cybergate | ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
Size

763KB
MD5

83130f02fd8838f5ce5cfce99224f189
SHA1

c6a646e023e545a3ffc10e4b8c074607418343d7
SHA256

ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea
SHA512

4f91508f16acc625a9c02095790483407989726bcc95b14d8393a1ab451335c00e177d8934b2a9cb3137ffc848e600f98ab30dab1234d4374fca0e95cb8f8975
SSDEEP

12288:4kz0FKDXSKz+E5IQqEN3uSFnQBbC2WBHfXe0EkoCEc5f5XDF9:rz0MlzrSQ/3uinQl3WBHfX1oLaF9

Score

10^/10

cybergate cyber remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

ephercyber.no-ip.biz:100

Mutex

IP8GB2A7S2E5NR

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

itsarat.zapto.org:999

Mutex

5N7YEV262Y07QQ

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
sdffsd
message_box_title
fdssdf
password
password
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	svchost.exe
2972	Svchost.exe

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1BX7W47-XK3E-7GJV-PV4U-KT0AP24SQ6UE}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1BX7W47-XK3E-7GJV-PV4U-KT0AP24SQ6UE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1BX7W47-XK3E-7GJV-PV4U-KT0AP24SQ6UE}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}\StubPath = "C:\\Windows\\system32\\Windir\\Svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe Restart"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1BX7W47-XK3E-7GJV-PV4U-KT0AP24SQ6UE}\StubPath = "C:\\Windows\\system32\\system32\\svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{NKWG57NH-75DH-XG1Q-B4N4-X3L0GSHB0012}	vbc.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1580-202-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1800-201-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1324-239-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1780-240-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1996-241-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/1800-244-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1580-245-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1324-256-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1996-257-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/2640-274-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/2640-281-0x0000000024070000-0x00000000240CF000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
2640	vbc.exe
2896	svchost.exe
2896	svchost.exe
1580	explorer.exe
2972	Svchost.exe
2972	Svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\fsoliYHEKt.exe"	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File created	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File created	C:\Windows\SysWOW64\system32\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\system32\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\system32\svchost.exe	vbc.exe
File created	C:\Windows\SysWOW64\system32\svchost.exe	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 set thread context of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1748 set thread context of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 set thread context of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1988	vbc.exe
1244	vbc.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1580	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
Token: SeDebugPrivilege	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
Token: SeBackupPrivilege	1580	explorer.exe
Token: SeRestorePrivilege	1580	explorer.exe
Token: SeBackupPrivilege	1800	explorer.exe
Token: SeRestorePrivilege	1800	explorer.exe
Token: SeBackupPrivilege	1324	vbc.exe
Token: SeRestorePrivilege	1324	vbc.exe
Token: SeDebugPrivilege	1580	explorer.exe
Token: SeDebugPrivilege	1580	explorer.exe
Token: SeDebugPrivilege	2640	vbc.exe
Token: SeDebugPrivilege	2640	vbc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1988	vbc.exe
1244	vbc.exe
1580	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1580	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1244	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	28
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 1748	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	29
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1884 wrote to memory of 2044	1884	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	30
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 1988	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	31
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32
PID 1748 wrote to memory of 340	1748	ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
  "C:\Users\Admin\AppData\Local\Temp\ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1244
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe
    "C:\Users\Admin\AppData\Local\Temp\ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1988
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1580
      - C:\Users\Admin\AppData\Roaming\Windir\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windir\Svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2972
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      PID:340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
      - C:\Users\Admin\AppData\Roaming\system32\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:2044
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
57e5aa8e93425194f5ba85856cb9f9e5

SHA1
048139a651caceb76e9f3a42ac73dd552743bd41

SHA256
a5dcb7a96a9a9e9798dbfca51afb5505e0accba5ef1ac398da1b7b3dfc3fc201

SHA512
f394f720b5feb1c116300ebb48957867c3d90904e2ed9fbed9519f242f16289dd3dcf6fd2843e261b5da9e3b4bb8f1d9dd705fd218b30af43e18ffac7f628821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
57e5aa8e93425194f5ba85856cb9f9e5

SHA1
048139a651caceb76e9f3a42ac73dd552743bd41

SHA256
a5dcb7a96a9a9e9798dbfca51afb5505e0accba5ef1ac398da1b7b3dfc3fc201

SHA512
f394f720b5feb1c116300ebb48957867c3d90904e2ed9fbed9519f242f16289dd3dcf6fd2843e261b5da9e3b4bb8f1d9dd705fd218b30af43e18ffac7f628821

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
1d6538910341ada8641c23caae02cdcf

SHA1
9cd4240a585efe97ae13b2389798b5a2f7f82650

SHA256
1a43aec6f5f6d5c2923385e43963184341ea195def1d594e4a4031dd9cf2c877

SHA512
1c8c6918d82aeba584b6cbc1ab08086df60857da16e1492308c447ed0a9955e680a53c3f561f4ec426cd933bf1577d851485f1079307d9aefd2b14cde1ed64a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
1d6538910341ada8641c23caae02cdcf

SHA1
9cd4240a585efe97ae13b2389798b5a2f7f82650

SHA256
1a43aec6f5f6d5c2923385e43963184341ea195def1d594e4a4031dd9cf2c877

SHA512
1c8c6918d82aeba584b6cbc1ab08086df60857da16e1492308c447ed0a9955e680a53c3f561f4ec426cd933bf1577d851485f1079307d9aefd2b14cde1ed64a6

Download Submit
C:\Users\Admin\AppData\Roaming\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\fsoliYHEKt.exe

Filesize
763KB

MD5
83130f02fd8838f5ce5cfce99224f189

SHA1
c6a646e023e545a3ffc10e4b8c074607418343d7

SHA256
ed6398e53818d2ea061d755216099a8868b1ca975d8ef29a7920b231c7badbea

SHA512
4f91508f16acc625a9c02095790483407989726bcc95b14d8393a1ab451335c00e177d8934b2a9cb3137ffc848e600f98ab30dab1234d4374fca0e95cb8f8975

Download Submit
C:\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\Windir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/340-70-0x000000000040BCA4-mapping.dmp

Download
memory/340-273-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/340-158-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/340-242-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1244-58-0x000000000040E1A8-mapping.dmp

Download
memory/1244-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1244-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1244-157-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1244-233-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1324-214-0x0000000000000000-mapping.dmp

Download
memory/1324-256-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1324-239-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1580-202-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1580-176-0x0000000000000000-mapping.dmp

Download
memory/1580-245-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1748-238-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-68-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-57-0x0000000000000000-mapping.dmp

Download
memory/1780-209-0x0000000000000000-mapping.dmp

Download
memory/1780-240-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1800-177-0x0000000000000000-mapping.dmp

Download
memory/1800-244-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1800-201-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1884-55-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-217-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1988-156-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-66-0x000000000040E1A8-mapping.dmp

Download
memory/1988-236-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-113-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-97-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-121-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-89-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-105-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1996-241-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1996-257-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1996-187-0x0000000000000000-mapping.dmp

Download
memory/2044-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-110-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-102-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-243-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-159-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2044-62-0x000000000040BCA4-mapping.dmp

Download
memory/2044-94-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-274-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2640-255-0x0000000000000000-mapping.dmp

Download
memory/2640-281-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2896-268-0x0000000000000000-mapping.dmp

Download
memory/2972-276-0x0000000000000000-mapping.dmp

Download