cybergate | 5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Size

662KB
MD5

3ff099ce85b4d0730540d4273444b8fe
SHA1

933e66bb416e12d70deacf23c21aa75b197c11b9
SHA256

5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b
SHA512

90d38b118b5b55bd0d372033d89b1af3a094827f00801fa0b2927fd02b2e56e3dd2e877c69db3fdf48d178f37c0cee1b81fd68cf9ffc15bc111303a60044657c
SSDEEP

12288:43fQAnUFGBEJdWuLHfBGu68zEKtzKrcVPkCjuKjQhxFta6Ios1ZVzYKj86sMbw:43VqGBEJdWMJGuXzEKtKrmlWIos1ZpYB

Score

10^/10

cybergate öííé bootkit discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

dr-dior.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Executes dropped EXE 2 IoCs

pid	Process
6712	windows.exe
2188	windows.exe

Loads dropped DLL 2 IoCs

pid	Process
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\PhysicalDrive0	windows.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 6712 set thread context of 2188	6712	windows.exe	35

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-57-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-54-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-68-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-995-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2188-3702-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2188-3932-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
2188	windows.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Token: SeDebugPrivilege	900	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2616 wrote to memory of 2660	2616	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	31
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21
PID 2660 wrote to memory of 1220	2660	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:632
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:544
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:3180
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2412
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2704
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2408
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1084
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:316
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2100
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1248
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
  "C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
    C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
      "C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:900
    - - C:\windows\SysWOW64\microsoft\windows.exe
        
        "C:\windows\system32\microsoft\windows.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6712
      - C:\windows\SysWOW64\microsoft\windows.exe
        
        C:\windows\SysWOW64\microsoft\windows.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
c2678343d5373848add08c631b0a4590

SHA1
9297d3d28bd9353e61776cc1992a1f86a58a06cf

SHA256
93a13d14c5c792c116f8ec859fbd53751c192727a0baa8c130021d204b5f78ac

SHA512
e6f6c8bfa4240735b4a0b9e58d8e757f33a8c4ab2eb5bf80265ce9dd2770c86ca981dd47d79edc0d071d9f36d428fefbe98278bf9067730794834e2ca256dd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc8ea4b384ef7ed04039b893c968ce7f

SHA1
5078f6bc50a0d05b23bf5dfdc3f1a7a00d51ae14

SHA256
ec7f91ceee3c76b88934c45389cfaa359643cbf889b96a56a83c086f873d4e1c

SHA512
ca3039544648410e67f2b918f7095fce19b2ec9fa236d39bf9d18ed4a48d3cb39561d4884096071b2782ce9b28e033ac13b2133471d8958d11522d6e5739c51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ddce233d545d67f8d45331edf3880f6e

SHA1
a6e624f65631b93f996ebb5a02272761955d0893

SHA256
dfdb550ddb117a49487c77749ccecd8bcea76985b08001bb2c26923eda71ffd5

SHA512
19df630b8dbd0ca874f93e55de987e7a300d3f4530c11797588600a0a185f6729b84726d8ba1ab90d6fbf20658ba9c624c1e1318b8970c66f74b2e292f7eef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3512358b16659b5e3ec555c1dee5561

SHA1
7c36713b703028d6c08d24928d4b96b0cfc42c2e

SHA256
2a42e136861abbc880614f36a6488b076c1c9d793ca16e921b565650affddc98

SHA512
7301ac5b9b1f9bcfb532707acbce32edaf992751823f91edd1f3417fc1dbacf058c079ccb6d849001e3f9d81bd61671f7787127875813c1a0474c8da9c92a4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f66a2093e1a5b74ad8c95db65f2a2f7

SHA1
500976f2c83ebdfcd2e4cff46713a94d601ac824

SHA256
3c58eba667a86d1da0a74a773bab6f3c9b797afd9c3286dfa72914a5ba4054ec

SHA512
070c69357f904259a719526993c63780b9edae8df76f091f6c514dfaf09aaeff5ad21471f43f8eb34a88193ff5780dba4035f50df7426a66e3f7b73a887b2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a433b651b13937cf6b9ea46ae9899049

SHA1
4695ab2e3ffb1a9dc021148bffc51698da6e263e

SHA256
b0eedb6816137320bd1c97d310c95709b7e5b63998106f0279e46ebc5acc6a13

SHA512
096375f30fce7d9c06fef74ae7e2751a41f2f39caf2321294eb13b51737ef5877d901f2e2b5c407db853b3bc95bf9acfd5e96adab2b2db58939b74173fd8aace

