gh0strat | 38793cdce198f9972b28a4c2e1d1f909ae9b0ef93417ff54ab729db329733027

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.5MB
MD5

945d2c9d9eeb48366f3f29f1038ec995
SHA1

0997d0b535248bb80a0c127cab8b9dd9c3bceec3
SHA256

38793cdce198f9972b28a4c2e1d1f909ae9b0ef93417ff54ab729db329733027
SHA512

751686c17e6c35f02c11074553974914b5afb661fd3ffd83aed6d8882d9fb6d9ccc12b34b03e39edaedb5054074f7e3bf4094b7510c5d4071e57ea123dc0fbab
SSDEEP

24576:ynsJ39LyjbJkQFMhmC+6GD9hYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnPyzwOe+atyC:ynsHyjtk2MYC5GDrYREXSVMDi3XR+qf

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015bf2-23.dat	family_gh0strat
behavioral1/files/0x0008000000015bf2-40.dat	family_gh0strat
behavioral1/files/0x0006000000016d52-66.dat	family_gh0strat
behavioral1/memory/2204-72-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2204-81-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2528-96-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2528-99-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2204-71-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/2204-70-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000015bf2-116.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259410755.bat"	look2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259411613.bat"	look2.exe

Executes dropped EXE 8 IoCs

pid	Process
2960	._cache_tmp.exe
2704	look2.exe
2608	Synaptics.exe
2648	._cache_Synaptics.exe
2204	HD_._cache_tmp.exe
2208	look2.exe
2528	HD_._cache_Synaptics.exe
1528	svchcst.exe

Loads dropped DLL 16 IoCs

pid	Process
1140	tmp.exe
2960	._cache_tmp.exe
2704	look2.exe
1140	tmp.exe
1140	tmp.exe
2608	Synaptics.exe
2576	svchost.exe
2608	Synaptics.exe
2960	._cache_tmp.exe
2960	._cache_tmp.exe
2648	._cache_Synaptics.exe
2208	look2.exe
2648	._cache_Synaptics.exe
2648	._cache_Synaptics.exe
2576	svchost.exe
1528	svchcst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXEB285D75 = "C:\\Windows\\XXXXXXEB285D75\\svchsot.exe"	HD_._cache_tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259410755.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\259411613.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXXEB285D75\svchsot.exe	HD_._cache_tmp.exe
File opened for modification	C:\Windows\XXXXXXEB285D75\svchsot.exe	HD_._cache_tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2960	._cache_tmp.exe
2648	._cache_Synaptics.exe
2204	HD_._cache_tmp.exe
2204	HD_._cache_tmp.exe
2204	HD_._cache_tmp.exe
2528	HD_._cache_Synaptics.exe
2528	HD_._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2960	._cache_tmp.exe
2960	._cache_tmp.exe
2648	._cache_Synaptics.exe
2648	._cache_Synaptics.exe
1788	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2960	1140	tmp.exe	28
PID 1140 wrote to memory of 2960	1140	tmp.exe	28
PID 1140 wrote to memory of 2960	1140	tmp.exe	28
PID 1140 wrote to memory of 2960	1140	tmp.exe	28
PID 2960 wrote to memory of 2704	2960	._cache_tmp.exe	29
PID 2960 wrote to memory of 2704	2960	._cache_tmp.exe	29
PID 2960 wrote to memory of 2704	2960	._cache_tmp.exe	29
PID 2960 wrote to memory of 2704	2960	._cache_tmp.exe	29
PID 1140 wrote to memory of 2608	1140	tmp.exe	37
PID 1140 wrote to memory of 2608	1140	tmp.exe	37
PID 1140 wrote to memory of 2608	1140	tmp.exe	37
PID 1140 wrote to memory of 2608	1140	tmp.exe	37
PID 2608 wrote to memory of 2648	2608	Synaptics.exe	36
PID 2608 wrote to memory of 2648	2608	Synaptics.exe	36
PID 2608 wrote to memory of 2648	2608	Synaptics.exe	36
PID 2608 wrote to memory of 2648	2608	Synaptics.exe	36
PID 2960 wrote to memory of 2204	2960	._cache_tmp.exe	32
PID 2960 wrote to memory of 2204	2960	._cache_tmp.exe	32
PID 2960 wrote to memory of 2204	2960	._cache_tmp.exe	32
PID 2960 wrote to memory of 2204	2960	._cache_tmp.exe	32
PID 2648 wrote to memory of 2208	2648	._cache_Synaptics.exe	35
PID 2648 wrote to memory of 2208	2648	._cache_Synaptics.exe	35
PID 2648 wrote to memory of 2208	2648	._cache_Synaptics.exe	35
PID 2648 wrote to memory of 2208	2648	._cache_Synaptics.exe	35
PID 2648 wrote to memory of 2528	2648	._cache_Synaptics.exe	33
PID 2648 wrote to memory of 2528	2648	._cache_Synaptics.exe	33
PID 2648 wrote to memory of 2528	2648	._cache_Synaptics.exe	33
PID 2648 wrote to memory of 2528	2648	._cache_Synaptics.exe	33
PID 2576 wrote to memory of 1528	2576	svchost.exe	38
PID 2576 wrote to memory of 1528	2576	svchost.exe	38
PID 2576 wrote to memory of 1528	2576	svchost.exe	38
PID 2576 wrote to memory of 1528	2576	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259410755.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1528

