cybergate | ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Size

907KB
MD5

26ea14da98482ae649cc2c8bbb7424d0
SHA1

9ec86f9604c780d916200487670377d3404ff528
SHA256

ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878
SHA512

64c7468bcd63d210762918f1481ca3f68559248979ecb8f560c6848d61c82d29016cf9e483523a4978fe8bb860fdc9d38da56c5c37363a4f1b62447b15f46f61
SSDEEP

12288:1HLUMuiv9RgfSjAzRtyey5fqBhoC6bunRiSzp0/du8VihHwTrr9AJZGeR3p+PD7e:9tARIkToC6qnL3qihHIKJZGeFg/e

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

201.233.66.121:81

Mutex

Microsoft Firewal

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
Svchost.exe
install_dir
Software Distribution
install_file
wmplayer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
Actualizacion 2.2.3
regkey_hklm
Inicio del Sistema

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}\StubPath = "C:\\Windows\\Software Distribution\\wmplayer.exe Restart"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EW1T5IA-LJAA-K258-R6H1-1808U4C1IYF5}\StubPath = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmplayer.exe

Executes dropped EXE 5 IoCs

pid	Process
6872	wmplayer.exe
6904	wmplayer.exe
6992	wmplayer.exe
920	wmplayer.exe
1192	wmplayer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Inicio del Sistema = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Actualizacion 2.2.3 = "C:\\Windows\\Software Distribution\\wmplayer.exe"	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5036-4-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe
behavioral2/memory/6872-1377-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe
behavioral2/memory/920-2115-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe
behavioral2/memory/920-2149-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 6872 set thread context of 6904	6872	wmplayer.exe	93
PID 920 set thread context of 1192	920	wmplayer.exe	97

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/4796-1-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/4796-3-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/5036-4-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/4796-6-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/4796-5-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/4796-33-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/704-700-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/4796-699-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/4796-1367-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c6f-1369.dat	upx
behavioral2/memory/6904-1375-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/6872-1377-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/6904-2059-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/920-2115-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/1192-2119-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/920-2149-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/1192-2154-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Software Distribution\wmplayer.exe	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
File opened for modification	C:\Windows\Software Distribution\wmplayer.exe	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
File opened for modification	C:\Windows\Software Distribution\wmplayer.exe	wmplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
448	4968	WerFault.exe	87
4556	1192	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
6904	wmplayer.exe
6904	wmplayer.exe
6904	wmplayer.exe
6904	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe
6992	wmplayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6992	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6992	wmplayer.exe
Token: SeDebugPrivilege	6992	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 5036 wrote to memory of 4796	5036	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	86
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56
PID 4796 wrote to memory of 3524	4796	ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3080
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3836
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3932
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:612
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3416
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2356
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4440
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4540
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2124
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:4864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3848
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4024
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:5168
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:6824
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:6924
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:6240
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:6616

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1680

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2744

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
  "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 844
        5⤵
        Program crash
        
        PID:448
  - - C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe
      "C:\Users\Admin\AppData\Local\Temp\ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878N.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:704
    - - C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6872
      - C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6904
        
        C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:6992
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\codes de aplicacion que oculta archivos y carpetas by retroblackztar.txt
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\Software Distribution\wmplayer.exe
        
        "C:\Windows\Software Distribution\wmplayer.exe"
        9⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 540
        10⤵
        Program crash
        
        PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968
  2⤵
  PID:4044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1192 -ip 1192
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
606KB

MD5
87d6dbcabec22c31dda4cec4203a630e

SHA1
870cec6f5654a9ad203443500985c49329772257

SHA256
75d12e2a9f84a6d6a7c1bbfbffa74e54d07a666bc7698051d346ff04618c89af

SHA512
f7e914b6be1add64e59da91ca2ef3b7c00c1cbddcfe533a2e24531f8c3e73540682a4ca78a8e0a4c85fd7c1126efcab16f45336a454625ef0a5e350e5fbd501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
606KB