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c2d07557136953d06b6c8faa0262ed0

SHA1
b774644445a04e2e5cba8c0c87bc76300c9745c7

SHA256
84950bc6d8704775a5e444d636f26e2f42a632556a953312b6901abc312c780a

SHA512
32c86803801ecac942a79c623f3668ad0e7bce26a4d0256cdc71beac551b92d713291b8fffbaa7962d779509106f2c44a5f37324870b37da3e4ae40e27cb8a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
583cb2bdeef69de4f30c35b1c5ca978c

SHA1
7b82fce2ecfa0ad80cfab2dcdc7c4c9b496cf2d5

SHA256
bc08e97af70cc32c99b8908cf9f637be9440f7ad67acf97ecbea185e903aa943

SHA512
aeb5c18d586a14e71ebb6675f912196496cec0c9e96deaaa09a0028e91196f9c00e165cc5624cfed8c39f61015c95341632f927dfc1b04c5ec3799f7bdee1197

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08544f12b1897c4947e8eb075c4a38cc

SHA1
0ef9f884e03dca881d189b1f3e107f013a95db0c

SHA256
467fe4c097997bdb252eda048a52fea01f33d825f7f78fa54ef9a1537d86a87e

SHA512
b751c0bb9efe1817c474583419a14078375862d4fe853ed4476c60a09ee3c42ce65dd0ff67f56e79b005015ea3b546dad3515fc3cb4ec2bf0da81bcf1b5f6bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a84d4a4b0ecc69b30f3d2443ff3d8f8

SHA1
01f8eceadf7ccf2f965e4208ab57902fb78ecbd8

SHA256
9eb1acd86d9d2eeb21fa8e59fcc044906af6102a92c3bb7a71a6c9b0200c196d

SHA512
6665eae4bfe188321fc1b9d7ce8bc12de54d25a76b0e44bf90151d55d8f4fb13eae9cda11b97b2eefcd6dce0f0e31d52e0de496770826f66b411493f9d0b4724

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df3fa896bd77da5782795483f1ec7474

SHA1
d23e8cd865e243bf69e6516bb5eb60c8c20d40f7

SHA256
29bfe4f8d52ca8e6021af424f86a3fe256ae8b2640af8ffabe51c433254c7c5c

SHA512
766e1e80c34aa0a1ca335348d1e870b92efc2fff5cb9d9ce8e5736d7b5c625d8bdcea3e5be937d4d1fa71bb2690d418aace5b1033f4a932fe008460ae7750f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
049bcc17f5c70939246a556d389a132a

SHA1
2e4ab46f1640d2a19e9d98505c5e1a86de2b170c

SHA256
f2d4fc8485874215939dd1eb4b4b84e398f5c925d867232c76be4086abeecdfb

SHA512
0c89e6e3e6ab0db1f7cff1988af80d7a0f16fea39e38a85aa13b1595a5904af21c865554feaad3fa7e761739d35c89e55798c6c4e276efaac6beb69991fab42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
399a66fd12ff3f141a41050d363faa89

SHA1
84c082f116949efa65f56d23af632e1c7415b2e3

SHA256
26b1f555123edb8e43c2003f5f77b35a61e4927a88907abbbc25dd5601326a5f

SHA512
894f594cc50d1592104e76da3f46a8f6913a5d1d027f093163b8e256a811d4b98392bdde2655f996198229533b8592d6ee9af9dfbca4fbff7e6c03578e006fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bcde6f177654f2dea0bafab402ab5ad4

SHA1
d44c37e8c026b3fc4711a895f59d4a622329eb25

SHA256
5d54cd29e97f5dfaf6b8083c8bac525789edeb2ddf359c22bd5324c592aef25e

SHA512
f8511749ecd8cd24f1528f93093152a7afd73c23d33fe67a45527691399b5e60f21ded920acc930bdee1efbd0c502cf579d5ead6669fe266304028cccce256d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6d186520573bd969cf0b657c95e40411

SHA1
178287cec1a0e83d7680318f99d781c5a00032b9

SHA256
78b65c5158cc3b39b8e23d440b31f7ca93f668ae6e30d4ca9b864ae3a226f165

SHA512
9f3648d958da406da59814496bbb512c5bbfa424b7d9488aac62bdfad7e3a37e9a6de28d74f40590fc1e926c8b52dfbbc6450463dbb0622bd176fa97f74a81e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a55c5e83822800a956672b2b5f831b38