C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
1⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
91KB

MD5
e79fb4c67a2bdb3776b1297164d26092

SHA1
dd0fcb00978caa5999ebe9dd4def537f29054fc6

SHA256
106c7db58f82b6a16bf4cf1d58ed39a9ed451cc2643bae4d19786fadc01af601

SHA512
fe93cc97739deaef7ef4f1dbacf8594d2d94fca3e14d4bca0228d513c14aa96bb17d89e4cfc3c611c7d055e3774280231481a66b2d32774e1c125aca85a0ad66

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
64KB

MD5
97cbff6bc8450154d8dca971c016b640

SHA1
9781d44406346ccb09ab05a4321696def3854d9d

SHA256
c30ad358ba488d343074c010f0cc0b7f73d356c71b60d74fcc99f57c0c83a6dc

SHA512
78b1fe1b67fb0b33b988ddfd80ce5ee11a89cb8e1265fce3f8c144356e9a25ce693bc2474584027242c9b3e3a6b54e39a979ef221df72758135eb9f038c50b2a

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
102KB

MD5
524f03ae5d79ba55196a03131e11eb47

SHA1
bb735246a6a51260cd5b3ce6d559f0f39f799fb5

SHA256
deba2b6783e9fb09bd812ca7580ef06dcdad48b873a99cc74be0f3b7fa0e2bdc

SHA512
30f0284985aa9205dbd99df304d6b56bdb963ca0527665642b34db9dd66e817dffb53945447ac446c0c227d165ea2b25f02f134068dca4b1e80e891d36afb180

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
23KB

MD5
94698b00e7171c7af154b1388bd3cba1

SHA1
89a57683b1cfba0f6b0cc9c5e034b5d4b397b737

SHA256
08f12c5d7a040ced665c4c029983a13c90c2762686c461ac69ddd8039ed7c2ce

SHA512
3c97b1166a2a85a61735adfce030301a2ff2b1c72a788fde87642a6b7f6fa43d9373cb721545180a88ec40c757c5fb1bf85ef7428ad7a3c5d5565009f36f9b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
92KB

MD5
f5f7c10cf0dbe724570d872852f5b8f7

SHA1
3deb4b7c8e124f44f39c849268b8f3efe09c59fd

SHA256
65df05900e076df9e9e79f4bf813c88aa0d874cef64adca8929f23d4dcab80e6

SHA512
8497d4574a88e9db38a5b247b87c378d2a8ef370c35812228b3a7c9733b25e598d476308952b420a524aabe648f4c2b920285acc5b03f2e18af60e07eaf9722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
8KB

MD5
34e0b3bafe1b976ffc2c1ac1d47dd261

SHA1
70ac032bd3120bd38925b7c0083efd4cf4edf311

SHA256
bd91bcfd3e47c5738e47fab30c4fc17b59fd7b291919902e40a85ea38b0514f1

SHA512
81815ff87125c49b97e44fa4ee527e4f45c13413680d5963e12e3b973ce2af45f6228d78fa1b53cb63c1862d92e60f384203d215bc42427b763ba431176690b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
68KB

