Analysis
  max time kernel:   123s
  max time network:  156s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         13-10-2022 19:41
Behavioral task behavioral1
  Sample:    Hellgate.exe
  Resource:  win7-20220812-en
Behavioral task behavioral2
  Sample:    Hellgate.exe
  Resource:  win10v2004-20220901-en
General
  Target:  Hellgate.exe
  Size:    1.0MB
  MD5:     e1cdb32a46b1bf6b3c4dffdaf1058100
  SHA1:    0405bafb45a384e6e9855f1ca37b3be965e59406
  SHA256:  96b725f4b6600d65455c4b7c67e417a8c819f06079634f9f8828093509a16054
  SHA512:  b986e2c5bda8704bd4534098e0becde31588a5d8ae9f9e052869409ad8943bebe9909b9b2d2f4a5f77a546dd23997ee80905c89c0186f7020618ea2b52769906
  SSDEEP:  6144:GSncRllCFdsiI8WZWuPf021sgkvnHn/gkvnHnldAnHnQbGYzN7+fdTd:L4mtItn021wvJvo8zF+
Malware Config
  Extracted family:                          mercurialgrabber
  Exfiltration endpoint (Discord webhook):   https://discord.com/api/webhooks/987640098617172000/PbaLpTwyRpxg4qbEnOz-zr-tqlDiGl8IEoGkhHD7lhsWbbidSSOOQHu7ONx6CmdAgK7-
Signatures

Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 30 IoCs)
  Processes: GATE.EXE (30 instances)
  description   ioc                                                            process    count
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions   GATE.EXE   30 (one per process)
Executes dropped EXE (30 IoCs)
  process   GATE.EXE (30 processes)
  pids      520, 1544, 1524, 1020, 932, 1728, 1028, 1640, 872, 2036, 1000, 1088, 1816, 316, 1608, 1684, 988, 1520, 2084, 2160, 2232, 2404, 2792, 3000, 1884, 2248, 3200, 3360, 3504, 3712
Looks for VMWare Tools registry key (2 TTPs, 30 IoCs)
  Processes: GATE.EXE (30 instances)
  description   ioc                                                     process    count
  Key opened    \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools    GATE.EXE   30 (one per process)
Checks BIOS information in registry (2 TTPs, 30 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: GATE.EXE (30 instances)
  description         ioc                                                              process    count
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   GATE.EXE   30 (one per process)
Loads dropped DLL (30 IoCs)
  process        pids
  Hellgate.exe   1008
  HELLGATE.EXE   1516, 912, 748, 888, 1884, 1724, 1964, 1704, 1644, 1288, 2028, 1372, 632, 836, 552, 1776, 2120, 2196, 2272, 2436, 2860, 3036, 2080, 2240, 3236, 3408, 3564   (27 processes)
  conhost.exe    956, 1620
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The abused service here is Discord: the extracted configuration is a discord.com webhook URL (see Malware Config), used as the exfiltration endpoint.
Looks up external IP address via web service (64 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow(s)                                                                                   ioc
  173                                                                                       ip-api.com
  33, 34, 35, 36, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 52, 53, 54, 55, 56,   ip4.seeip.org (63 flows)
  58, 61, 64, 65, 66, 67, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84,
  85, 86, 87, 88, 89, 175, 176, 177, 178, 179, 180, 181, 182, 183, 185, 186, 187, 188, 189
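The webhook under Malware Config and the ip4.seeip.org / ip-api.com lookups above are the only network indicators this report carries, and both are straightforward to hunt for in web-proxy logs. The Python below is an added example, not code from the sandbox report or from Mercurial Grabber: it matches proxy-log lines against those indicators, decodes the webhook ID to the webhook's creation time (Discord IDs are snowflakes whose upper bits hold milliseconds since 2015-01-01), and strips the token before the IoC is shared. The webhook URL and the two lookup hosts are taken from the report; the log line layout and the sample log are constructed for the example.

```python
"""Triage proxy-log lines against the network IoCs in this report.

Added example; not code from the sandbox report or from Mercurial Grabber.
The webhook URL and the two IP-lookup hosts are the report's; the log line
format, the sample log and the redacted output form are constructed here.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

DISCORD_EPOCH_MS = 1_420_070_400_000  # snowflake epoch: 2015-01-01T00:00:00Z

# https://discord.com/api/webhooks/<id>/<token>. The token is the only
# credential needed to post into the channel, so it must not leak in reports.
WEBHOOK_RE = re.compile(
    r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[\w-]+)"
)
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "ip-api.com"}  # both from the report
HOST_RE = re.compile(r"https?://([^/\s:]+)")


def decode_snowflake(snowflake: int) -> datetime:
    """Creation time of a Discord snowflake: bits 22..63 are ms since epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def redact_webhook(url: str) -> Optional[str]:
    """Keep the webhook id (enough to report it) and drop the token."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    return f"discord.com/api/webhooks/{m['id']}/<token-redacted>"


def triage_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag webhook POSTs and external-IP lookups.

    Constructed line shape: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than guess the fields
        ts, client, method, url = parts[:4]
        wh = WEBHOOK_RE.search(url)
        if wh and method.upper() == "POST":
            created = decode_snowflake(int(wh["id"]))
            findings.append({
                "time": ts, "client": client, "type": "discord-webhook-exfil",
                "ioc": redact_webhook(url) or "",
                "webhook_created": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
            continue
        host = HOST_RE.match(url)
        if host and host.group(1).lower() in IP_LOOKUP_HOSTS:
            findings.append({"time": ts, "client": client,
                             "type": "external-ip-lookup",
                             "ioc": host.group(1).lower()})
    return findings


# Constructed sample: one client doing the lookup-then-exfil sequence the
# report shows, plus ordinary Discord and web traffic that must not match.
SAMPLE_LOG = [
    "2022-10-13T19:42:07Z 10.20.0.15 GET https://ip4.seeip.org/ 200",
    "2022-10-13T19:42:08Z 10.20.0.15 GET http://ip-api.com/json/ 200",
    "2022-10-13T19:42:09Z 10.20.0.15 POST https://discord.com/api/webhooks/"
    "987640098617172000/PbaLpTwyRpxg4qbEnOz-zr-tqlDiGl8IEoGkhHD7lhsWbbidSSOOQHu7ONx6CmdAgK7- 204",
    "2022-10-13T19:42:30Z 10.20.0.22 GET https://discord.com/api/v9/users/@me 200",
    "2022-10-13T19:43:01Z 10.20.0.22 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for finding in triage_proxy_log(SAMPLE_LOG):
        print(finding)
```

The token in the URL is the only thing Discord requires to post into that channel, so circulate the redacted form and report the ID to Discord rather than pasting the full URL into tickets. Two cautions on the ID itself: as printed it ends in 000 and is larger than 2^53, the largest integer a JavaScript Number represents exactly, so if it passed through a JSON viewer its low digits may have been rounded; confirm it against the raw sample before treating it as exact. And the decoded creation time dates the webhook, not the sample.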
Maps connected drives based on registry (3 TTPs, 60 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: GATE.EXE (30 instances)
  description         ioc                                                           process    count
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   GATE.EXE   30
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     GATE.EXE   30
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic label for this signature is "likely ransomware behaviour", but for this sample it is consistent with the Disk\Enum and SCSI registry reads above, i.e. hardware fingerprinting to detect a virtual machine: none of the signatures in this report show file encryption or mass file writes.
Program crash (30 IoCs)
  Every one of the 30 GATE.EXE processes listed under "Executes dropped EXE" crashes and is handled by WerFault.exe: the set of pid_target values below is exactly that pid list.
  pid (WerFault.exe) -> pid_target (GATE.EXE)
  5428 -> 3712, 5420 -> 1816, 5460 -> 1524, 5448 -> 988, 5520 -> 872, 5512 -> 2084, 5504 -> 1000, 5496 -> 1884, 5488 -> 3200, 5480 -> 1608,
  5472 -> 2232, 5528 -> 1028, 5536 -> 932, 5552 -> 3360, 5580 -> 3504, 5616 -> 1728, 5644 -> 1544, 5748 -> 2160, 5740 -> 2404, 5732 -> 3000,
  5724 -> 1684, 5716 -> 1088, 5692 -> 316, 5684 -> 2792, 5676 -> 1020, 5668 -> 520, 5660 -> 2036, 5652 -> 1640, 5636 -> 2248, 5624 -> 1520
Checks SCSI registry key(s) (3 TTPs, 30 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Here the subkey name alone is the tell: it embeds the analysis host's disk vendor and product strings (VMware Virtual S).
  Processes: GATE.EXE (30 instances)
  description   ioc                                                                                       process    count
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S   GATE.EXE   30 (one per process)
Checks processor information in registry (2 TTPs, 60 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: GATE.EXE (30 instances)
  description         ioc                                                                                    process    count
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   GATE.EXE   30
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       GATE.EXE   30
Enumerates system info in registry (2 TTPs, 64 IoCs)
  Processes: GATE.EXE
  description         ioc                                                                  process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0      GATE.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName      GATE.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation  GATE.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer     GATE.EXE
  (64 queries in total across the GATE.EXE processes; each process reads some or all of these four values)
Processes:
GATE.EXEGATE.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 GATE.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 GATE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 GATE.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 GATE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 GATE.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb64
63609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 GATE.EXE -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hellgate.exe  "C:\Users\Admin\AppData\Local\Temp\Hellgate.exe"  (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 2)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 520 -s 1868  (depth 3)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 2)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 3)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1544 -s 1876  (depth 4)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 3)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 4)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1524 -s 1856  (depth 5)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 4)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 5)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1020 -s 1852  (depth 6)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 5)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 6)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 7)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1728 -s 1852  (depth 8)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 7)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 8)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1028 -s 1848  (depth 9)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 8)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 9)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1640 -s 1872  (depth 10)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 9)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 10)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 872 -s 1836  (depth 11)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 10)
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 11)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2036 -s 1864  (depth 12)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 11)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 12)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1000 -s 1864  (depth 13)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 12)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 13)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1088 -s 1856  (depth 14)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 13)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 14)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 15)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 316 -s 1864  (depth 16)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 15)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 16)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1608 -s 1856  (depth 17)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 16)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 17)
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 18)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 19)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 20)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 21)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 22)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 23)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 24)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2792 -s 1864  (depth 25)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 24)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 25)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 26)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 27)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 28)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 29)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 30)
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE  "C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"  (depth 31)
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 31)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 3712 -s 1852  (depth 32)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 30)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 3504 -s 1868  (depth 31)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 29)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 3360 -s 1880  (depth 30)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 28)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 3200 -s 1864  (depth 29)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 27)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2248 -s 1856  (depth 28)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 26)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1884 -s 1864  (depth 27)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 25)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 3000 -s 1852  (depth 26)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 23)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2404 -s 1860  (depth 24)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 22)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2232 -s 1852  (depth 23)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 21)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2160 -s 1856  (depth 22)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 20)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 2084 -s 1856  (depth 21)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 19)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1520 -s 1848  (depth 20)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 18)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 988 -s 1844  (depth 19)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 17)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1684 -s 1864  (depth 18)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 14)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 1816 -s 1872  (depth 15)
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE  "C:\Users\Admin\AppData\Local\Temp\GATE.EXE"  (depth 6)
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 932 -s 1856  (depth 7)
- Program crash
-
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-1788006722-511198662-265515806-544246569-7423863621813184736-2101715010111338041"  (depth 1)
- Loads dropped DLL
-
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-1682113020-1671060950-616534623527804605-506443869666465388-19814812491344188956"  (depth 1)
- Loads dropped DLL
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize 893B
MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize 252B
MD5 02a0c916f24edd87c7065ac4922b491d
SHA1 0392141b3583f901ba52d4a4487d54afd8276813
SHA256 65cdadfe55823b7bbf33b668be79a029554775f317e717b32fdd9b696ebbd084
SHA512 09749785a02672095d9110a01284588b373304a1800662dec11eb09ff63047cfb49c720e04814f6c5ce43bb5dd069468a55a7023e32818f76ca943b728c77904
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXE (this entry is listed 31 times in the report, every time with identical hashes)
Filesize 107KB
MD5 1fdbfec3f56386b3f45e3676724818ba
SHA1 d295930d5d25c5b8e1968f92016d3aae771303b7
SHA256 67dbd4013e250850e4f6a564c601d7ed342f51220378238902b2dcc09bb9b483
SHA512 8ba022689896b209be7731e4cc8823e84ee3e4b04d795dd3f2c5a5292a24ca2e56aa78c78cac6ec6e78ca3770dcb891976bf808e752e8cf40803f44a0aa2b114
-
\Users\Admin\AppData\Local\Temp\GATE.EXE (same file as above, path recorded without the drive letter; listed 30 times with identical hashes)
Filesize 107KB
MD5 1fdbfec3f56386b3f45e3676724818ba
SHA1 d295930d5d25c5b8e1968f92016d3aae771303b7
SHA256 67dbd4013e250850e4f6a564c601d7ed342f51220378238902b2dcc09bb9b483
SHA512 8ba022689896b209be7731e4cc8823e84ee3e4b04d795dd3f2c5a5292a24ca2e56aa78c78cac6ec6e78ca3770dcb891976bf808e752e8cf40803f44a0aa2b114
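The dropped-file entries above come out of extraction flattened: the Filesize label is glued onto the end of the path, each hash line is the algorithm name fused to its digest, and the same GATE.EXE record is repeated once per drop. As an added example that is not part of the Triage report, the Python below parses that layout, checks that every digest has the length its algorithm requires (a cheap way to catch a truncated or garbled hash before it lands in a blocklist), collapses repeats by SHA-256 while refusing to merge records whose other hashes disagree, and emits a YARA hash rule for the unique files. The sample input is three records copied from this section; the rule name and the parse/validate/dedupe helpers are this example's own, not anything the sandbox provides.

```python
import re
from collections import OrderedDict

# Constructed sample input: three records copied verbatim from the dropped-files
# section above (the GATE.EXE record appears dozens of times in the report; it is
# repeated once here, under both path spellings, to exercise de-duplication).
SAMPLE_REPORT = r"""
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15AFilesize
893B
MD5d4ae187b4574036c2d76b6df8a8c1a30
SHA1b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA5121f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c
-
C:\Users\Admin\AppData\Local\Temp\GATE.EXEFilesize
107KB
MD51fdbfec3f56386b3f45e3676724818ba
SHA1d295930d5d25c5b8e1968f92016d3aae771303b7
SHA25667dbd4013e250850e4f6a564c601d7ed342f51220378238902b2dcc09bb9b483
SHA5128ba022689896b209be7731e4cc8823e84ee3e4b04d795dd3f2c5a5292a24ca2e56aa78c78cac6ec6e78ca3770dcb891976bf808e752e8cf40803f44a0aa2b114
-
\Users\Admin\AppData\Local\Temp\GATE.EXEFilesize
107KB
MD51fdbfec3f56386b3f45e3676724818ba
SHA1d295930d5d25c5b8e1968f92016d3aae771303b7
SHA25667dbd4013e250850e4f6a564c601d7ed342f51220378238902b2dcc09bb9b483
SHA5128ba022689896b209be7731e4cc8823e84ee3e4b04d795dd3f2c5a5292a24ca2e56aa78c78cac6ec6e78ca3770dcb891976bf808e752e8cf40803f44a0aa2b114
"""

# Each hash line is the algorithm name fused to the hex digest, e.g. "MD5d4ae...".
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

def parse_dropped_files(text):
    """Turn 'pathFilesize / size / MD5.. / SHA1.. / SHA256.. / SHA512..' runs into dicts."""
    records, current, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue                       # blank lines and entry separators
        if line.endswith("Filesize"):      # the path has the label glued to its end
            current = {"path": line[: -len("Filesize")], "size": None}
            records.append(current)
            expect_size = True
            continue
        if current is None:
            continue                       # text before the first record
        if expect_size:
            current["size"] = line
            expect_size = False
            continue
        m = HASH_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).lower()
    return records

def validate(record):
    """Return a list of problems; an empty list means every digest has the right length."""
    problems = []
    if not re.fullmatch(r"\d+(B|KB|MB)", record.get("size") or ""):
        problems.append("unparseable size: %r" % (record.get("size"),))
    for algo, length in HASH_LEN.items():
        value = record.get(algo)
        if value is None:
            problems.append("missing " + algo)
        elif len(value) != length:
            problems.append("%s has %d hex digits, expected %d" % (algo, len(value), length))
    return problems

def dedupe_by_sha256(records):
    """Collapse repeated drops of the same file; refuse to merge conflicting records."""
    unique = OrderedDict()
    for rec in records:
        key = rec.get("sha256")
        if key is None:
            continue
        entry = unique.setdefault(key, {"size": rec.get("size"), "md5": rec.get("md5"),
                                        "sha1": rec.get("sha1"), "sha512": rec.get("sha512"),
                                        "paths": [], "count": 0})
        for field in ("size", "md5", "sha1", "sha512"):
            if entry[field] != rec.get(field):   # same SHA-256, different data: garbled input
                raise ValueError("conflicting %s for sha256 %s" % (field, key))
        entry["count"] += 1
        if rec["path"] not in entry["paths"]:
            entry["paths"].append(rec["path"])
    return unique

def to_yara(unique, rule_name):
    """Emit a YARA rule (needs YARA's 'hash' module) matching any de-duplicated file."""
    lines = ['import "hash"', "", "rule %s {" % rule_name, "    meta:"]
    for sha, entry in unique.items():
        path = entry["paths"][0].replace("\\", "\\\\")   # YARA strings use C-style escapes
        lines.append('        file_%s = "%s (%s, dropped %d times)"'
                     % (sha[:8], path, entry["size"], entry["count"]))
    conds = ['hash.sha256(0, filesize) == "%s"' % sha for sha in unique]
    lines += ["    condition:", "        " + " or\n        ".join(conds), "}"]
    return "\n".join(lines)
```

Typical use is `to_yara(dedupe_by_sha256(parse_dropped_files(report_text)), "hellgate_dropped_files")` after running `validate` over each parsed record and discarding anything that reports a problem; the length check matters because a digest that lost a character in extraction will never match anything and silently weakens the blocklist.
-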
memory/316-122-0x0000000000000000-mapping.dmp
-
memory/520-56-0x0000000000000000-mapping.dmp
-
memory/552-140-0x0000000000000000-mapping.dmp
-
memory/632-124-0x0000000000000000-mapping.dmp
-
memory/748-69-0x0000000000000000-mapping.dmp
-
memory/836-130-0x0000000000000000-mapping.dmp
-
memory/872-97-0x0000000000000000-mapping.dmp
-
memory/888-74-0x0000000000000000-mapping.dmp
-
memory/912-64-0x0000000000000000-mapping.dmp
-
memory/932-77-0x0000000000000000-mapping.dmp
-
memory/956-99-0x0000000000000000-mapping.dmp
-
memory/988-138-0x0000000000000000-mapping.dmp
-
memory/1000-107-0x0000000000000000-mapping.dmp
-
memory/1008-54-0x0000000076261000-0x0000000076263000-memory.dmp
Filesize 8KB
-
memory/1020-72-0x0000000000000000-mapping.dmp
-
memory/1028-87-0x0000000000000000-mapping.dmp
-
memory/1088-112-0x0000000000000000-mapping.dmp
-
memory/1288-109-0x0000000000000000-mapping.dmp
-
memory/1372-119-0x0000000000000000-mapping.dmp
-
memory/1516-58-0x0000000000000000-mapping.dmp
-
memory/1520-143-0x0000000000000000-mapping.dmp
-
memory/1524-67-0x0000000000000000-mapping.dmp
-
memory/1544-62-0x0000000000000000-mapping.dmp
-
memory/1608-128-0x0000000000000000-mapping.dmp
-
memory/1620-135-0x0000000000000000-mapping.dmp
-
memory/1640-92-0x0000000000000000-mapping.dmp
-
memory/1640-126-0x00000000001C0000-0x00000000001E0000-memory.dmp
Filesize 128KB
-
memory/1644-104-0x0000000000000000-mapping.dmp
-
memory/1684-133-0x0000000000000000-mapping.dmp
-
memory/1704-94-0x0000000000000000-mapping.dmp
-
memory/1724-84-0x0000000000000000-mapping.dmp
-
memory/1728-82-0x0000000000000000-mapping.dmp
-
memory/1776-145-0x0000000000000000-mapping.dmp
-
memory/1816-117-0x0000000000000000-mapping.dmp
-
memory/1884-178-0x0000000000000000-mapping.dmp
-
memory/1884-79-0x0000000000000000-mapping.dmp
-
memory/1964-89-0x0000000000000000-mapping.dmp
-
memory/2028-114-0x0000000000000000-mapping.dmp
-
memory/2036-102-0x0000000000000000-mapping.dmp
-
memory/2080-180-0x0000000000000000-mapping.dmp
-
memory/2084-148-0x0000000000000000-mapping.dmp
-
memory/2120-150-0x0000000000000000-mapping.dmp
-
memory/2160-153-0x0000000000000000-mapping.dmp
-
memory/2196-155-0x0000000000000000-mapping.dmp
-
memory/2232-158-0x0000000000000000-mapping.dmp
-
memory/2240-185-0x0000000000000000-mapping.dmp
-
memory/2248-183-0x0000000000000000-mapping.dmp
-
memory/2272-160-0x0000000000000000-mapping.dmp
-
memory/2404-163-0x0000000000000000-mapping.dmp
-
memory/2436-165-0x0000000000000000-mapping.dmp
-
memory/2792-168-0x0000000000000000-mapping.dmp
-
memory/2860-170-0x0000000000000000-mapping.dmp
-
memory/3000-173-0x0000000000000000-mapping.dmp
-
memory/3036-175-0x0000000000000000-mapping.dmp
-
memory/3200-188-0x0000000000000000-mapping.dmp
-
memory/3236-190-0x0000000000000000-mapping.dmp
-
memory/3360-193-0x0000000000000000-mapping.dmp
-
memory/3408-195-0x0000000000000000-mapping.dmp
-
memory/3504-198-0x0000000000000000-mapping.dmp
-
memory/3564-200-0x0000000000000000-mapping.dmp
-
memory/3712-203-0x0000000000000000-mapping.dmp
-
memory/3748-205-0x0000000000000000-mapping.dmp
-
memory/5420-210-0x0000000000000000-mapping.dmp
-
memory/5428-211-0x0000000000000000-mapping.dmp
-
memory/5448-212-0x0000000000000000-mapping.dmp
-
memory/5460-213-0x0000000000000000-mapping.dmp