cybergate | 5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Size

662KB
MD5

3ff099ce85b4d0730540d4273444b8fe
SHA1

933e66bb416e12d70deacf23c21aa75b197c11b9
SHA256

5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b
SHA512

90d38b118b5b55bd0d372033d89b1af3a094827f00801fa0b2927fd02b2e56e3dd2e877c69db3fdf48d178f37c0cee1b81fd68cf9ffc15bc111303a60044657c
SSDEEP

12288:43fQAnUFGBEJdWuLHfBGu68zEKtzKrcVPkCjuKjQhxFta6Ios1ZVzYKj86sMbw:43VqGBEJdWMJGuXzEKtKrmlWIos1ZpYB

Score

10^/10

cybergate öííé discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

dr-dior.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Executes dropped EXE 2 IoCs

pid	Process
4568	windows.exe
1572	windows.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3772 set thread context of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 4568 set thread context of 1572	4568	windows.exe	96

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-44-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2996-45-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2996-46-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2996-49-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2996-51-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2996-54-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2996-56-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2996-58-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2996-190-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1572-620-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
1572	windows.exe
1572	windows.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
Token: SeDebugPrivilege	4368	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 3772 wrote to memory of 2996	3772	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	89
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56
PID 2996 wrote to memory of 3436	2996	5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:804
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2972
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3848
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4020
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4168
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4160
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:316
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4784
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:664
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3160
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3960
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1532
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4764
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3048
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4564
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:3828

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1080
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1904

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2764

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
  "C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
    C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe
      "C:\Users\Admin\AppData\Local\Temp\5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4368
    - - C:\windows\SysWOW64\microsoft\windows.exe
        
        "C:\windows\system32\microsoft\windows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
      - C:\windows\SysWOW64\microsoft\windows.exe
        
        C:\windows\SysWOW64\microsoft\windows.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4052

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3636

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ad7b47a11ceaed9851cf27f3067cf4ee Vy2zX/pOcUOyE+7hoIbkWw.0.1.0.0.0
1⤵
PID:4952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4104

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
c2678343d5373848add08c631b0a4590

SHA1
9297d3d28bd9353e61776cc1992a1f86a58a06cf

SHA256
93a13d14c5c792c116f8ec859fbd53751c192727a0baa8c130021d204b5f78ac

SHA512
e6f6c8bfa4240735b4a0b9e58d8e757f33a8c4ab2eb5bf80265ce9dd2770c86ca981dd47d79edc0d071d9f36d428fefbe98278bf9067730794834e2ca256dd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d88a29d36e3749fe5eab6a70efd56271

SHA1
b7d6a521c5e319a6e87be4fa0a34465ac9a30b31

SHA256
5d952a8e035fef858d76d211edf393d6d53b1c384ef6e97225838a7985b2e8bb

SHA512
4d537d70db3e3ccc3f9611149b44708ae20ae1863a40c33548b9fc5bc5531e487847dcb494ed5f3e3dff07f77e095f1aec64fdac9d4002ae2f8aeb66a3ea476a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df3fa896bd77da5782795483f1ec7474

SHA1
d23e8cd865e243bf69e6516bb5eb60c8c20d40f7

SHA256
29bfe4f8d52ca8e6021af424f86a3fe256ae8b2640af8ffabe51c433254c7c5c

SHA512
766e1e80c34aa0a1ca335348d1e870b92efc2fff5cb9d9ce8e5736d7b5c625d8bdcea3e5be937d4d1fa71bb2690d418aace5b1033f4a932fe008460ae7750f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af367ea14dea3511c2e8fae5f2430448

SHA1
3a0cf4b550fb075a61bff9fa14912d866b413d59

SHA256
28f9ce876995ab074a6aa8228fe8cb69e8b15cf1a3d29c4e6964e63a73291f1a

SHA512
c1720f99a5b0a2cd398cdcbb7fe5839d4a2c7b1c58135d8ce48bf543f48cd6d566014667a9398f585c8be6c2f7d5643f8f4fd79b07f040a28cf207a8afd24053

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ff06a1ed261e77ada5379dacadaefbc