MD5
91bab5861028d7d32f17a02548e3381c

SHA1
48830f92cedd466d701cd1b5ae2092c974068120

SHA256
e0e1627020977c927ddb41af278680249f081accab30b7543e3fbc1652631840

SHA512
f528cb27d1c860d971ea550e5e14cdc543715a9f27795ca8cad3e5fc6cdfd3ec60a19867140140e5a680c2336b2644eda9b154b33966f6f8f09928013485b893

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
92KB

MD5
9f83e4088fe4b87b661ef0b9e5ad5587

SHA1
3eebbfda5f650f6179726e205e00a8c2260d4f22

SHA256
b2f3c2d37f2823b8ed3a655add6fc520c933427019773d45cbbce51787847269

SHA512
536b01fb9e5e75eb45e190cc060821f117d34ec3cc665efc62966ea788d6b7d1f3319a4242c463aee6dd7d27de60aaa96fc8279217f61035ba3a201f2d17864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db5cb5Jp.xlsm

Filesize
13KB

MD5
c95ffd0bbf356318b48cb02ceedc3e6a

SHA1
d2b657a6130f38fd81f7234887b8602059db70b7

SHA256
8672327a41078075a62fe1135906c77db383dc7c7c3acd95d2d25baa2d80c643

SHA512
5e3ee6b033f4c65c0c6a0461716e2a6e00ab7d6962b808f77cff760791ef65041896d8bdde8bf60fe2af4da38df3a6b7709919db0df48901c2d0030772e101a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe

Filesize
127KB

MD5
9dd931504db090d761d908bddf6832f7

SHA1
64afe2e774bb63c215eeea06ca9668d497ee27c1

SHA256
042915711b4244133f8a67391be45b7153428a0d01ab4d7b574cd42fa6273b8b

SHA512
57bfb87485d73fcecab9fec3eb696b20bf758a54b78445c383329525f842f7bd0d8d5d2d5f03a52e5711c30244d162760848402db4a0d99c8dccfa3bc58fe170

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe

Filesize
130KB

MD5
700cf98bea6345d6cf8283e29ca946a7

SHA1
8eb2ee90d42515397df80c88a102d61b2b4e1f1f

SHA256
64d54fe566d1cdb5fafabeb1850744f04d4c1736e50430ddd23fc18ba75a9719

SHA512
9bc72d2dcf6aa30526248fb24fadc10bf8b234810e3be523b4268aefaf8bf046e6bfc64784a4feb39c659bdaf29b9e0c5ddaec09968b711b8220245bd3440588

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe

Filesize
103KB

MD5
6aaf90bd2a26fce8d577cf4fb7fae59f

SHA1
866b7ce1fe1089c8920bec75d56374624e4d1fd6

SHA256
c81b9139bb8002337f5c8aa88b9fede3a05660b96e17cad0a9303608dab32119

SHA512
f6512ef1bf651a61559f03c36d0f18922aca058878bf50a67707a8d6601ae34875b292c1f7af8e9cfdf59cb25ecb45a68fc0c3fb0003a1f48c300256905500b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe

Filesize
109KB

MD5
147a77487875b0df06f6073eece1e26c

SHA1
0af820bb225b785c0987a7179b4ac51f1d8737ac

SHA256
03705dda89d7c91ee2d02276597dd84ebbdf35da06cf7a38cffbbe731974d1bc

SHA512
84ad1765cac6b936ed9c30117d91aa8e981eedb684d4fb5faf588e52a55af6531a918d8155028cdffc3da27b933c2155cc29cd1da3f19ef1b714504832f7ca94

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
10KB

MD5
cd2faf543ec270b68d28ec58e59db762

SHA1
a9fe02221558d8c54d7c99a458cd42a64ca3c2c7

SHA256
b7c32b147f6b370d3459674e4572b64ba3e3ed56c1ff63bcc1fa82823a915289

SHA512
a48660a6646bfa73f7a7d50a833dbf326a08664a7d5b9ae77b345032682292b2f2096897892e010b86805c65d1f5922a0f99ed1f4c53b68c5acc762af8f3e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
123KB

