gh0strat | b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Size

3.5MB
MD5

8e1d90f09e0627a3b6225ae5be6ce80d
SHA1

578fd8c25ce5ef60dd5786940e90a44f3ff420cc
SHA256

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e
SHA512

9ae682cf05c361e49778f5fb589c5da00997919ce72ea56a7cf588560557b77e9b93e4ea450ee2dce972c41216a9c51e0b4ba2ffecfde60f00ca579f7939a65d
SSDEEP

98304:A1VVv28GMAMV4nsmtk2aSrJpmPhekGZvQYocMRMh6:ytGLLpt6

Score

10^/10

gh0strat aspackv2 persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259424280.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GLk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\259424280.bat"	GLk.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

GLk.exeHD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeSynaptics.exesvchist.exe._cache_Synaptics.exe

pid	process
2512	GLk.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2976	Synaptics.exe
524	svchist.exe
3752	._cache_Synaptics.exe

Loads dropped DLL 19 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeGLk.exesvchost.exeHD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exesvchist.exeSynaptics.exe._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exe

pid	process
2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2512	GLk.exe
2692	svchost.exe
2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2692	svchost.exe
524	svchist.exe
2976	Synaptics.exe
2976	Synaptics.exe
2976	Synaptics.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

Drops file in System32 directory 26 IoCs

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exeGLk.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\WINABC.HLP	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\system32\WINABC.OVL	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\WINABC.CNT	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\system32\WINABC.OVL	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.CWD	._cache_Synaptics.exe
File created	C:\WINDOWS\SysWOW64\WINABC.IME	._cache_Synaptics.exe
File created	C:\Windows\system32\WINABC.CWD	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.CWD	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\system32\WINABC.CNT	._cache_Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.HLP	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.OVL	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.CNT	._cache_Synaptics.exe
File opened for modification	C:\Windows\system32\WINABC.IME	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\259424280.bat	GLk.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File created	C:\Windows\system32\WINABC.CNT	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.HLP	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\system32\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\WINDOWS\SysWOW64\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.OVL	._cache_Synaptics.exe
File opened for modification	C:\Windows\system32\WINABC.CWD	._cache_Synaptics.exe
File opened for modification	C:\Windows\system32\WINABC.HLP	._cache_Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.IME	._cache_Synaptics.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exe

pid	process
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

8324 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

pid process

2760 b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

pid	process
8324	EXCEL.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exeEXCEL.EXE

pid	process
2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2972	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
3752	._cache_Synaptics.exe
3752	._cache_Synaptics.exe
8324	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeHD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exesvchost.exeSynaptics.exe

description	pid	process	target process
PID 2760 wrote to memory of 2512	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 2760 wrote to memory of 2512	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 2760 wrote to memory of 2512	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 2760 wrote to memory of 2512	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 2760 wrote to memory of 2864	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2760 wrote to memory of 2864	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2760 wrote to memory of 2864	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2760 wrote to memory of 2864	2760	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2864 wrote to memory of 2972	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2864 wrote to memory of 2972	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2864 wrote to memory of 2972	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2864 wrote to memory of 2972	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 2864 wrote to memory of 2976	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 2864 wrote to memory of 2976	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 2864 wrote to memory of 2976	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 2864 wrote to memory of 2976	2864	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 2692 wrote to memory of 524	2692	svchost.exe	svchist.exe
PID 2692 wrote to memory of 524	2692	svchost.exe	svchist.exe
PID 2692 wrote to memory of 524	2692	svchost.exe	svchist.exe
PID 2692 wrote to memory of 524	2692	svchost.exe	svchist.exe
PID 2976 wrote to memory of 3752	2976	Synaptics.exe	._cache_Synaptics.exe
PID 2976 wrote to memory of 3752	2976	Synaptics.exe	._cache_Synaptics.exe
PID 2976 wrote to memory of 3752	2976	Synaptics.exe	._cache_Synaptics.exe
PID 2976 wrote to memory of 3752	2976	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
"C:\Users\Admin\AppData\Local\Temp\b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\GLk.exe
C:\Users\Admin\AppData\Local\Temp\\GLk.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2512

C:\Users\Admin\AppData\Local\Temp\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
C:\Users\Admin\AppData\Local\Temp\\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2972

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:2564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\svchist.exe
C:\Windows\system32\svchist.exe "c:\windows\system32\259424280.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:8324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
6bc158e1e67fa0f6930651506d553118

SHA1
64418a0c8751adcf869bad8c5ba7314ba9d1e8b6

SHA256
3d97e9c9f64f303878cfa188d5dcf47ce75b5de30e94b02ccffa83ebb4f6908c

SHA512
6338408f2658eb9df8897c94de2a2ac73ed8fa8c3e6484d8d06b17cb24fdf262490db741df8ec7705eb5871663b63257909431fb7224da8a9324216019e96970

Download Submit
C:\Users\Admin\AppData\Local\Temp\T1zdi7Ta.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\SysWOW64\WINABC.CNT
Filesize
1KB

MD5
6dda1f4625d8d54da52938bc14723347

SHA1
634b03f556b05c7863b64e8bf9964de9ffaa3cd3

SHA256
4ea278e7d4ff35fa9023196f18432ab1451be0d45156ab098e3884a523c0b15b

SHA512
e522c307ef6be163bd8b49ca02e6fe181b340d5f1262acb8e4ce9e7da20d6f88deaa75bbb552e2c239d7c7b366cf4d0757494bd34e231a0467799b3c8edd2970

