cybergate | d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Size

284KB
MD5

c716367a1771cb09ada30f56d3ca54cd
SHA1

3bb7123c13b84ff81d20101fd755efcc705f3a89
SHA256

d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622
SHA512

a876447d41ba27c4103a86a4858af3604d5ad52310cf4229bbf921c84188e827f61183cb94d99f5e5d206995702a1e97a87beebe31a452432ad464ae1b1e3386
SSDEEP

6144:Bk4qmkG62H1fy75z2ipU8yiUR7NT+OUJR96t/lPC9Q+iha:W9N5KWKR50Jr6/yQDM

Score

10^/10

cybergate victima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

curuza.no-ip.org:8560

Mutex

***MUTEX***

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
El ejecutable no es compatible con su sistema operativo.
message_box_title
Error 0x0125698
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}\StubPath = "c:/windows\\install\\windows.exe Restart"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}\StubPath = "c:/windows\\install\\windows.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1784-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1784-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1784-64-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1636-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1784-69-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1636-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-72.dat	upx
behavioral2/memory/5072-135-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1784-137-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2748-531-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1636-532-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5072-549-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\install\windows.exe	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
File opened for modification	\??\c:\windows\install\windows.exe	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	2748	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
2056	WerFault.exe
2056	WerFault.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	explorer.exe
Token: SeDebugPrivilege	5072	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1784 wrote to memory of 3436	1784	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:808
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:372

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:768
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3744
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3840
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4028
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4128
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:5000
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2080
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1940
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5116
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4320
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1772
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4448
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:3964

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1936

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
  "C:\Users\Admin\AppData\Local\Temp\d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
  - - C:\Windows\install\windows.exe
      "C:\Windows\install\windows.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 576
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3344

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2748 -ip 2748
  2⤵
  PID:3556

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 65a5793d5fe98992bc4ccb461883e0fb B1HvZtDm4U+TaHy20YJLtg.0.1.0.0.0
1⤵
PID:3652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3172

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
9dced70ec47fb1a48f90bcee992b460f

SHA1
8fc41236995530c620c2c333d7bee0081824b501

SHA256
356e4f6e50b656184fd56b7972625c0f7488f5e5e663943c3aca91366148df84

SHA512
a62d4eeeb78975f1df531f89867745a6cb7d2d79a08b239345a25cbc4dd04d2fbc5897526e0ca145ef7c48535b9ed4de380d3009fa091c2521accf79aa375d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f80f946c83093f1ce266df53e4cdbbf9

SHA1
c4cb13e75e1e1293d7405953b1803778b0451d33

SHA256
003314e15d7b5a29c1e2ea6ef71ddcd42eec4691a209af12e5768462cd93a2a6

SHA512
7dbc53e8eeb48f95de71db78696fba89c9fd98e16a16612bfe9cc1b42a511283912b3e32f305aada03ea81f2e1a2168f7de11fc53455e8df6de4e032a13a789b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
61826d5caf73cc2e075916f234993bb1

SHA1
ad68eecacdd2f8b819b9e78e7214142b1a5c1c09

SHA256
3095a418f42c728788c070bbfc5e2589653c94995fe326f84af65857282ee42c

SHA512
36c20f10b9553dea9a9d6db341fd696ea66a02f66929d1ba80248ad892f55cc0a349f9f4f7cb2754f1716c34bdcd51d89b4f8478fa6fbf810c995eebe92bd94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ff60d5d0bda2d1ebbb0c3c2d9043f72

SHA1
5b07e0de90e8ae40facc864de8e70f105fe329b7

SHA256
d4f3c36fc03d5dfd336f0c851568a8a01b5f275c0d89434afdfa035b075aef30

SHA512
a5ebf450fbab62f0c08966cd19b21fe83a01897100f1d879c35b3930a1284aba1629763f801d78eab8b6b00af583252ab8c8588e3f8ae1c2644bf0e9cbe606aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e4226f60d830af3928b073cfd3c8a31