SHA1
d62794ce778d65dff0c8d2dda16e033fac41f83c

SHA256
9ff0f10e81c25a190065577d791cd26a12171a055339d7a2b235fa75c98fda07

SHA512
ee558ce068c171210b9d1c20845a942bf152d866ce91dec478143ddc61a00be5fd06acac3d7ac2431c0244bb021fbbc10ad5428b988cda9f677db97b1c02cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
049bcc17f5c70939246a556d389a132a

SHA1
2e4ab46f1640d2a19e9d98505c5e1a86de2b170c

SHA256
f2d4fc8485874215939dd1eb4b4b84e398f5c925d867232c76be4086abeecdfb

SHA512
0c89e6e3e6ab0db1f7cff1988af80d7a0f16fea39e38a85aa13b1595a5904af21c865554feaad3fa7e761739d35c89e55798c6c4e276efaac6beb69991fab42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
44ba5d9131b714d271fadff9aadf79fb

SHA1
629eb20d5af6fc3431fe3f21729c7e60e00eca9c

SHA256
6ccb492cc63dc6d9f8718f4607d055c807fcc80a641150b2bbc5aef1ddff92c0

SHA512
eb0eae352033ced152ff3e18a8537103cb26a38af50d459a0f48a2b944bc01de69a72fd8a4ef83aba9e0ff9de163d2da3d8f1c10d943988e14c305dd4f916ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
399a66fd12ff3f141a41050d363faa89

SHA1
84c082f116949efa65f56d23af632e1c7415b2e3

SHA256
26b1f555123edb8e43c2003f5f77b35a61e4927a88907abbbc25dd5601326a5f

SHA512
894f594cc50d1592104e76da3f46a8f6913a5d1d027f093163b8e256a811d4b98392bdde2655f996198229533b8592d6ee9af9dfbca4fbff7e6c03578e006fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12367fc300273885a1513b4ece0fd5cb

SHA1
a01c1b744a527a1f1c18bd908c1beb7dba4f98a2

SHA256
c9e2f70998d76bbafbfbd65acbc450cebbd12b5fede21fad81d2e1c910599644

SHA512
aaa4aa6299336cc57aa711c8b034b3cb362cf100735835cb3b76fc9a5105eef3338799fa13384c3c92ac7c695fb1c78972bb743390af059f407b16f62e351395

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bcde6f177654f2dea0bafab402ab5ad4

SHA1
d44c37e8c026b3fc4711a895f59d4a622329eb25

SHA256
5d54cd29e97f5dfaf6b8083c8bac525789edeb2ddf359c22bd5324c592aef25e

SHA512
f8511749ecd8cd24f1528f93093152a7afd73c23d33fe67a45527691399b5e60f21ded920acc930bdee1efbd0c502cf579d5ead6669fe266304028cccce256d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a3f6f2c96e15f079bc527450346cd9da

SHA1
0ca35f8aad19f9f9c43f44e29b984b18b3f7facf

SHA256
04db02d1cc6f7b778c1eaf8fb1381cdd991509de0b4c9ccdae2e144ce1e9a389

SHA512
a944e1d71890603512e1b2668833759e9cd97879cfff8f90ea798c7c3e5e39595f68d81e43450629ede841c8e8ebb2b2708f8a4c9388dbc785b6bb32c39d13ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6d186520573bd969cf0b657c95e40411

SHA1
178287cec1a0e83d7680318f99d781c5a00032b9

SHA256
78b65c5158cc3b39b8e23d440b31f7ca93f668ae6e30d4ca9b864ae3a226f165

SHA512
9f3648d958da406da59814496bbb512c5bbfa424b7d9488aac62bdfad7e3a37e9a6de28d74f40590fc1e926c8b52dfbbc6450463dbb0622bd176fa97f74a81e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3235bac60a74581d733256bc2a872037

SHA1
b934a44266ef70d3c7696b2b24320b20b9fa733c

SHA256
1adaa611395811455bdfb140424e37d6d25264bdd75dfcbbc028f79cbaa878f0

SHA512
2ba027352140b485525c5b4198b7cd6804885c25909e96cbf1301d6aa0959d4b6264c0cf0453cbb260ed445dc1362f9b9e074a983554a4fd40926a9b95f02372

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cfa1fb642a867c92d227d0065f01e8f1