MD5
43e98d15cd60b96e4c08ba05d26981d7

SHA1
9d71ca463e24bd67154f79aa0cc9536089a8e8c2

SHA256
b8cfef604301838ec683f66cfadec2b22eb73b3db39b9f9a26b1d6ce439c3850

SHA512
b470ddb07057fc27d5723525b0208dc1c943da8abe504c6b0e70fd16139563124e784e440cda5904c18bab0499c0e0efe659357e429eff5d583cfb5eee50d509

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
15KB

MD5
0504455e2643876d97007daf54edf995

SHA1
1ac8282e394f0b677bcff88abc940e4d08b6951a

SHA256
a48fcbb8b90a0ddaa5209cd407eefb47bdeed1c6747bdede9b92dea7fb1c35d7

SHA512
8e6813c6709c7bd2912b71cd5694ffcdf7c01f7c1c4d08b24a59f992d4dd78e9d04ff31befde63b81739ad7ecb552e11fefd7113107c30f92abe34ae69c9c0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
8KB

MD5
a4a6dcada1581397922e505f7d778d93

SHA1
04a631f00ab8db5b9544454b85fcd3404cae7979

SHA256
c8efc0a384a14e60bf8b9733f5b6e1cb59071ad10baab71560d0bf2b69241a4e

SHA512
b46f66bdfa13e7dc052ca3191c9506086812f71d97a71719197c2ccbb7db394c415ad0bb027fcecb64459db18092a9d329bff31c911c6ab83f43264bbc4732bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
8KB

MD5
7303d238abd82e2f6f0b7a426d02a82e

SHA1
7a1bf5b3390b71a9dd9b21923fea47405e605e20

SHA256
b00a1bdb2d4bf9caeba77dea721db149aea00853dde84e98fbbae3a7916ac1e4

SHA512
0f58edf52d3ad678e876bf2434d0eefb3ed9280c471cc4e4c2d4aa97550784ea28fd27027fcf7ba90d2b4125a0a26a6b3f5f2978ed0bf6dfe529e6715b6be2ae

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
42B

MD5
6e60360a72cd1f519d57ffd990c19139

SHA1
30ca1b3c62bad92bc79dcfd8693f4514cba95c3e

SHA256
791fa6519bfc9d904208f6a2d7152a83254cd0cfaa896a2e7fc2bb74d8e6c886

SHA512
00a65d1bb099191588c55ae67ed21f77121b3d46341f500224d1acaef2a749bdd8c6b4b1b72cc4449604ff02f33bd06ef232cf5a608b2f49ce2b1b995f9543a6

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
9KB

MD5
4a4f7bae1706193770d5292f2a89319c

SHA1
f55f01c2873731de0e417e966673eaa2c23c68e1

SHA256
7c7986fda6c1f3167def3756fc0ec98a5f925259456a28768abccd9127961880

SHA512
5eb7b68b10dc73eae1796e9c06fb503c220e5222a6ebff95edca27121709879c804dd57983e28763a22d6af1e793979dc503d3654f4f3212e0479bd9a9f0acc6

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
20KB

MD5
3ee15118848c37c5afec9746d7db2817

SHA1
1db35d771267d8fd0786622e62d018cf05317b62

SHA256
6653aae4714d17b4bf8e6aa8922f4bc94995501cd4232db4e3185e6aca1f50d0

SHA512
be5d6f6d600a7e2c5c61e4b527f4872143f00358ed299ffeea0cdf1e27dcf08fc5cc7544709032b2d2191aa0119233e715cd6a2f0fc76d14480cfa19ee61ddf4

Download Submit
\??\c:\windows\SysWOW64\259410755.bat

Filesize
26KB

MD5
ef0277e2bbc6933bb1cc87d4f4ef3446

SHA1
e542b2315d1ec83267acf7febe79859e14ec8ac7

SHA256
12a5f8eee862a7b351ef6028fa9a4cd5eb76ca0e310de1f1c528ea5af3272308

SHA512
647a28fed8b8d3376528ff97db137034aad0040af6e90b92a1b075e02f783e3496ecffc106a337296da393e43ed9e9fd1bb7d650a68a4c3391f7aa61980ce762