SHA1
c92a76812af3e15655e6de581c762f689764f143

SHA256
b685ac9ac289f5bbdc52fe0f74de589e9f631c2c79913d63083c0185d942f5dd

SHA512
3abe92ef7fa4ef02c2ef098dc08a5914723c73e4da898492921f0e524cbafab731555780618645983ae6a5eb6cbb1c60985c61e3785c412c909bc030fcc3842b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2f2ec9b1c660c33055e6972415fd42dd

SHA1
f73faac5e7368793b67e33c1a627ae8eea485a4a

SHA256
415bf57c558d55010112bdcf362bec92c5ad6d00d8edc09fe6e5ead0725adc5d

SHA512
b947b36c20f26b9664ee0269be7a62ce77d3d469a18a80e75e676bb3f624e5f11eef65034ac442c4573b9e5ffca822a0eb9dde9830b9f0b4589094c293138fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
359a895966ad638e303fa8e644edeb83

SHA1
5c368114418956ec8101536f00589910e5a4ea27

SHA256
d1ae63d9f24d4ced87639c8b146b4ac07592b70b5bc9d167de8fecb8ba68f353

SHA512
f23b5402eb9894b6d956ee1aaaa28f77fbcb472e4fd97b8a21a5484875bfd0ab72a072493cead28ae67621fa4aba5444c57adfd66d21c3fa1670713ef11252f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f892948bbbce30aef8d0c83b58926825

SHA1
b51519d4fef1cb7c4258541f877bc0cd77cad4d4

SHA256
2abfb23bfbec50613821eaa4dc714cb30cde6b998e35ea57ca2c7353136d2ea2

SHA512
b4c9289bb5b5470b676dc992dc5bf4663ce2bf001de2e068a13065e608c93745ccd39abe1050e60e0ba476fee5a2587bcc4a43e9c1f9ecc818bc6950c1740999

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
96d1788dff96b9005654aa7549e93792

SHA1
fe653d721eccd9df15f6435c4406b412405ab971

SHA256
2892d1587abb9269ba54058dc123e970f6e7206f566bf6f15d7ce98219527c2f

SHA512
9f1d17c7ab146d44c1335ddc6950ee19965413988b840ce410b457b45173ff66fffe90c0dc00af041d30cfaa2f4b923a7b78aef7da58964beab124dfbb741eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1377793b7002338c3d6e688484bad506

SHA1
b284b88faa67994db31c620d296a777230b7b089

SHA256
da539bdb7852f31d329ea37760e91dff4c90faa0f64d676dc4d48bf02718f11f

SHA512
4cd0e9b4f6f7f3d74a5d75ad58a1ee8ba19135bdd1d4edcd96602f2f7cc091bbd61954bac86fb71cb008dfbce57141e44b90f9705c5637b2fabc85af6f9a6407

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
67e917cece0e4cae4ff742bf62ae2052

SHA1
4f08dd19bac8e6d78991fa5b0c3ddaeea4a7f930

SHA256
ce1791e45780c25b27886fb71f7baa2e2f3389cc44ebde52d74d819fc68b04b4

SHA512
29f845ac474571b76d2d5cb0104ea589975f5248c207f8c86664d502106802e4cfe9184b4e1c1af9f2bc06b13540dcee6c218ec0952cbfc083be8d961c6704b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
55e46065e5f3080c6c99d8789b3161c9

SHA1
6f5132f7ee8a00f892164682c4a2c26e2d45248a

SHA256
b2e7ca65d935f1f8455f13524354f202c46b3514138c640e1b38ae1a9f66fd17

SHA512
a0e2ee4d893fec3b9c359244365376bd4df2813d7603b1ec3154832ea3d255182bc579ade99e065868e83fca684263384eb0d37d3a7b02540bb392ce2e28e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9af58d49d0d8037079a985d34f7b85f1