MD5
6cad9526f15616a6efeb2fd25c1152aa

SHA1
061bdc8c87b76262b15d8ebcf9953ec00f364482

SHA256
01ec3f98055c7561f38a7d6d9a9904726337ff2ab43a38acf7bc1c0554782e43

SHA512
e7ae8181f0763cca47a60002bde04652725a6f69808be12a385b208d7f60fd1da6b591feffdf97e53b5c56e062160e1ca48ee7afd32c333871c651718b2b4bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a53559becfd21f1b58beb6fb46a8057e

SHA1
9ec70d497c44b48c1f11d42298bb2229f198fa68

SHA256
c5caa058698f6e06e4fede6dea366a4e9e63bf4bd659e0ccdeb7918492283c16

SHA512
5eb8ab9e60415536feee865ce77c2a09398a0050d31693a166215c69a7bc1bdf360a5af663eb5089e0df2b4b34e54432325de6a99e06a6c9ce767f27d5bb318e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1decbb0b77998141b0705350977ae18

SHA1
d830e4ec2584e818f7bfc07c21dc471226adf93c

SHA256
be4cdf80ee082283193122d5fe707613361dcddd78dd5a52e3fb88425ffcbca9

SHA512
5956a7cfe9df21a88be6bc713a6ecc0ea2ebabb75034253b5e7e8a9ee6a7677777ead4955855f7a3a643003b2db052764b9d21743404ec602094bfe571ebd1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f3a042e9d0fe6aa22da214c72cd59fd

SHA1
a56788726c131e9af468e9b7e981028632a3a35e

SHA256
cdc9f47f85d45e4f31b32758cbeda69d7a06b593848a86481283c68b6332d7cf

SHA512
91720669d6f60db57753799ccb29af40f2b2929b7f82fbbb7967ed4d0b531d6b5abdb9791ab884776d4607f5018d5863f02d7ffb98b063881b26db0725ec601f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec9f1a6946a90156877def946ff06e37

SHA1
5f7c781d945d581b20fa58c293ffae69f1fcddb0

SHA256
1e567a1b52ebad5650825fdebae278f1fa82832389c07a549e50240eb6c6cb70

SHA512
ea36a09fc7b559d19f0b8dccc64312d2468d2fe4fac06fab76210bfed1e6abcd7ba4e53af7c6b6a513dc21284e3ec81d24ddb995640628a69db53c6762198b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c277cdf0f8e1dfb6e00c418789a3439d

SHA1
4c2e2a6fe4dbfc33bddbb1dbac4ca5d1a24b27c3

SHA256
53e8dbc31195d87f0b5bd1369b394ba8de9627080e9473b0b8b5d7190a27902c

SHA512
3d7ac071a8659b6afbb8a6ffc0e30a030b4b9b89845b2da119b577b938a09591487314ff4ffb6e120cd5815c573777fec34d2a3e51d882d481c36d085c1a6e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a82d5f624c6d9576f0ca77ef4b9d1bc0

SHA1
62d2b7b21204c4a527651a026fdad857c0a1d423

SHA256
3c902021d518ed08a52956148b4636e790218f59a2b5d7f5ded5bb2222097ba9

SHA512
8b826ef315d9a1cd36cdca339c95c53577faa1a252f7edc07f27d1d63bed6605a7afdf588a6ed334097dbc5a5a0e43fa8739e27ef3a2b8e58ca93df45ab33d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
870a5dc8d01f4da7eb076c89cede82b0

SHA1
af4d557eb691e1cf4e44643a83c3f5f2989ec903

SHA256
f768ff50402b0de7d26ae072d50be212f43eefd9b4f8f47b648b958cc3e1eaa1

SHA512
fca838c29f7f2090e25ed038b54767ab3a61fe5b6a2a2ca5ffdb2aca7d55e5fe34b8d5fbe1a980498fcdd0f33bb32e9f0ea2e01129a28dd0494dc814259f2621

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d62a2c35f144815e9a92295c6d2da11b

