cybergate | 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926

Analysis

max time kernel
152s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Size

308KB
MD5

d255a9cc1c1fa4a08e322543673bcb7e
SHA1

b3ea990c7f730eb61ff4ed87748b150e34dbc76c
SHA256

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926
SHA512

a84b58693e1d5fe4e9d734b058c965a0bd1b0e64894c7dc301929eff31001fd39d31e0ee8d39e31122cf4e6b45def9ea38c5a1535c691fc6a53ceec86fcf1bd7
SSDEEP

6144:ikIZp16d70R3eArX76KRoGOAGw1nYCAtIRJNTu+SnumvMS1leV6EITBsllw:ikLdgR3e2GKKGOsUI0+VS10VCal

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victima

mayi100.zapto.org:82

Mutex

3RPDD4J3LU7HW3

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
SyStem32
install_file
winzip.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
error framework '.net framework 4.0 client profile' not installed
message_box_title
Autoclick faller
password
smail
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Executes dropped EXE 4 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exewinzip.exewinzip.exe

pid	process
748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
904	winzip.exe
1752	winzip.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}\StubPath = "C:\\Windows\\system32\\SyStem32\\winzip.exe Restart"	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}\StubPath = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/748-66-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-68-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-69-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-73-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-76-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-77-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-78-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/748-81-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/748-90-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1812-95-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1812-96-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/748-100-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/748-107-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1440-112-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1440-114-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/748-118-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1812-123-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1440-124-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid	process
1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Drops file in System32 directory 4 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SyStem32\	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
File created	C:\Windows\SysWOW64\SyStem32\winzip.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
File opened for modification	C:\Windows\SysWOW64\SyStem32\winzip.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
File opened for modification	C:\Windows\SysWOW64\SyStem32\winzip.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	pid	process	target process
PID 1952 set thread context of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid process

748 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid process

1440 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid	process
1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exeexplorer.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	pid	process
Token: SeDebugPrivilege	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Token: SeBackupPrivilege	1812	explorer.exe
Token: SeRestorePrivilege	1812	explorer.exe
Token: SeBackupPrivilege	1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Token: SeRestorePrivilege	1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Token: SeDebugPrivilege	1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Token: SeDebugPrivilege	1440	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid process

748 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.execsc.exe2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	pid	process	target process
PID 1952 wrote to memory of 1940	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1952 wrote to memory of 1940	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1952 wrote to memory of 1940	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1952 wrote to memory of 1940	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1940 wrote to memory of 1420	1940	csc.exe	cvtres.exe
PID 1940 wrote to memory of 1420	1940	csc.exe	cvtres.exe
PID 1940 wrote to memory of 1420	1940	csc.exe	cvtres.exe
PID 1940 wrote to memory of 1420	1940	csc.exe	cvtres.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1952 wrote to memory of 748	1952	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE
PID 748 wrote to memory of 1272	748	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
"C:\Users\Admin\AppData\Local\Temp\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tcfmk8tw.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2F2.tmp"
4⤵
PID:1420

C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:652

C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
"C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\SyStem32\winzip.exe
"C:\Windows\system32\SyStem32\winzip.exe"
5⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\SyStem32\winzip.exe
"C:\Windows\system32\SyStem32\winzip.exe"
4⤵
- Executes dropped EXE
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
225KB

MD5
8ea1994dd8b598e65cc052118859d5f5

SHA1
b335111c6e8e7700d8422b6a50c78364bea760ba

SHA256
8a80ee972e96e1f94f92e7b5b53309ac6b1ec1dcbdfaf875170cbaa1ea5dacc1

SHA512
c37b331033140ad42efe5d65fa6ca661aa96dd7225ddb9c232fa427e1cc2b904aba7431e84f55f9298bb1a5ec6a2a9c82f675171420ff404e59c82f047b15906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC38F.tmp
Filesize
1KB

MD5
3b4f0b2808c15ce250e8471f5d9e7a0a

SHA1
9da524db8b83e6bd15b4578daf2a0c6bf9a371ab

SHA256
8c04d23a3821820acccfaaed2ac730ba2f22d6f62e80c0e494ed9fa14fa29372

SHA512
00c18347433fa7986b7b4c7f2b718f8ed459390501e132bacf718880774acd44413382c823dab5b88262ad9d9195a0b3a025cce5e6ad90c2d826688b4f9224bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcfmk8tw.dll
Filesize
5KB

MD5
a81d36a5f738df4a152aa8614af89996

SHA1
dddb5701ad2f06110fe9e98a3a838c39fa165c84

SHA256
10ca9182fe4355bf94141e7081cbf2e8facfd6fb8e487897ad1e25012b5c0938

SHA512
2e96660ae0a128166f71529e8243f2e621b07f1d416b4ce6747f924dca4a87647b7dc846295ac8426636f7480666edaa411a93cc18633ea9af6e848808cb26d1

Download Submit
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC2F2.tmp
Filesize
652B

MD5
6b3d5765e340ceebb2f94ae0c2f39c11

SHA1
e0dd45422d3861cc05bab404e05a30d965386067

SHA256
19665c0a9c0ef483c5c700d47d5ff6ec95512935d62369ff2938c8fc809b8168

SHA512
3edb74b6dcb93b3349c38db8bde5f5c5cbb307f6160308d5035d5e94790879cf921ded50440033469d9ec505446e01a38096c55dd87e3ef496f014852d81a27b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tcfmk8tw.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tcfmk8tw.cmdline
Filesize
206B

MD5
6ffdefcf5b8ffb7b2f5d9d5c67a82c81

SHA1
e8f4d3a672fc9966dd80272b9d3902c352eeb30d

SHA256
e4c6aa3c5295ff61ffa1365529f4b7888374d42c7bf47800b7c62fb008c09986

SHA512
b397fd4b79a4b91d45d702a0c1a4cc54a50f3e7e88acb6d4e0479508158ac34e5d4189584b0676261661b23e890deaa0b67ff5eb99e308ea3f2c28136514faed

Download Submit
\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/748-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-69-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-77-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-78-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-118-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-81-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/748-73-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-100-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/748-70-0x0000000000455140-mapping.dmp

Download
memory/748-90-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/748-76-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-107-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/748-68-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/748-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/904-116-0x0000000000000000-mapping.dmp

Download
memory/1272-84-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1420-59-0x0000000000000000-mapping.dmp

Download
memory/1440-124-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1440-112-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1440-104-0x0000000000000000-mapping.dmp

Download
memory/1440-114-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1752-121-0x0000000000000000-mapping.dmp

Download
memory/1812-95-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1812-87-0x0000000000000000-mapping.dmp

Download
memory/1812-89-0x00000000746D1000-0x00000000746D3000-memory.dmp

Filesize
8KB

Download
memory/1812-123-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1812-96-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1940-56-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1952-74-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download