Overview

overview

10

Static

static

3

2b36ac84fc...1N.exe

windows7-x64

10

2b36ac84fc...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b36ac84fcaf5b888f8ed974369a858d9dd5e3ca2e7ff3be4e0ac697c7177581N.exe

  • Size

    1.0MB

  • MD5

    bb64bee2678c3ad97a8d1243f25f1020

  • SHA1

    89a98429a22ddf320a87d1d48d09869858c4d9c7

  • SHA256

    2b36ac84fcaf5b888f8ed974369a858d9dd5e3ca2e7ff3be4e0ac697c7177581

  • SHA512

    e9b49a3f54db702b325ba8c1480690cba32462446228523f9b2be069e71eef170c4c9ad7d6d0dc8df37a0423af8228e38d1bb84da713cc7873e0a8f50a6e9026

  • SSDEEP

    24576:0NA3R5drX4GcPNYCgLplxEMJ7cPbLLnhyRWG+pkllQORg:V5/cPuRrxEM9CXN6WGmOi

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b36ac84fcaf5b888f8ed974369a858d9dd5e3ca2e7ff3be4e0ac697c7177581N.exe
    "C:\Users\Admin\AppData\Local\Temp\2b36ac84fcaf5b888f8ed974369a858d9dd5e3ca2e7ff3be4e0ac697c7177581N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sifhxtr.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Users\Admin\AppData\Local\Temp\shtuid.sfx.exe
        shtuid.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pyjfoalepodtyadfdyehngfszalhmuiofxvflffugyRhvqxsdfHbgnmeU
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Local\Temp\shtuid.exe
          "C:\Users\Admin\AppData\Local\Temp\shtuid.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gfgdf.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2332
            • C:\Users\Admin\AppData\Roaming\gdbfxn.sfx.exe
              gdbfxn.sfx.exe -dC:\Users\Admin\AppData\Roaming -ptyuhngfszafupbodgeyhrntdesczopthnymkdesyRhvqxsdfHbgnmeL
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4300
              • C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                "C:\Users\Admin\AppData\Roaming\gdbfxn.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2300
                • C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2304
                  • C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                    "C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4124
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1912
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:5088
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      C:\Users\Admin\AppData\Local\Temp\UpdateManager\gdbfxn.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:972
                • C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1080
                • C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  C:\Users\Admin\AppData\Roaming\gdbfxn.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1752
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B34.tmp" /F
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4976
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pago20.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4068
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F3FFE4370D8463491F9C7E6EBA761CF --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1040
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=538B0FE0772EDB6E933F8E9DB7EACEF7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=538B0FE0772EDB6E933F8E9DB7EACEF7 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2140
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0654A6466D4793B9B7B2610F6E087E5F --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2384
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EF5CCA39ECED536FF57B3E535D6C070 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4272
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5F8FFE53F23A9AFB248321FB77221538 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5F8FFE53F23A9AFB248321FB77221538 --renderer-client-id=6 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4300
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=47EB484BB2C843AEDA8297CC34D930B5 --mojo-platform-channel-handle=2736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:232
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:2884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      36KB

      MD5

      b30d3becc8731792523d599d949e63f5

      SHA1

      19350257e42d7aee17fb3bf139a9d3adb330fad4

      SHA256

      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

      SHA512

      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      56KB

      MD5

      752a1f26b18748311b691c7d8fc20633

      SHA1

      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

      SHA256

      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

      SHA512

      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      64KB

      MD5

      164e3a501ba83ec7042cebeed7cec141

      SHA1

      c33bf6b62afee999cbd0640b5ea1dd37873fb23e

      SHA256

      26c705bae72cf582b3280db67b2c463b56e4a3c063c03f7e0ff7d46d26254b2d

      SHA512

      a8841037ecc0fde3dce5a6e5e2bf0058e246844ebc0a93d2cdc788cb13b994b68f75b629087ec4f7b8d4699c1b93f0b69f5962267ddcd77172b1a0f9a5af9688

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gdbfxn.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Pago20.pdf
      Filesize

      30KB

      MD5

      fa0a0bc195062f035e0b7971ead10491

      SHA1

      ca2d4bd456ccba9fceb3f2b9ffefeb59615e12c9

      SHA256

      7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d

      SHA512

      c5a47170ad1ec061b37fd8c0726998400b144decccee65b9225184425da047e7abe007e17197c8423a5d9331c751d7f7d0512fa48de3fecbca0a5989e5c42ae4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\shtuid.exe
      Filesize