SHA1
52269fb4bce8769c7288ccc640705f7cc1c649bf

SHA256
9cdcbb1db52e9786ec26b4471e0e409dc7c9eef041ab9e568d30773dff23c29c

SHA512
eff99d74ded1ea3a205319d18b2989723d4a827d63081cd3fa9c3eb9dd705b6e9649dc866a6b7ab6107ce5618c5fea9923d1cc6c725d94cb3754add584731fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08f524da18b3f547fce7557c9676dea4

SHA1
a2b2c3e7ec55a0686c160757667dbb196dcf2c67

SHA256
e128972e173908971d10551df27d445cd18539cdd2c154c58394832baf9c48db

SHA512
6cec85a7180383198116e919a0e13427e0b6ef65c95d4c3b08232f0f650dbd5831077d1e4cae9d37fdab265ed1dfc64da8b5066cafdfca266c9cef960a5afd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4434362322cb311e3dfb54133860824c

SHA1
600833224457f4ec49c1023b156af812e4cd3b3b

SHA256
62774817255ae9a2afa34eca9f17540c9942d56b4b033f00baacd702482ca343

SHA512
c39c683d20b945b343558b6346e21afbfce2666a941bd9457767dcb104c517a22685965da6c1c21e01c7459741c6b020a7ba6030c7323868664792e5bcf4f5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
977453172419a991cffee4a8e8b3917e

SHA1
7749b3eb5ea244494a7807b8d99f39fad9c09822

SHA256
6e62e5a9b2ccf5b74e2665b38c9281dde4ed077bbb9b00a477c2dd6cce653b5d

SHA512
c429c6e8a1153cf584380a4c3b291e85e8607f848a065228cea92067a468df21bc2ca27a0add8868d48ba771e4f2d8f6f04ab32251bf46ec3ca8bae238a65cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ede329bf5d438717b2bc135d4ce304c

SHA1
b9be52d1cd2db582f8c0855972c28f5be7e5dc7c

SHA256
0b1c829dcbad05aa759cdc4ef81a70d8df0162c57f311bdfd858d9ca93a2e9fe

SHA512
3b781e6e7028857d1a1b4bd886849d79aff80a95b53c8397b5a86fc4f3905567d723dcda5fd2cb78961b729c6a2360459883929a2d5c1722718d2f8a9cd76330

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06fd8c4997fbd4270b392ebf60a77545

SHA1
ea28ba069013d938d77cda26d0e87f0d0b5d4b74

SHA256
e41a7b1d68351bda99e75ea0a45a15fceb5fc55bba6085cd3940f46767555b47

SHA512
9f43be6c36f1a87f3b5b3baed472dddd9c028589292ce109b4d58abd8e5ce9dda374019260d55e1e4647661c878cb50286f5704edf58a195d0a39899ef700283

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ff421d94aa0bd0c3a6623219367bf97

SHA1
44c183ecfb1340f66c9328b7254c3b048347521d

SHA256
9e570e871427f56ea932cef64014ec7dc44b97a33e5282dd9fcb39c7c9448805

SHA512
8346347e317d0aec238092fa9b4b8ae7aff8fb55f935d356058ee1a9cdcf6e290ac7a05668b8b4557e74182b970eece494bfe036bf4b86656b29a99eb729ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea9dd8a8b9a3b4d910532ab53068d5c2

SHA1
a81e60442aa8c8519be799dfc7d8b4611b736f95

SHA256
8fbf9f673b46033c73fc6f4fe8f8ecd5ce6dae5ec50d99c432974cd72e4f3e06

SHA512
18f66a79913b38e81878bc5e05203b264f1a5a04b2b02878f225c8df5aa86a1967e2a19594c48a919a2b575632d25aa5d983ac7bfd676d4fa7377d4051665616

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
87902cc98b2f21a647b69d2c2747c45d

SHA1
53fd97704b5c981af46f33267c6f749e9ad1391a

SHA256
fa3e4dc025ce3f8c4f73ec6c54117fb636ed3c6a8722d8c0217f9b40e4ca3514

SHA512
839f36aa48a0fca6b10af94b5e3f949a6cc2212dbc96767c54e48a851130bf00318805c504f960db0cd43e7ab6987243f6d2599b60ab4c5e1c0904d366f892f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e06266b3e1272ac134f6a0481d2b8a20

