cybergate | 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
Size

4.5MB
MD5

69198511f4cc27c6670f61757caa32e5
SHA1

8a8ad67be1c8e70a3674cff39ae9883e1cf8c6aa
SHA256

97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
SHA512

353a91d6500da1221c3693d35ed35b919e8486ba96e09c87c121680ffba83f6aaea61ac2e13c4bf32faec68b433e54bb56a78d16977b93e2425c9bdea78f8947
SSDEEP

98304:ZdnVheNMO1AiE8fHmdgZYEMyHC/FZnwoP5zfgA8Zw4X++bPC:/Hg1o8fGdgeHnLKZZwYba

Score

10^/10

cybergate darkcomet modiloader bot persistence rat stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

Bot

chotilnw.no-ip.biz:81

Mutex

JMBJ1877RR46DI

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1100801319215a
regkey_hkcu
Windows Update
regkey_hklm
Windows Update

Extracted

Family

darkcomet

Botnet

Bot

chotilnw.no-ip.biz:83

Mutex

DC_MUTEX-YVG7SYP

Attributes

InstallPath
Microsoft\Microsoft\svchost.exe
gencode
hqGgcnPMuE8E
install
true
offline_keylogger
true
password
1100801319215a
persistence
true
reg_key
Windows Update

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4811.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"	4811.exe

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1068\1068.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\1068\1068.exe	modiloader_stage2
C:\Users\Admin\AppData\Roaming\svchost.exe	modiloader_stage2
C:\Users\Admin\AppData\Roaming\svchost.exe	modiloader_stage2

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6023.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	6023.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	6023.exe

Executes dropped EXE 14 IoCs

Processes:

6572.exeBOT CG.EXEBOT DC.EXEBOT IPK.EXEBOT MD.EXEPERX UPDATED.EXE1068.exesvchost.exe1711.exe4811.exe6023.exesvchost.exesvchost.exesvchost.exe

pid	process
4592	6572.exe
1480	BOT CG.EXE
2892	BOT DC.EXE
220	BOT IPK.EXE
4840	BOT MD.EXE
2068	PERX UPDATED.EXE
3400	1068.exe
2764	svchost.exe
3040	1711.exe
1952	4811.exe
3480	6023.exe
4760	svchost.exe
4916	svchost.exe
4928	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe6023.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}\StubPath = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}	6023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}\StubPath = "C:\\Windows\\system32\\Microsoft\\svchost.exe Restart"	6023.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6572\6572.exe	upx
C:\Users\Admin\AppData\Local\Temp\6572\6572.exe	upx
behavioral2/memory/4592-135-0x0000000000A50000-0x0000000000F4E000-memory.dmp	upx
behavioral2/memory/4592-151-0x0000000000A50000-0x0000000000F4E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\4811\4811.exe	upx
C:\Users\Admin\AppData\Local\Temp\4811\4811.exe	upx
behavioral2/memory/1952-168-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3480-174-0x0000000010410000-0x0000000010480000-memory.dmp	upx
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe	upx
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe	upx
behavioral2/memory/3480-186-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/460-189-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/4760-190-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/460-191-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/1952-192-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3480-196-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/3480-201-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/2928-204-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/2928-205-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/4760-210-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/460-211-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/2928-212-0x0000000010560000-0x00000000105D0000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1068.exeBOT DC.EXE4811.exeBOT CG.EXE97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe6572.exeBOT IPK.EXEBOT MD.EXE1711.exe6023.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1068.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BOT DC.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	4811.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BOT CG.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BOT IPK.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BOT MD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1711.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6023.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6023.exesvchost.exesvchost.exe4811.exeexplorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	6023.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"	4811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	6023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	6023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4592-135-0x0000000000A50000-0x0000000000F4E000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE	autoit_exe
behavioral2/memory/4592-151-0x0000000000A50000-0x0000000000F4E000-memory.dmp	autoit_exe

Drops file in System32 directory 8 IoCs

Processes:

4811.exe6023.exeexplorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe	4811.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe	4811.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Microsoft\	4811.exe
File created	C:\Windows\SysWOW64\Microsoft\svchost.exe	6023.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\svchost.exe	6023.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\	6023.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\svchost.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

