory of 2700	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	38
PID 2376 wrote to memory of 2584	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	37
PID 2376 wrote to memory of 2584	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	37
PID 2376 wrote to memory of 2584	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	37
PID 2376 wrote to memory of 2584	2376	HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	37
PID 2584 wrote to memory of 2948	2584	Synaptics.exe	35
PID 2584 wrote to memory of 2948	2584	Synaptics.exe	35
PID 2584 wrote to memory of 2948	2584	Synaptics.exe	35
PID 2584 wrote to memory of 2948	2584	Synaptics.exe	35
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2700 wrote to memory of 2144	2700	._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe	32
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2948 wrote to memory of 2476	2948	._cache_Synaptics.exe	34
PID 2120 wrote to memory of 1640	2120	svchost.exe	39
PID 2120 wrote to memory of 1640	2120	svchost.exe	39
PID 2120 wrote to memory of 1640	2120	svchost.exe	39
PID 2120 wrote to memory of 1640	2120	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
"C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
  C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259395779.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1640

C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
1⤵
PID:2144

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:540

C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
92KB

MD5
4174755650da6cf0921ef9218c11ebd7

SHA1
5de91f032c5357f0c570469fc64b015970da72c8

SHA256
97a3fd03eb743e47dd688c452749aacbd9606c058bcd9f5d61d93a29d5a9acd3

SHA512
1af854d7d2064476f8b4a5de02404e3b99bab6fa421ededbd2fe11fc59c5003ef091c0d7fdee1b6a382f304311bab55a614bab5eb576d14245180cf6856d1361

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
678KB

MD5
47c9fafe7a473c8b7289d1b40e1a5403

SHA1
751cd578b10180ef4e7bf34d1d68ebaf5e80a1c7

SHA256
bf54ddc771f78c0b114f58a3cffc2fbaa86629964631451854cddd238582c751

SHA512
bf5a1ea8b765cc684766ab1b5acd8f11b8818e043b4e5dff34ee798d4c1eba68b3d521c8b0b0423f8078d328a785ccba1db8b516cf4c8e82ba28a598959260b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
98KB

MD5
a341fd72bcbfb8193299710ab892f7fc

SHA1
8f17a5e05e03fdccef627d7087ce54e006903a95

SHA256
ca63f23295b0ea785a406fe4c2cba200823b860e9fa35e518bef0e82440b9679

SHA512
144f644a746230e62f9d79f416e683fbf5306ceb9728aaea85d19c025d857a893078b7fb0a9766517168a3e21532296776954dc43ca950d4849404716fcf78b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
1.1MB

MD5
e96cf578d5afe615b8d90b59aafd2631

SHA1
4b1367561ce5602d92572c9099e73ed344ce6076

SHA256
a06d95ee00fac4716600db5be785fe7f2059b14e9d00e571c78ea9f64c1b1be4

SHA512
18941c1d8f2890f0171baeaf57300e4910888696fb27a3097c4d5ff1fe974d4c7e323a7026dc000359eec9f1b5841ff52f274dea05f56e551384402802054be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
92KB

MD5
07b1ce545b7c5d9114717d643a6fae6e

SHA1
4c47d982fa87478754c1ea6733c5a1b62cd6d698

SHA256
e88dd28d7731349f4ef74f5413bd7ec0990f3b48aefcd56b70368d53eadbc3a4

SHA512
3ff2e738bf3c5348f4d6f4d29628e65f57b44926fbe68de82a88118b0b3b7d209dcb817f1f52c7c3e6764f334a63bd489c1d615a6f09f784a8a4b53bbfec2839

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
894KB

MD5
1f0f44135d50afb231c2c5ed5938f659

SHA1
79f6f29f8d31f8cf647e6c8b8b0803f75d95fd80

SHA256
987391c9ee6b7ace09697308212cc331b3ba419d86ea91c8cecdab0496a91b1f

SHA512
320e864495be9e550990dc21e3ea7c7d50e94a96ea3cdf5a512561d6b61dfbb3ee22f607d23ec3f8ea5ad433eb3f692a8e20b74681f22d7275ce5f67c048ec01

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
381KB

MD5
172ad4330f354a946837c90d0a4e56b2

SHA1
d79f808f72e9403aea8880e95ecbbee5ad555cd7

SHA256
296789f4ee01c92f8e4a6547d190385f699faa518ebd949a09b3eb215ad90810

SHA512
312b7a163bbe8322bb98a88ecea40fa784863c491b79deb6a4da494af6ee1056d809e3f367736b756498cc597e8c6017776c327f00f10fa7dc1a51843ff7445d

Download Submit
\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

Filesize
1024KB

MD5
6ca8163f84901d6f0ac29572891a7d3f

SHA1
417a658e7e831341e5b5edd9f3670bd6107efc86

SHA256
e77944626926d4f79871c5ff08153f3c74e2c953ec1fb9ac4cf09c0ee9ee6c17

SHA512
67b4029de78879ee1d309b026f71ec1c3b297e2d6550b3681685edd4c4a062aa9983ca5a6490b056c5b5b10d04f4d961e9cb188f7a97c361c22f8554649ab492

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
\Windows\SysWOW64\259395779.bat

Filesize
51KB

MD5
77ee8b76fe6eef8886d07761a5bd5684

SHA1
730a38753eb9e63d7744638d91888f034908e8cb

SHA256
3e3eef887a53eade7e5c10d4487c3588f4befcfec41ef1d59748469d3de2884b

SHA512
743b8f1c746b2877053aff00996b1f6ccb336e7c4cc1cfc627ba901af02e5c5f0d897d0a9e51a1529bc0d5fd026cb3f04c9ed9f116b04a85996ac433622c2e00

Download Submit
memory/540-181-0x0000000071DED000-0x0000000071DF8000-memory.dmp

Filesize
44KB

Download
memory/540-137-0x0000000071DED000-0x0000000071DF8000-memory.dmp

Filesize
44KB

Download
memory/540-136-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2144-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-120-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-121-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-127-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-128-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-131-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-106-0x0000000076F8F000-0x0000000076F90000-memory.dmp

Filesize
4KB

Download
memory/2144-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-98-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-116-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2144-105-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2144-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-90-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-88-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2144-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2376-66-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/2376-22-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-170-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2476-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2476-171-0x0000000000418000-0x000000000042A000-memory.dmp

Filesize
72KB

Download
memory/2584-179-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/2584-67-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2584-178-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2584-213-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/2700-56-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/2700-119-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/2700-60-0x0000000076F8F000-0x0000000076F90000-memory.dmp

Filesize
4KB

Download
memory/2948-80-0x0000000000150000-0x00000000001D0000-memory.dmp

Filesize
512KB

Download
memory/2948-169-0x0000000000150000-0x00000000001D0000-memory.dmp

Filesize
512KB

Download