SHA1
7995cbf0d43fbb7b48d56cfa4b053995b998f12a

SHA256
3e8de25162f1332fde0eece348451a377d6837976555a384fb44a5a7a341c4e9

SHA512
48e4429938ccac2116060707c1b5b7ef85941baa9e86d2d0bd793877a977eb1f2bdf459aa60aa4cff87042b555645e73473d23608ce702803f3306e6272f7b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bf2c740c53ebca1b41b93a5fd60fd63

SHA1
6865e09012b044d4aa752831c68d27f3ae18fa3d

SHA256
b43dfa5696d4152b8c26467a17f13dbfe713f7e7efde64e45afedad36e19558d

SHA512
b700a5cc7bc0233e43f2187b69f6458c54bc74e3e4f499b88e1f177b25f291b80bb2ec048f49d9472a98b02a471bb542d5588aee2fc05efa5cbfd210d2d380b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
332d6522a2a6d487d6bf4b2a2be055b2

SHA1
ea584786931f83027d99bd7d21ad79623b65469d

SHA256
942baa84698e32eaeb88698b5cc22afe841ed2cd678ebc06aa28b16aa7819695

SHA512
d31281599095ffb516101549fcbecac5806a5126425d0079ab69731288ef1a64f7d0085ffe5a0058e340149675126a2a8c8a695ae0b67ae1f023463a5bb3d381

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
139f8e136165fa31087f6631c8966ba2

SHA1
3f11532a8faa9e452c07e8fccb83d8fdcc10834e

SHA256
9b94e00f02c2ae835bbb3248f221fcc32e5b25c7e93f723f6199143d49c03ed2

SHA512
12302595200adc418b46b06b0df7cabce210f060e175a217c7f230b3df70dcb31f204387583920b7a150ff47534fd3868b6e0bdf1cc0110e0f4bf634d530e170

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3526d8b3d1d8e928aa87975966c4ff91

SHA1
ac82fc12744967eeaccd41b8eb0bab402600e78f

SHA256
085280ffafe8d0c7830b674def57a03271e38029060016d864ebd91ad42fd05d

SHA512
4c8731c2ee6e688ed5bb470df81bfa2fc88b14edbd80d61a1e131d0b59b9107bbf3642c8d36ecbcc0ec7f8a0e624a252df4064b5829753f586fcae7cc9f1c648

Download Submit
C:\Users\Admin\AppData\Local\Temp\codes de aplicacion que oculta archivos y carpetas by retroblackztar.txt

Filesize
1KB

MD5
1e0c0ab1799e78cd32e0a6f96da61aea

SHA1
4631b87d2f08f7e1aad68f7e44e3cea102eac214

SHA256
53acc4313b47638643cfe6389e29f7849a14cb69766ac02b192682701d3889b7

SHA512
505361dbcfada713778c610a8a31f42bdf87ed83cd2269999622a7044651b91f40782ae62eac6909de53cd87516fb47159a7948709401f49d908350f1bf8831b

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\Software Distribution\wmplayer.exe

Filesize
907KB

MD5
26ea14da98482ae649cc2c8bbb7424d0

SHA1
9ec86f9604c780d916200487670377d3404ff528

SHA256
ab9c3e608c8d019feef8168a6788e0889d8a562d0d86032b8a3c161dcd31b878

SHA512
64c7468bcd63d210762918f1481ca3f68559248979ecb8f560c6848d61c82d29016cf9e483523a4978fe8bb860fdc9d38da56c5c37363a4f1b62447b15f46f61

Download Submit
memory/704-700-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/920-2149-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/920-2115-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-2154-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1192-2119-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-6-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-3-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-16-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4796-5-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-1367-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-699-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-10-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/4796-1-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4796-33-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4968-18-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4968-17-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4968-686-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4968-1379-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/5036-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5036-4-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/6872-1377-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/6904-1375-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/6904-2059-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download