6023.exe1711.exe4811.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1711.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4811.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6023.exesvchost.exe

pid process

3480 6023.exe
3480 6023.exe
4928 svchost.exe
4928 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4760 svchost.exe

pid	process
3480	6023.exe
3480	6023.exe
4928	svchost.exe
4928	svchost.exe

pid	process
4760	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

4811.exesvchost.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1952	4811.exe
Token: SeSecurityPrivilege	1952	4811.exe
Token: SeTakeOwnershipPrivilege	1952	4811.exe
Token: SeLoadDriverPrivilege	1952	4811.exe
Token: SeSystemProfilePrivilege	1952	4811.exe
Token: SeSystemtimePrivilege	1952	4811.exe
Token: SeProfSingleProcessPrivilege	1952	4811.exe
Token: SeIncBasePriorityPrivilege	1952	4811.exe
Token: SeCreatePagefilePrivilege	1952	4811.exe
Token: SeBackupPrivilege	1952	4811.exe
Token: SeRestorePrivilege	1952	4811.exe
Token: SeShutdownPrivilege	1952	4811.exe
Token: SeDebugPrivilege	1952	4811.exe
Token: SeSystemEnvironmentPrivilege	1952	4811.exe
Token: SeChangeNotifyPrivilege	1952	4811.exe
Token: SeRemoteShutdownPrivilege	1952	4811.exe
Token: SeUndockPrivilege	1952	4811.exe
Token: SeManageVolumePrivilege	1952	4811.exe
Token: SeImpersonatePrivilege	1952	4811.exe
Token: SeCreateGlobalPrivilege	1952	4811.exe
Token: 33	1952	4811.exe
Token: 34	1952	4811.exe
Token: 35	1952	4811.exe
Token: 36	1952	4811.exe
Token: SeIncreaseQuotaPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeTakeOwnershipPrivilege	4760	svchost.exe
Token: SeLoadDriverPrivilege	4760	svchost.exe
Token: SeSystemProfilePrivilege	4760	svchost.exe
Token: SeSystemtimePrivilege	4760	svchost.exe
Token: SeProfSingleProcessPrivilege	4760	svchost.exe
Token: SeIncBasePriorityPrivilege	4760	svchost.exe
Token: SeCreatePagefilePrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeRestorePrivilege	4760	svchost.exe
Token: SeShutdownPrivilege	4760	svchost.exe
Token: SeDebugPrivilege	4760	svchost.exe
Token: SeSystemEnvironmentPrivilege	4760	svchost.exe
Token: SeChangeNotifyPrivilege	4760	svchost.exe
Token: SeRemoteShutdownPrivilege	4760	svchost.exe
Token: SeUndockPrivilege	4760	svchost.exe
Token: SeManageVolumePrivilege	4760	svchost.exe
Token: SeImpersonatePrivilege	4760	svchost.exe
Token: SeCreateGlobalPrivilege	4760	svchost.exe
Token: 33	4760	svchost.exe
Token: 34	4760	svchost.exe
Token: 35	4760	svchost.exe
Token: 36	4760	svchost.exe
Token: SeDebugPrivilege	2928	explorer.exe
Token: SeDebugPrivilege	2928	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6023.exe

pid process

3480 6023.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4760 svchost.exe

pid	process
3480	6023.exe

pid	process
4760	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe6572.exeBOT IPK.EXE1068.exeBOT MD.EXEBOT DC.EXE4811.exeBOT CG.EXE6023.exe

