cybergate | ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Size

907KB
MD5

26ea14da98482ae649cc2c8bbb7424d0
SHA1

9ec86f9604c780d916200487670377d3404ff528
SHA256

ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878
SHA512

64c7468bcd63d210762918f1481ca3f68559248979ecb8f560c6848d61c82d29016cf9e483523a4978fe8bb860fdc9d38da56c5c37363a4f1b62447b15f46f61
SSDEEP

12288:1HLUMuiv9RgfSjAzRtyey5fqBhoC6bunRiSzp0/du8VihHwTrr9AJZGeR3p+PD7e:9tARIkToC6qnL3qihHIKJZGeFg/e

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

201.233.66.121:81

Mutex

Microsoft Firewal

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
Svchost.exe
install_dir
Software Distribution
install_file
wmplayer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
Actualizacion 2.2.3
regkey_hklm
Inicio del Sistema

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}\StubPath = "C:\\Windows\\Software Distribution\\wmplayer.exe Restart"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}\StubPath = "C:\\Windows\\Software Distribution\\wmplayer.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1848	wmplayer.exe
644	wmplayer.exe

Loads dropped DLL 2 IoCs

pid	Process
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Inicio del Sistema = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Actualizacion 2.2.3 = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2296-10-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe
behavioral1/memory/1848-9735-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 1848 set thread context of 644	1848	wmplayer.exe	36

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-0-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2512-3-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-11-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-14-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-15-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-12-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2296-10-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2512-13-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-7-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-5-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2512-2760-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/files/0x0009000000015cdd-6036.dat	upx
behavioral1/memory/3260-6062-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2512-9412-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/3260-9723-0x0000000011B60000-0x0000000011C5C000-memory.dmp	upx
behavioral1/memory/1848-9735-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/644-20612-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/3260-20613-0x0000000000400000-0x00000000004FC000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Software Distribution\wmplayer.exe	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
File opened for modification	C:\Windows\Software Distribution\wmplayer.exe	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
File opened for modification	C:\Windows\Software Distribution\wmplayer.exe	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
File opened for modification	C:\Windows\Software Distribution\	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Token: SeDebugPrivilege	3260	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2296 wrote to memory of 2512	2296	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	30
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21
PID 2512 wrote to memory of 1180	2512	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1016
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1772
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:7676
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:15496
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1020
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1044
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1136
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:748
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2232
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2324
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
  "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:8180
  - - C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
      "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3260
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\codes de aplicacion que oculta archivos y carpetas by retroblackztar.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8816
    - - C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        6⤵
        Executes dropped EXE
        
        PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
606KB

MD5
87d6dbcabec22c31dda4cec4203a630e

SHA1
870cec6f5654a9ad203443500985c49329772257

SHA256
75d12e2a9f84a6d6a7c1bbfbffa74e54d07a666bc7698051d346ff04618c89af

SHA512
f7e914b6be1add64e59da91ca2ef3b7c00c1cbddcfe533a2e24531f8c3e73540682a4ca78a8e0a4c85fd7c1126efcab16f45336a454625ef0a5e350e5fbd501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e58b5def402d58351ebe9f55d537f4c1

SHA1
6effa6776286543ffafbfb8eecfde0e37be03c68

SHA256
1d605819c1244c4b21afc33af8f0a518041c4211b71b58c1cb196bef12fafacc

SHA512
f72d134f247df94e72f363f8878b7407884e1f7435a3042a5874c5fc60b9d2366ce186bbab565716051b9de72884ef09ac5e01a82aec21241058aec7490a030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c9dd6fc4c19972c8c9fc15788363b66c

SHA1
05b4ad8ba9fcd282f74721741d4efee9cb7bc02c

SHA256
bf807714c169dd032afb3c4977b4731006d8e062239d691cb69723041de4f950

SHA512
1782c17301e51a2db0043fda32243aeec82c2a36b18b24c91d727d1e08a6a225aea2663caed8a4fb2f89c70a2f185d58675c165204cdefaa521dc432fba58e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03bb74cd251f8d483159820107c39346

SHA1
f3c5824688db55086926b8a37c0d5a67734e276c

SHA256
b5e3f988aa7b8be970e356ee73b8fb4318a8da84acc67949b13d3dd07860a040

SHA512
590b70dcbd2d416ab9dcb30b27aa20adc12f0229e11c51a46e72d74a9b2a79b38954ac2b55459b83f8a4c65e7bd3851b07eccf18cb9a6cf8b0b12e5b644c2e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b810f336a7aa762786b433eb0b6ca618

SHA1
88428f993dbddbf01ecbc3219c49645ca6e27320

SHA256
1629dbf06626f252712d26eccdda32f228b242958ae6c8d50e749d08940a1b6e

SHA512
a60beafb7e94d97642d77962cc39fcfa5d3f31b9375cd67ee2a1bd7b221ee68602bcb0adbc66c02dc3739ef45fe7f4634354b57c191557df1a675bc603cb5258