Download Submit
C:\Windows\SysWOW64\WINABC.CWD
Filesize
279KB

MD5
bbfc567b238c2a1a49e76f3183be2e5f

SHA1
d46f9bcfdcf2be0f2b75e3e591852c07c0f966a8

SHA256
dfc43d699cfd0b7afb3432b77b93bb46fdcb60a9fb519f23f34d72f533a7e947

SHA512
c045dfd061b9ca7b93a209eae2f03c2485dd275ac3cca93c18df5cf292989d57b7b7a62f7abf898c5aa979ac0d6726a139866e4350a811e37e74d25ddb4d05ab

Download Submit
C:\Windows\SysWOW64\WINABC.HLP
Filesize
338KB

MD5
37fb0e0c62ecdf058f6d368cdb70c1ea

SHA1
77b25681c22e0399bb0d7f8c21927966b5a80c96

SHA256
8864f200c309a9fafd3bc3878be7a8581e3379225bfbccba121c986b07338fd6

SHA512
f31f52fac14ee0fef21cbb90df63cd27cef1f8c9fa48ff3faa013c5bc57fc5a2ccada48b9895b0cd2e9da8e66f36b0d69da80d948b1ffbf2f2f8502c15a9eae0

Download Submit
C:\Windows\SysWOW64\WINABC.OVL
Filesize
75KB

MD5
56e55a412a19397e8e3709fc343ad787

SHA1
138e1707a795fe1e46cb14bf4861902e743e28ef

SHA256
79b3e83313f757245436d8b6d13ac717955c554c46af486167ce3b662e92cd8b

SHA512
16b997bb44324bdb5e5d859acfdf8e8bfa1ce6bd0f3f8dd294e24f4913c1de3d3e0e7224597cabf3e59edd3ee77dc268aa79f117abc8ce7ff892eabbf3c29c2b

Download Submit
C:\Windows\SysWOW64\svchist.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\System32\WINABC.IME
Filesize
96KB

MD5
34b248ee78201f3f72a648527e2bf945

SHA1
c5e2e01a69981d7084b23959b397f716641eaeb8

SHA256
36589d83c62074584a27c19759d86b4576450141afca34c1f5cb19016c6e7042

SHA512
acf3b6b15b254e9070efbbe66d1293659fb3feb58b9a7fb5ddd9a784e4d43d869cf1e1a40359c580331fd3a0f1254159ede106258af155fe4ba3495712408e74

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Filesize
1.6MB

MD5
2b3251d0bebf9f9def96ef04b4069322

SHA1
44d9979dd657ac7038f98cb68e4a68f95190d1d8

SHA256
cdd6df5224a715af8fbcd8fa573ac7957c2632c6eccf1cc2278a08eba450360e

SHA512
f382c2de2c43187c417fbb20238d82fc893592c55c9c1a7883905f5274399457e7d50d491ce07b446bf2b4aa2dacabd39cf15f833fc9d8cc675963c2b3b9dd1d

Download Submit
\Users\Admin\AppData\Local\Temp\GLk.exe
Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
\Users\Admin\AppData\Local\Temp\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Filesize
2.3MB

MD5
5e5b275c606e3c1f6aba6ef699721459

SHA1
36a5222fc094e4b5132c389632d3253fd01f1130

SHA256
0df9cda418c04e4bbbf8efb50fa2be7b02ae72408559b1dfe0efe8c9d08c4b72

SHA512
4be9825d6a7a40e9bb0c7e275b15005c87f4bc54a8c08ad17c73cd2141d505329d2500dface014879f0af0213088aecf73fddf4cd24829b43fe8a809b2838835

Download Submit
\Windows\SysWOW64\259424280.bat
Filesize
51KB

MD5
f46ddfd4cbcd2928b8c7e63987eefae9

SHA1
381fe18f20fa7b91d68a04c06853621f9d710248

SHA256
c1f507c1534f54270750a1c0cc9309343da9699bb450d13bca2278155fcd02bb

SHA512
de2ab922354047dc2b96decd2d310c6926170821164b3fb027295e5715c082e3c31fd0153988a4b1070a9550b004c078046fde2e1f8ebe53ea52c57e431c026c

Download Submit
memory/2864-57-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2864-46-0x0000000005060000-0x00000000052B7000-memory.dmp

Filesize
2.3MB

Download
memory/2864-44-0x0000000005060000-0x00000000052B7000-memory.dmp

Filesize
2.3MB

Download
memory/2972-946-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-892-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-912-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-910-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-908-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-906-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-904-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-932-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-930-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-926-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-925-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-922-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-920-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-918-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-902-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-900-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-898-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-896-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-894-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-914-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-890-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-889-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-929-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-948-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-916-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-944-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-942-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-940-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-938-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-936-0x00000000024F0000-0x0000000002601000-memory.dmp

Filesize
1.1MB

Download
memory/2972-8785-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2972-48-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2972-47-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2972-45-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2972-59-0x0000000075EC0000-0x0000000075F07000-memory.dmp

Filesize
284KB

Download
memory/2976-886-0x0000000004F70000-0x00000000051C7000-memory.dmp

Filesize
2.3MB

Download
memory/2976-17526-0x0000000004F70000-0x00000000051C7000-memory.dmp

Filesize
2.3MB

Download
memory/2976-885-0x0000000004F70000-0x00000000051C7000-memory.dmp

Filesize
2.3MB

Download
memory/3752-887-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3752-17502-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download