description	pid	process	target process
PID 4440 wrote to memory of 4592	4440	97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe	6572.exe
PID 4440 wrote to memory of 4592	4440	97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe	6572.exe
PID 4440 wrote to memory of 4592	4440	97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe	6572.exe
PID 4592 wrote to memory of 1480	4592	6572.exe	BOT CG.EXE
PID 4592 wrote to memory of 1480	4592	6572.exe	BOT CG.EXE
PID 4592 wrote to memory of 1480	4592	6572.exe	BOT CG.EXE
PID 4592 wrote to memory of 2892	4592	6572.exe	BOT DC.EXE
PID 4592 wrote to memory of 2892	4592	6572.exe	BOT DC.EXE
PID 4592 wrote to memory of 2892	4592	6572.exe	BOT DC.EXE
PID 4592 wrote to memory of 220	4592	6572.exe	BOT IPK.EXE
PID 4592 wrote to memory of 220	4592	6572.exe	BOT IPK.EXE
PID 4592 wrote to memory of 220	4592	6572.exe	BOT IPK.EXE
PID 4592 wrote to memory of 4840	4592	6572.exe	BOT MD.EXE
PID 4592 wrote to memory of 4840	4592	6572.exe	BOT MD.EXE
PID 4592 wrote to memory of 4840	4592	6572.exe	BOT MD.EXE
PID 4592 wrote to memory of 2068	4592	6572.exe	PERX UPDATED.EXE
PID 4592 wrote to memory of 2068	4592	6572.exe	PERX UPDATED.EXE
PID 4592 wrote to memory of 2068	4592	6572.exe	PERX UPDATED.EXE
PID 220 wrote to memory of 3400	220	BOT IPK.EXE	1068.exe
PID 220 wrote to memory of 3400	220	BOT IPK.EXE	1068.exe
PID 220 wrote to memory of 3400	220	BOT IPK.EXE	1068.exe
PID 3400 wrote to memory of 2764	3400	1068.exe	svchost.exe
PID 3400 wrote to memory of 2764	3400	1068.exe	svchost.exe
PID 3400 wrote to memory of 2764	3400	1068.exe	svchost.exe
PID 4840 wrote to memory of 3040	4840	BOT MD.EXE	1711.exe
PID 4840 wrote to memory of 3040	4840	BOT MD.EXE	1711.exe
PID 4840 wrote to memory of 3040	4840	BOT MD.EXE	1711.exe
PID 2892 wrote to memory of 1952	2892	BOT DC.EXE	4811.exe
PID 2892 wrote to memory of 1952	2892	BOT DC.EXE	4811.exe
PID 2892 wrote to memory of 1952	2892	BOT DC.EXE	4811.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1952 wrote to memory of 3416	1952	4811.exe	notepad.exe
PID 1480 wrote to memory of 3480	1480	BOT CG.EXE	6023.exe
PID 1480 wrote to memory of 3480	1480	BOT CG.EXE	6023.exe
PID 1480 wrote to memory of 3480	1480	BOT CG.EXE	6023.exe
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE
PID 3480 wrote to memory of 3044	3480	6023.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
"C:\Users\Admin\AppData\Local\Temp\97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\6572\6572.exe
"C:\Users\Admin\AppData\Local\Temp\6572\6572.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE
"C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\6023\6023.exe
"C:\Users\Admin\AppData\Local\Temp\6023\6023.exe"
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4336

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\Microsoft\svchost.exe
"C:\Windows\system32\Microsoft\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE
"C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\4811\4811.exe
"C:\Users\Admin\AppData\Local\Temp\4811\4811.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:3416

C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
"C:\Windows\system32\Microsoft\Microsoft\svchost.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
"C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\1068\1068.exe
"C:\Users\Admin\AppData\Local\Temp\1068\1068.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2764

C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE
"C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\1711\1711.exe
"C:\Users\Admin\AppData\Local\Temp\1711\1711.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
PID:4916

C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE
"C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE"
4⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1068\1068.exe
Filesize
36KB

MD5
71862d539820b6e844743c3c14b812f2

SHA1
c291d986e7c0a90dfac1985734b2b838e0ac1ba8

SHA256
c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f

SHA512
8aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1068\1068.exe
Filesize
36KB

MD5
71862d539820b6e844743c3c14b812f2

SHA1
c291d986e7c0a90dfac1985734b2b838e0ac1ba8

SHA256
c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f

SHA512
8aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1711\1711.exe
Filesize
141KB

MD5
e48a136cdfab0086b19ec4eaa312ce0a

SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2

SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed

SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\1711\1711.exe
Filesize
141KB

MD5
e48a136cdfab0086b19ec4eaa312ce0a

SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2

SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed

SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\4811\4811.exe
Filesize
251KB

MD5
84b289aaeca9df588da3cb4e2c8c0df7

SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83

SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76

SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843

Download Submit
C:\Users\Admin\AppData\Local\Temp\4811\4811.exe
Filesize
251KB

MD5
84b289aaeca9df588da3cb4e2c8c0df7

SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83

SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76

SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843

Download Submit
C:\Users\Admin\AppData\Local\Temp\6023\6023.exe
Filesize
428KB

MD5
5266a01b55e2dd48a1ffa29e0c0db337

SHA1
cd10900e1d1164b27d71bedf953a365bfa113254

SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133

SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319

Download Submit
C:\Users\Admin\AppData\Local\Temp\6023\6023.exe
Filesize
428KB

MD5
5266a01b55e2dd48a1ffa29e0c0db337

SHA1
cd10900e1d1164b27d71bedf953a365bfa113254

SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133

SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319

Download Submit
C:\Users\Admin\AppData\Local\Temp\6572\6572.exe
Filesize
2.0MB

MD5
57496fd195ddc8c2b71e5350a52c7883

SHA1
aaecf75593281b80de21bdbccb5b9b68b69cf14c

SHA256
7ee3083d23dfe6ae5897ed15059323952a724056974f344f37a5a9d10444e798

SHA512
41917b2c398cf83016b331f73b8f35fea5abfdd0c63dc9017d75c9401ae644c4c264ba8106aba8de1893c02784c1176cc68e2126d21e97c5d506145442d84c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\6572\6572.exe
Filesize
2.0MB