SHA1
91648091003f16cc5e1d4cf549842c43bd79f077

SHA256
50ab7a11ab93e7fd02cd6c102684a0553b6ff9b06efcbe382afae6197929ced6

SHA512
6b46f0d2c5a1f4df6f302cf3e62dab0cf0a4305a777917a97ad65110e38c5569681bc6ab28920a50fd1a388a23a5973c4f34400c993f45a27ad4a48d84bfc964

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
594aefbe23e53ec660c553d50a5c4dfd

SHA1
dcde5482f0cbc86003638f3a51009bdeb86331dc

SHA256
beefde9e68126afe1fa7808dc014a0b9f7a61eade510e48dec3619072dc62720

SHA512
99d06ef5bd2f24ccc0c568ff18388ab6db514a88deb75916d1c62e18db725fffa70d25b2d6e6265ecbd814e60596462da865e379a8be62ba3bc0a28db0acda15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4fd39df2fc9284ebbf5a1a540d054c0

SHA1
8722561a01926e29c63a72e75411a6e59c9217a2

SHA256
5b370ddf05f60313a66a75d0070a382f068a6a1180ec1ff055eff14af691836e

SHA512
868aa061a306c608fe0180d8630d238c162989c61c026e83696d914f1216605da86ca8a09adff57aaa01de7d9823ca12ffbbe141e6e5bfc2825f4f1819e45612

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ac4ef5aea35833a816ce17ff82ecf04

SHA1
baf008b76f2596458a2e947f9302db6f19d3c1de

SHA256
d9dcabdb229a12da1b551e482e8c5c41ca39ec5d20fbd825c023bd0267fb070e

SHA512
10a38f11dd15a3894f8b4339c52807e4027e5ba91ea290f9d65992bf4e204eaea373ba1cf2d57c71d88a38028b6b3bed72c31b8f4505a11878cca686398a528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3235bac60a74581d733256bc2a872037

SHA1
b934a44266ef70d3c7696b2b24320b20b9fa733c

SHA256
1adaa611395811455bdfb140424e37d6d25264bdd75dfcbbc028f79cbaa878f0

SHA512
2ba027352140b485525c5b4198b7cd6804885c25909e96cbf1301d6aa0959d4b6264c0cf0453cbb260ed445dc1362f9b9e074a983554a4fd40926a9b95f02372

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ff06a1ed261e77ada5379dacadaefbc

SHA1
d62794ce778d65dff0c8d2dda16e033fac41f83c

SHA256
9ff0f10e81c25a190065577d791cd26a12171a055339d7a2b235fa75c98fda07

SHA512
ee558ce068c171210b9d1c20845a942bf152d866ce91dec478143ddc61a00be5fd06acac3d7ac2431c0244bb021fbbc10ad5428b988cda9f677db97b1c02cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d88a29d36e3749fe5eab6a70efd56271

SHA1
b7d6a521c5e319a6e87be4fa0a34465ac9a30b31

SHA256
5d952a8e035fef858d76d211edf393d6d53b1c384ef6e97225838a7985b2e8bb

SHA512
4d537d70db3e3ccc3f9611149b44708ae20ae1863a40c33548b9fc5bc5531e487847dcb494ed5f3e3dff07f77e095f1aec64fdac9d4002ae2f8aeb66a3ea476a

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\windows.exe

Filesize
662KB

MD5
3ff099ce85b4d0730540d4273444b8fe

SHA1
933e66bb416e12d70deacf23c21aa75b197c11b9

SHA256
5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b

SHA512
90d38b118b5b55bd0d372033d89b1af3a094827f00801fa0b2927fd02b2e56e3dd2e877c69db3fdf48d178f37c0cee1b81fd68cf9ffc15bc111303a60044657c

Download Submit
memory/900-2919-0x0000000006090000-0x00000000061E9000-memory.dmp

Filesize
1.3MB

Download
memory/900-685-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2188-3932-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-3702-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2616-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-13-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-0-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2616-50-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2616-49-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2616-48-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2616-47-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2616-46-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2616-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2616-44-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2616-43-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2616-42-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2616-41-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2616-51-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2616-38-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2616-65-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2616-40-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2616-63-0x00000000033E0000-0x0000000003539000-memory.dmp

Filesize
1.3MB

Download
memory/2616-37-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2616-36-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/2616-35-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-34-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-33-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-12-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-11-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-32-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-30-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-16-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-39-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-18-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-20-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-22-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-23-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-24-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-25-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-26-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-27-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-28-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2660-995-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-684-0x0000000001E90000-0x0000000001FE9000-memory.dmp

Filesize
1.3MB

Download
memory/2660-68-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/6712-3701-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6712-2920-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download