SHA1
0caca70c3af4b7dc011646fac5b8ecf8d2e7ee2b

SHA256
5337513425a9a96691cba4e606b80164b98706572b8394e0a269fdbaee32d005

SHA512
ac46a2a951b3f4d81cb1e5faf6134b0c13b5bbfba5ddf0e1cdad5d0c2546a03ff11e4f50714fda4261f86925efc64ace8d52a656f9d99d30b8e94a7b90675b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a55c5e83822800a956672b2b5f831b38

SHA1
91648091003f16cc5e1d4cf549842c43bd79f077

SHA256
50ab7a11ab93e7fd02cd6c102684a0553b6ff9b06efcbe382afae6197929ced6

SHA512
6b46f0d2c5a1f4df6f302cf3e62dab0cf0a4305a777917a97ad65110e38c5569681bc6ab28920a50fd1a388a23a5973c4f34400c993f45a27ad4a48d84bfc964

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5ec05404794ca2db8c7245aeb5ec02cc

SHA1
2de22bfefb9477930a608c972c7749dfcd5ad400

SHA256
7a6f628919a67e0c6fc830ca17fa3fdc7d4ff55ad0387ebe563a7d5c5f72a8cd

SHA512
d351e8c10f6a37a756b5f1eef8bc27fede0b92a8727fc2243948c0066e7d93552e5ce61b6e5d68925baa61b0743cc9f7eb2f9dc1b45e3e2835aa251dd30bff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
594aefbe23e53ec660c553d50a5c4dfd

SHA1
dcde5482f0cbc86003638f3a51009bdeb86331dc

SHA256
beefde9e68126afe1fa7808dc014a0b9f7a61eade510e48dec3619072dc62720

SHA512
99d06ef5bd2f24ccc0c568ff18388ab6db514a88deb75916d1c62e18db725fffa70d25b2d6e6265ecbd814e60596462da865e379a8be62ba3bc0a28db0acda15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4fd39df2fc9284ebbf5a1a540d054c0

SHA1
8722561a01926e29c63a72e75411a6e59c9217a2

SHA256
5b370ddf05f60313a66a75d0070a382f068a6a1180ec1ff055eff14af691836e

SHA512
868aa061a306c608fe0180d8630d238c162989c61c026e83696d914f1216605da86ca8a09adff57aaa01de7d9823ca12ffbbe141e6e5bfc2825f4f1819e45612

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ac4ef5aea35833a816ce17ff82ecf04

SHA1
baf008b76f2596458a2e947f9302db6f19d3c1de

SHA256
d9dcabdb229a12da1b551e482e8c5c41ca39ec5d20fbd825c023bd0267fb070e

SHA512
10a38f11dd15a3894f8b4339c52807e4027e5ba91ea290f9d65992bf4e204eaea373ba1cf2d57c71d88a38028b6b3bed72c31b8f4505a11878cca686398a528a

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\windows.exe

Filesize
662KB

MD5
3ff099ce85b4d0730540d4273444b8fe

SHA1
933e66bb416e12d70deacf23c21aa75b197c11b9

SHA256
5087813ebfa48176b6fc67c1f5126bd159f2ed180c74fb832c3d6f426a40bf4b

SHA512
90d38b118b5b55bd0d372033d89b1af3a094827f00801fa0b2927fd02b2e56e3dd2e877c69db3fdf48d178f37c0cee1b81fd68cf9ffc15bc111303a60044657c

Download Submit
memory/1572-620-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2272-59-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2272-60-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2996-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-58-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2996-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-56-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2996-54-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2996-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-49-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-46-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3772-39-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3772-6-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-33-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3772-32-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3772-38-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3772-31-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3772-40-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3772-0-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3772-41-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-43-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3772-42-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-37-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3772-36-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3772-34-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3772-50-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3772-30-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3772-26-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-28-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-29-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-27-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-3-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-4-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-35-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3772-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-8-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-1-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3772-9-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-2-0x00000000024E0000-0x00000000024E3000-memory.dmp

Filesize
12KB

Download
memory/3772-10-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-11-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-12-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-13-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-14-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-15-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-21-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-22-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3772-23-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-24-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3772-25-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-16-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-18-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-19-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-20-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3772-17-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4368-621-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4568-570-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download