MD5
57496fd195ddc8c2b71e5350a52c7883

SHA1
aaecf75593281b80de21bdbccb5b9b68b69cf14c

SHA256
7ee3083d23dfe6ae5897ed15059323952a724056974f344f37a5a9d10444e798

SHA512
41917b2c398cf83016b331f73b8f35fea5abfdd0c63dc9017d75c9401ae644c4c264ba8106aba8de1893c02784c1176cc68e2126d21e97c5d506145442d84c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
385KB

MD5
204107650c4d55dffd9d2bee78345a9a

SHA1
3a18430e339376408c449f28936678f09e903e4a

SHA256
f5f1e591d08f47b267da2e7c61c82bef06cbb233899d80949cdf0663538b721c

SHA512
a3fc2b53a1d69f5055be92ef14b9eef543c0ac0230127d56c483465e68aef12549c510f2521ad2e924c0a63cbc0dd9f44c9a92573eb109eeb805f67f24cede01

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE
Filesize
1.5MB

MD5
b87cb82351c228f2613a73037782a1e0

SHA1
120029c4a33f6ea2ce7309704451c537c70d2052

SHA256
341cab72e5448a26aa5ffa3da9b17254688c43e595e32710c815c2aa12bfb0e6

SHA512
8be6abf65bec2016ac45778382249e808e2855f9261a0ec05f14f5da537b37b233d076bf4b4711f1d1becd5196bc22772bce2df65b2c159dd778916cf94824cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE
Filesize
1.5MB

MD5
b87cb82351c228f2613a73037782a1e0

SHA1
120029c4a33f6ea2ce7309704451c537c70d2052

SHA256
341cab72e5448a26aa5ffa3da9b17254688c43e595e32710c815c2aa12bfb0e6

SHA512
8be6abf65bec2016ac45778382249e808e2855f9261a0ec05f14f5da537b37b233d076bf4b4711f1d1becd5196bc22772bce2df65b2c159dd778916cf94824cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE
Filesize
1.3MB

MD5
a5ed82ea60f9b5dd29f6d8e375a09b11

SHA1
6427aef33e82e330cd64fcd31517a57d6dd13c39

SHA256
3383ccd6b7a8b5bfc9c0ec4e241a02627444bc11f36967581cd407fb1489e785

SHA512
6392d0990e89309318c7b286350faec073a02d921250f7d5ce2ebc068d722ad951d6a853fd29b1c861aff97cbc6fb0b573fb883f2334fd7dcdf7ee701dac8c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE
Filesize
1.3MB

MD5
a5ed82ea60f9b5dd29f6d8e375a09b11

SHA1
6427aef33e82e330cd64fcd31517a57d6dd13c39

SHA256
3383ccd6b7a8b5bfc9c0ec4e241a02627444bc11f36967581cd407fb1489e785

SHA512
6392d0990e89309318c7b286350faec073a02d921250f7d5ce2ebc068d722ad951d6a853fd29b1c861aff97cbc6fb0b573fb883f2334fd7dcdf7ee701dac8c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
Filesize
894KB

MD5
bafbad9ae37bff4842733ddf2cd8dc60

SHA1
096e10c3fdf4c13309480608482650b79943c794

SHA256
7a092f8a206b05aa6d224d804d3f296aebb8fd010ea8f72f8f5990b994d5978e

SHA512
96aad5a2f485219a74100ef7e43479467b120a4391d7b80ce7e888039b57473240e3ec4ea8cbfc4b456e4e6da1be110c917b574443fbf25bc54877c98d5818a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
Filesize
894KB

MD5
bafbad9ae37bff4842733ddf2cd8dc60

SHA1
096e10c3fdf4c13309480608482650b79943c794

SHA256
7a092f8a206b05aa6d224d804d3f296aebb8fd010ea8f72f8f5990b994d5978e

SHA512
96aad5a2f485219a74100ef7e43479467b120a4391d7b80ce7e888039b57473240e3ec4ea8cbfc4b456e4e6da1be110c917b574443fbf25bc54877c98d5818a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE
Filesize
1.0MB

MD5
015f387a76fe9ca8385328e94cc4334e

SHA1
a6d09677f1c9cb97eacc3705bdd1714976035f1e

SHA256
329c2a640272393e9d24d07cdcf254522329ea8f817443c82fa8461d46290946

SHA512
7e58e770a9ea2802d30d0b835454c354bce00717e1bca3b38969ac3c42d40f20f53c5b93bf31028a08ae0145e5a6d543f5bcd0f203cf6c75aa603807c33d00b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE
Filesize
1.0MB