      622KB

      MD5

      7c1185d81f87bcedb2eb2060f6e43b39

      SHA1

      cf1dad12725cb9d42be12b6ee79a492c5808ea2b

      SHA256

      378521d47e91640b5eb6015a46bd4e07bdb4a823e7cf056ce5623bcb31e0568f

      SHA512

      7fe26ef5056a6a90d2ae1f46b5300d6be8980c54ec35766dff38c1e4f16f24821c95d742a6ceb6512e6333329c8d4a6b3e3174732efcb8ecafb63aa1d7314576

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\shtuid.sfx.exe
      Filesize

      776KB

      MD5

      3b63a9e19434b6ad83825cb9d5d9fe45

      SHA1

      77db1260bf42aea137e9ce4fbb5ad77f06a44631

      SHA256

      c4b4f4273ecfa0817bee21a3c1252795a8bcb4ea1d19fc019dcd4ab51c6ae95d

      SHA512

      08ea176dd8a1a817ce2a38f837389e8a15474dded9459a17e23036200f0c254cef384c5d73751d624a036c1b3ba87c7bdb2819bd3a5a14f113e2031a0ebcb965

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sifhxtr.cmd
      Filesize

      18KB

      MD5

      acf982e756017cd7e1f2e6391652442f

      SHA1

      84def5229cf1f85c91a730e3b221b40fb320c851

      SHA256

      f043c184340ea5bf28f095374a1b85ea844e87573b77c6b01c077bd4d167f977

      SHA512

      7f80503c65f272c64d27ee4b588316268953fd4e4909529904207a2a918ce05ddeb8e22951ded24ecf18851e44d2734c89704a573e3bc24f84ccd12136e82e65

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8B34.tmp
      Filesize

      1KB

      MD5

      5261c036f1ca199ad1a69a6bab8f0ed3

      SHA1

      b02f0d9141a904a1a629bfbe2694a1cd0c08d536

      SHA256

      c8c9294cdc2d1191ae0eaefbe969061e204d5b5858656ee4514c7eccc121d66e

      SHA512

      219dae74c2fadf774108efe2ba42587524a76150e5d118b21c9ebdf96c38a108fb90422838a65e61e4398bc164bf09a8c1fa8ad34db91a046301d2660aed2112

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gdbfxn.exe
      Filesize

      252KB

      MD5

      95114ee4faf8ca38611e81d5e6395db0

      SHA1

      e0a6b16b2a8357c2dc191e8a96dfd2c7cde216f3

      SHA256

      e0a74972b31b4ebfc9e3b6e2d2330b6f726ffbe8b31f9057ba62d096516bb3fb

      SHA512

      f26f8c2c709f8898950b280aafc636da8e301c8fb9794f04298b01c403e5fc22e65fdc6e38555b139437c298a7703a326147df2c9e3b0a933b98c8cacbdff225

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gdbfxn.sfx.exe
      Filesize

      481KB

      MD5

      160d9d47abc4052297a9261fd33bfd7f

      SHA1

      e9d70901e7c9ea80a37275b0a877f4dda9a0ec80

      SHA256

      690534b998cc62f7e17629fd27a217882d9503fa8d0ca6cc85b08349e7985961

      SHA512

      bc585f9f563c33366a244495f701403daf7676e2ba15b3677364b1f0504546255e6fcd69c833a6007a02735d066080c68f74aa42ef458ac6c4f9e9c0728888d4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gfgdf.bat
      Filesize

      18KB

      MD5

      5cf9fd93b1460af90b20555cd78cb019

      SHA1

      439b87a47ac28e7549adca232b4e8737c220f215

      SHA256

      6ec30dc4bdfac5002d135329096cc57ca8b8dfa09d1ee32548a77c87905d1c36

      SHA512

      9ae4d176cf96dbfee1cc55562d060a85c93f23c76f45994001895c2f9734dcb748fbcdf98eca14afa731393343d8266947e1c2494169b6a610ebe3c5b6733c04

      Download Submit

    • memory/2300-49-0x00000000076B0000-0x0000000007C54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2300-50-0x0000000007100000-0x0000000007192000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2300-51-0x0000000004BD0000-0x0000000004BD6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2300-48-0x0000000007060000-0x00000000070FC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2300-47-0x00000000025B0000-0x00000000025F0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2300-46-0x00000000025A0000-0x00000000025A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2300-45-0x0000000000090000-0x00000000000D8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2304-52-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download