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
178KB

MD5
048e8ad4cb49df7afe0583e8f2b7bcd5

SHA1
3783e71812c9e7b4cab8cbdc8441b5056c25a0c5

SHA256
04ca1eb557a6c058562f6d6c2072f5253b4b6ae2599ba1f4f82e8dafe06f2fe0

SHA512
03fc40a32337e6e9bd1c1a294598004e5b4f9be1fb43eba2f954e09b5fc87435c1c304d5134a71e9ffccb66b7918789f88e287fc9ff576d539d4dd9b155b6c19

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
64KB

MD5
77f5182be088006c2862f97672d5532b

SHA1
845e52945d8453fb483543281ea85edaa24df3b1

SHA256
4b1c013c7a7b13fc7612d558445ceaa2ee8af87048e142547e696f7ce926d850

SHA512
19d92964687c9d1f9a92336872274dd6cad70db30ab6334199c21a27d0f1c030c6843f0d6dcf09c5c4eb15d5c6b096c1493ffa604ffb585f91d2f293738bd561

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
114KB

MD5
9b674b519cb5a02e387548c9a99b1e3f

SHA1
03505c6d78263954c8420c203c9cf8f4ea976b19

SHA256
a702d3f65c0fc2b8a35dbdb91f160ee5dedb73aedbff6c607096175a70d2c2bb

SHA512
b70f4d67536d790f9b8c4efcf488048946d6c07f756b569a0c9a1967e555137ddd0b340e64707fe37f1cdb69b9de5a425d64d996eee011e2488115ba582c4799

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
211KB

MD5
564e3f8697d742d2c8dbebf3d4bca0ee

SHA1
8d2c828c29775dce7090b4c2b841be51c4a75b9c

SHA256
3062cb9b51a44816d18d2e03fcf209f56d89da06a5ebbcfc71adef7b8ab25aed

SHA512
e3ed4e6a9bbc6d2dc1cc38263d908005dbf3cd78c2820d507643c57df0f0a041e30c97ac7ad3139a595babf7aca29be88fdaf1aab3a45a8fe6acaa0c5571ecc4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
110KB

MD5
b6a925878768c524863fc593b009d3f8

SHA1
731122c5f43e0e1214310742e42dc2032b3a0b07

SHA256
5772856e2d0dc5d33239b2e0d66fded9096180bcc331079c149d7a65caf6845a

SHA512
c561b835acfba585687ce93ef3dd23afaf0b2b724f78938d6953e4cc55a24f066bcac074fa7c38fd9659e519bf432ef21dfa38ddfe1af232a977f538dfc9b664

Download Submit
\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe

Filesize
123KB

MD5
aa3445e19dd11d88ee0651bdf414e8f7

SHA1
00ac9bdf647b49a98882c86c1e8d10a87582fb2e

SHA256
433c89355474af0703a5bab9e9b0c7963c730a92418bd111642de2444bd0e224

SHA512
f40770fce87eea95f744213b75a36886d9c1b626ccca94ef762501daf593be1b3496e34780a861acf7cff199ac8d07b85d8217bca2973cdb084fc88be40ff2ec

Download Submit
\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe

Filesize
132KB

MD5
cab30a5f84a9d2abf27d69eb5b78e57a

SHA1
32cdc9035029b859b6f5d2c4247b8285a6fb5de5

SHA256
c1947c75fb83d32863680e43a8e71d1c31cf661044e4aea9cd075aef2b42adb8

SHA512
cee8d373d8681a7bdf529f91b2ad760d58fdc8d4d14bb6b3051e479b47b04b221ba82434de3bcab26e25bb30baf2db59adc6f72ecc97efdc4cdb7a03f31bd9d8

Download Submit
\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe

Filesize
50KB

MD5
14fe6a58c9988adbdfd102650fef9dc3

SHA1
feb829b85ebfde902165b627e9969a1d9f6d8c17

SHA256
0b7d95c5b51062d38d11b31c12e835e57e23528469af807060ad05e26866a48f

SHA512
16c0a4e8ba270877942971bfa516c51989f82a1ee4884561d0f5c75661805944abe5c284effa445815a4e01b66aa300fc50830ac75ab59d629ce07d5d729b8ac