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
645857ab07a2b6471a81c88e580fe264

SHA1
0756a685a3c0d86ad694d49752114aa7c059fbce

SHA256
d6d4a3020ad3cc92d63a4f438f8553be754161a21ef6f960bab1b72393db0ee4

SHA512
55c572a72e02a7685c43ec7aff522a9bb59e199d0c9c2a90bfef68b658261d60b9997d7fd5849fc5dc07cfa59d9d894d4f9a5c659e3ea3cad1b3a140cbdd6e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bddbbb7bc167669bc169e321d5fbb24

SHA1
e3313c2e6ef3f081d7e7a6976d48d32118646441

SHA256
5bea8f818741fdbf0c0901e6439284f987ecdf274d36a5049f58c171817750cf

SHA512
6339e1c8be1e697350a44b508b215c56200edda51e10ad2217919e25c7fe88a57a1deb1e97107f78be5bf8f5fe0c215b1f01596cadd2c238b0916dba7c4b8b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f3e5328d073830f8bde844f74703b1b

SHA1
3c1c0341eceafac2bf9dbe40a619428cb8bc6b70

SHA256
62965de7681dda3475db58481bd4ddba68f8b0443aee7773c6b75f1f0e215bd1

SHA512
1c2de4687f955496e086765451372b9c8b46c297cb1105d07f75022b9d1b53fbcc487a64a02c83950aaa3e33af8290169227a12df7c6870e28ed6c7a564a98a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7d518fb16b313168250d6cd2653a2f3

SHA1
41fd998ea28340695316f9c615ccced2b5399cdc

SHA256
2079485ef9db70e2da1639f58765e5f347885912d225fd8c06ae5c59817da77a

SHA512
5f680e7b9844dfb553391f965151071ecc97ba293194b39b8e4676995a15b35ff8759f112f71adac29b7621148b625168016c18c5d1b4b31d3c6863e00745043

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba1430fd83e8c7fa4f5ecece669c3294

SHA1
a5b6030b55fb645203681c1c0125d94f39e173ee

SHA256
c692db54fbaeaec67f4f388f1fe450ea2ae55ab0a0484f9f68f3f545db6aa54e

SHA512
42fbb1dbc15d7885ba4986dfb9f603b8e71783a87f9f59963e4cdc9b43d2583e798766d0503935fbd4e6bb2edc9d40819c60d08a15aff9b5533bb91309636942

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2bcf149e1a55612b8ddb3e892db24e89

SHA1
3b81623a2a100cb948955021622106f301475522

SHA256
5f2246f5f02e7e2981c938a6c47fb8c2edf65c87cc579121e99572427b5ff6a4

SHA512
7ad8ef8f4bc68deb6fb91015f919943b3f454f4bb0818381f4a5db37252597d8715956054b46b0a845340b67a91834d4f40966492934d76f540c7b91c9d57730

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15fa9e8d1fd68f3609340eeb151fda84

SHA1
1609704b479bc61143ef80a4cca00519300770e3

SHA256
ff7e82c41eae8732d0789822587d327b8004e09fc41afb32db87e7ccd5305bee

SHA512
c63f9a5cf26f94f6e9206f6e9eb42cf000743095610a612942d6c0f6493fc074317dfbda53bc34de2f7069b4d99d39b0789100a606607cd0de5a8e28463e99fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f45540d12edc3044b9fb68175cd3c4db

SHA1
de89213e26c08f856d5aa02fad0fdf993be708b8

SHA256
28404f56fb28adf7e2e2033db5ceebcec8920b20f4ca208d087d147c98d90584

SHA512
ac71b3e6ec3435783e4a61c668812471022e788c3c856df9a143e0b7923b38467a7e576d7f92a53a5d9e3d22ae7534334ddb3df105bbade0937fbc1a766558e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a675b249fe5beb6cc6a4d76600acfca4

SHA1
9558f52e1dd3de9e8ec406423ecc3ff781683d6c

SHA256
5e6fef1582df5d04f8a3b449a055946659711041a579426dd7768e20e69f9a9f

SHA512
51051d3b29db11e493475212e46fa777bccfc68b8883631bf48265c09741a4c9e818fcc72edb8ac61ce842354a206409d62247527d9301a4d3835e37033f2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cffc9c4469774d6c2467ddf01388785a

SHA1
d86fbcdceccfc31625ac38e90cc9c51ef343acfe

SHA256
596e9a28fdac55a1d51e7253ff5df4af267565c3734a5f09447b95bca40a5ebe

SHA512
504bf8b813e29e310b00cd54017797b19ce1ade642421aae64aff8624446af8fbbdec3f3dc203c0e67245edce80f9fb9585185e51ba1bfcf256ba5dd77e38278

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c6b171624653b1d8de082bb0d1eac3b