MD5
015f387a76fe9ca8385328e94cc4334e

SHA1
a6d09677f1c9cb97eacc3705bdd1714976035f1e

SHA256
329c2a640272393e9d24d07cdcf254522329ea8f817443c82fa8461d46290946

SHA512
7e58e770a9ea2802d30d0b835454c354bce00717e1bca3b38969ac3c42d40f20f53c5b93bf31028a08ae0145e5a6d543f5bcd0f203cf6c75aa603807c33d00b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE
Filesize
233KB

MD5
8c4adab323fa75d5aede1abf3e366226

SHA1
10ffb2983f15ab01d7594a63391de3f734d62982

SHA256
efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368

SHA512
6cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463

Download Submit
C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE
Filesize
233KB

MD5
8c4adab323fa75d5aede1abf3e366226

SHA1
10ffb2983f15ab01d7594a63391de3f734d62982

SHA256
efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368

SHA512
6cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
141KB

MD5
e48a136cdfab0086b19ec4eaa312ce0a

SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2

SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed

SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
141KB

MD5
e48a136cdfab0086b19ec4eaa312ce0a

SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2

SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed

SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
36KB

MD5
71862d539820b6e844743c3c14b812f2

SHA1
c291d986e7c0a90dfac1985734b2b838e0ac1ba8

SHA256
c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f

SHA512
8aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
36KB

MD5
71862d539820b6e844743c3c14b812f2

SHA1
c291d986e7c0a90dfac1985734b2b838e0ac1ba8

SHA256
c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f

SHA512
8aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046

Download Submit
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
Filesize
251KB

MD5
84b289aaeca9df588da3cb4e2c8c0df7

SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83

SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76

SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843

Download Submit
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
Filesize
251KB

MD5
84b289aaeca9df588da3cb4e2c8c0df7

SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83

SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76

SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843

Download Submit
C:\Windows\SysWOW64\Microsoft\svchost.exe
Filesize
428KB

MD5
5266a01b55e2dd48a1ffa29e0c0db337

SHA1
cd10900e1d1164b27d71bedf953a365bfa113254

SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133

SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319

Download Submit
C:\Windows\SysWOW64\Microsoft\svchost.exe
Filesize
428KB

MD5
5266a01b55e2dd48a1ffa29e0c0db337

SHA1
cd10900e1d1164b27d71bedf953a365bfa113254

SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133

SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319

Download Submit
memory/220-142-0x0000000000000000-mapping.dmp

Download
memory/460-191-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/460-189-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/460-211-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/460-178-0x0000000000000000-mapping.dmp

Download
memory/1480-136-0x0000000000000000-mapping.dmp

Download
memory/1536-185-0x0000000000000000-mapping.dmp

Download
memory/1952-165-0x0000000000000000-mapping.dmp

Download
memory/1952-168-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1952-192-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-148-0x0000000000000000-mapping.dmp

Download
memory/2068-209-0x00000000054A0000-0x00000000054F6000-memory.dmp

Filesize
344KB

Download
memory/2068-208-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/2068-158-0x00000000007C0000-0x0000000000802000-memory.dmp

Filesize
264KB

Download
memory/2068-159-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/2068-160-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/2068-161-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/2764-155-0x0000000000000000-mapping.dmp

Download
memory/2892-139-0x0000000000000000-mapping.dmp

Download
memory/2928-205-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/2928-204-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/2928-212-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/2928-200-0x0000000000000000-mapping.dmp

Download
memory/3040-162-0x0000000000000000-mapping.dmp

Download
memory/3400-152-0x0000000000000000-mapping.dmp

Download
memory/3416-169-0x0000000000000000-mapping.dmp

Download
memory/3480-186-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/3480-170-0x0000000000000000-mapping.dmp

Download
memory/3480-174-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/3480-196-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/3480-201-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/4592-135-0x0000000000A50000-0x0000000000F4E000-memory.dmp

Filesize
5.0MB

Download
memory/4592-132-0x0000000000000000-mapping.dmp

Download
memory/4592-151-0x0000000000A50000-0x0000000000F4E000-memory.dmp

Filesize
5.0MB

Download
memory/4760-179-0x0000000000000000-mapping.dmp

Download
memory/4760-190-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4760-210-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4840-145-0x0000000000000000-mapping.dmp

Download
memory/4916-180-0x0000000000000000-mapping.dmp

Download
memory/4928-206-0x0000000000000000-mapping.dmp

Download