Download Submit
\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe

Filesize
217KB

MD5
8f5039ee8bb70e023cbc4f7eadf224ac

SHA1
464118b0cc3de4bc16e0cc18ff223c0aaeeac5c7

SHA256
6cb9915465db88b118f7a3c6311120a5665dae158eb1b44f7241101a8f0208f4

SHA512
3e920a6af501e2b87427ccad6caa1e278b415681d3481e65fea4ee98ad091cbbf892d5278466f450972b5d042cbab3165ece1ff3f47f8e73baa28cdd13091a3e

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
67KB

MD5
20bc11169c99ed58d48613b0857b8633

SHA1
0fee72635ee86eb95a9c7e2ed793474da50317ec

SHA256
6863a85d0d9980bf914e379eec983255206e34d68b4821ad51a1925aa3c18452

SHA512
cc31cb4c355701cd1cc3213665568cb985f312721a5e11010a2756bc676f978448e4228c01e6c45c12cac9dcdd82ce872f6a515d15bb10ac9ef649ad56cf6891

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
5KB

MD5
718326edb6e699cec3a9391ba7b2ed26

SHA1
cbc0902f1a52930bab4cf0ffbd46bf705409f80b

SHA256
73558671e7a79e78f0cc8a888054301810ada49b57282a349833c15d57432f92

SHA512
1383edec3b08628cbafe1727bab1a7ccd899e9d1bbd7fb3ca9422d24bb43c27628c1dc8f46c2e74eb009350dc475938e5efa83acac5c0e2d6ac5ddb7ff330c4d

Download Submit
\Windows\SysWOW64\259410755.bat

Filesize
19KB

MD5
2671025e2babb00417266f15f4cd456f

SHA1
0d7cb62f447a237571c35ced75bc49a7926e496b

SHA256
e7d05635e43c7bcedade485a39c93e8a656a90b45b3887004d6aeaec16f7b2b3

SHA512
5b7e90f5514f3fcd71f82e5bfb623674696dc1a15b269dcf0bbf2901c05c5e8e68a272628f01fdf59e3b35a18f47abc5f935701ffe56d67c4ea2fd468045c113

Download Submit
\Windows\SysWOW64\259410755.bat

Filesize
51KB

MD5
d67e761823693bac055aeee8df2eb2db

SHA1
6eb16fe1fbbef10bb993f8daabf0b71ce56e344c

SHA256
65a0bb35dbe0f4ffad44b5ed6389e9a6bd333908c54f0d125a329618a54e69d7

SHA512
fd19080e9944a9f330bb90d6424c1fe318169c1756ef8e5849f8ff4c75167597f1c793d2ab0c9af6779c2daeba362de650cee991cbcb2d93741e30029341b935

Download Submit
\Windows\SysWOW64\259411613.bat

Filesize
6KB

MD5
f834b6f61e1193c1fa06b446bde95a93

SHA1
ddf662719ddc0cde145bc3dd9c22074a9596a4fc

SHA256
e8f09d55e38004a57a182f85794642e0112f675fba26e595f8fe0d4a1e6be5a5

SHA512
a81d0a262f4ffde64c78307da1e2c009eae74b609de46cb3f19854c0c26691c4c1b0c9d3e56a83fc97b4ca86c624d52d8c68807a7dbaa04699b3e507391c8fc4

Download Submit
\Windows\SysWOW64\svchcst.exe

Filesize
1KB

MD5
7d5707db3c2653268f20049e47e53345

SHA1
f41110ae60b7a69606ef8b813b4b144b00ab0f74

SHA256
f3e93cb1567b52f0e51cdbf25a3ec6b8fe75b018e4cd2445464fcaa0ace70347

SHA512
497cbb1147d3ca69fee7e716cc778660b111fd1fe9a7b9bd8a521370bb7be8cae212285afabfabdca88a9e92e3a39de7f3333a24e6e573697dd56abe90b3475c

Download Submit
memory/1140-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1140-33-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/1788-137-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/1788-108-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/1788-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-70-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2204-71-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2204-72-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2204-81-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2204-68-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2528-99-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2528-95-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2528-96-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2608-34-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2608-134-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/2608-135-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2608-136-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/2608-167-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download