SHA1
53d3eaea7ee0e2bd29060422ceb51f374c695a93

SHA256
d741476ab50f19f428e99decc38f25619a3aebd2d26006c2fd3045849fc92491

SHA512
8c5a4865f7121db16c66c6a9a89ac0e2d4554d413cdf402aab90d5be393241a958416f3e77ca1e54db3d5267d5561332ff5efa0337752cfca052589829e08109

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
071a3ba5e9b20b0d0b6d5ad558b3fea4

SHA1
48e0ab9f275a6cf305eb566e4d689c87b461a1b9

SHA256
8c0a8789a3ae8433d6427618fb9b3cef2153882e8dcabd1ceba0f7d10c79759b

SHA512
b04f17d1030f493e4fe735fa8a13056d5ef3f6a3c7c3f86596a77e9114ef4e8229088ad73d031f821c94321d6cdc0ab9aeb2f02d53c98534010575dca899df74

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
563737c029c52f6f7abb43a2a7fc9954

SHA1
db79005a86742e4f4743c4e6bee51c7e0a1030d8

SHA256
f1d2daa6b33b20d3f994bd3197aa78fc011534048983fc7a8d08719b0561e4f9

SHA512
e04165d88ce13de16a2e6cc7979d361461c179e24ffecb7c4c9118e99acd4615ba2bfdb1f59af340b2215b01f642f0a7d8cafeda08b04e1219f7da53f8786df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
774bba31fc546cabd7c925db29add5e6

SHA1
52b40739dab02bb9f52626977500737ba9caf4a6

SHA256
3d173246683baeca265943ca3c69cceba1314f3da2ec6689925c4c29a074143a

SHA512
e4389c706222724d37561fc3e036b3660f111b7979d7bff9392522ab8d88c6df846d734c53eb4bce9aa076fad45639177aaff6a2b490874710c96c55852e5b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bb5e8be5d311a8cd6acc8afa5e86bdce

SHA1
456deaf4aaf5652812b67e812b09d70772d6d405

SHA256
d76c4681004367f21a54c9a7dd6ca52b25d2b24a2d1a8afc73cccf2e053cadd8

SHA512
0ac08ece59dbe3d82568d3b6ace7fe9be4d70c2fbc12726290e568a5bbdef907c13253f816bf7912ef68fdf11afdac5a619c9c8811be14560ab2e68232f0219a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
44c9d39ab3f030ee8ae497362675e8fe

SHA1
d50358302fe4179e3319f325480e9c2204336a1d

SHA256
f23ebc2466c3c31a3ced43eead34f9ed311b77f3ac1b0631b85d8b7e8c9ba823

SHA512
7cb1f8801fe23137d68335ad4ce4d7f75925eae129554056f86978fd447c45f01b00df3204fe5a787d0e046a9a121986decfe13c26eefc37d2536a32669c5145

Download Submit
C:\Users\Admin\AppData\Local\Temp\codes de aplicacion que oculta archivos y carpetas by retroblackztar.txt

Filesize
1KB

MD5
1e0c0ab1799e78cd32e0a6f96da61aea

SHA1
4631b87d2f08f7e1aad68f7e44e3cea102eac214

SHA256
53acc4313b47638643cfe6389e29f7849a14cb69766ac02b192682701d3889b7

SHA512
505361dbcfada713778c610a8a31f42bdf87ed83cd2269999622a7044651b91f40782ae62eac6909de53cd87516fb47159a7948709401f49d908350f1bf8831b

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\Software Distribution\wmplayer.exe

Filesize
907KB

MD5
26ea14da98482ae649cc2c8bbb7424d0

SHA1
9ec86f9604c780d916200487670377d3404ff528

SHA256
ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878

SHA512
64c7468bcd63d210762918f1481ca3f68559248979ecb8f560c6848d61c82d29016cf9e483523a4978fe8bb860fdc9d38da56c5c37363a4f1b62447b15f46f61

Download Submit
memory/644-20612-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1180-19-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1848-9735-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2296-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2296-10-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2512-2760-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-5-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-3-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-11-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-14-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-15-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-12-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-9412-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-6061-0x00000000023C0000-0x00000000024BC000-memory.dmp

Filesize
1008KB

Download
memory/2512-13-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-1-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2512-7-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3260-9723-0x0000000011B60000-0x0000000011C5C000-memory.dmp

Filesize
1008KB

Download
memory/3260-6062-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3260-20616-0x0000000011B60000-0x0000000011C5C000-memory.dmp

Filesize
1008KB

Download
memory/3260-9724-0x0000000011B60000-0x0000000011C5C000-memory.dmp

Filesize
1008KB

Download
memory/3260-20613-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3260-20614-0x0000000011B60000-0x0000000011C5C000-memory.dmp

Filesize
1008KB

Download
memory/8180-2702-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/8180-6034-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/8180-2768-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/8180-20603-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download