SHA1
48ab33bd28da628eee92433bbb6679439e2caab7

SHA256
f2aa15e953d5556da88f4e73068deab1a9cbfc335a541cd9902eeb647e1a9423

SHA512
3f0998a60e6fff9dd5a4cb1e80a08e074ce93f2f4df90cfd6d2b748b99a0a2fc76c114097226e7da7802e50701b5a8e74349c7a045ce145dae750e9262376913

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2599585aa3784be78234e441da663389

SHA1
3ad640441e97890f30393ff5cefb60a05e33ebd8

SHA256
6d7fac9206c39a969956d8ebf58ef58faf6dc2f6ffc90a9d89f762a8c8fcb75e

SHA512
0fead48e2ef0011efc54c8d2b3f1a6d727aca526941d7e84b3d25d80269a37c0d88a8e39ed1149983dbbbfa9ffcd82bfc9e245c761b1191dd3d2cb59b5e63dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15dd4e720aa36badf560f8b63db35431

SHA1
27c637366639058fb3068e08acb24feda5af6398

SHA256
4c138d4f7a26e86e1fbcea6109e1de7828e1b5481d608a2579fe750f02b810cc

SHA512
65006b37fc065e2a3c2a68c7bee94db42be37927096b8c115fd4cec62816626c9bbf49dc546c75da91e20ba3762b378e1580e049f15cf4b853c33d071a0aafcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ece3427e08c412b909b8f3206e06902d

SHA1
53984964f1af286cc2997ca8384cf824030d4892

SHA256
f17aa5e1e8cdc239bddcaff61e499e5453997bea869b51560fc7a99776df82cb

SHA512
159161e288fee504921fe98a5f12231adb97157fc29891f5050276d5c61166e72557a7cb923080847213aeb740698d20e8205a6cbec243be7f9f745729fbed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
32ef470d96a05a1dacec6892345054db

SHA1
7929f4b04501c0d24e7c67d848a5a2bb8c1b882d

SHA256
89d1a520d26af5ca420bae4f349b276fe7b3e5334db2ae937745812f267c2e74

SHA512
a02389e9a75fe237cfdcd0bdafcc867cd816a9a4ff1208f5177cb5debe30a044b17de0d8f6be7516c0f2ed2f8e75102bc4edd2120d93a3a711b52515985b9249

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
35457de60b6fb25a5356749e18341c60

SHA1
f193ae1c6197a90629655145d2b681c46daa7f20

SHA256
74623447c9e7a6e87bc5853f613e4eb4ac95143530c70df14b8f4329f19935a9

SHA512
1604115c976f78a0b42ea07386f2d1612db5bec1695f5752a7cbaa1585107f808dbf5dbdd12104248b4c42e37c734064d83fac2757a7cbc7605382a0d3637df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a0732e6097a4482075a96f37e708db4

SHA1
09fb73aa2c3f138e30742ee467387044485df389

SHA256
61cbcdccfc85730256b618ce042a0518f318e5fc1765e9850e52137262d66c78

SHA512
4cfdac545b06c7734d8bea7b2c1936a4dd01493d88dc7d9fd32e369f44980ac5dc356605ed42ea9b16c520f4d322d7d7d151d1021e358f5d37797765c49737f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3cece7c8ea56a2edbeba45c619f4f3f3

SHA1
e78cb49bd09d7027271f957be03c740efa0c85ad

SHA256
a964373fd538826e9c481106d3aa070206b755e6459f934384173ddaabe099f2

SHA512
3d446080974ec991f5d458ce98d540266dc730d8884a1b3816227ae0b454410398e2b46e6311b0ad6b596c09568ef0f835fa2c259d5d2aba863c23ad1ced7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fd2357c64573ef492d22f1e137cf5cd

SHA1
d785ab7340f72f631e5c4c0358483cc5b16e9064

SHA256
c8bb7a03206454ee8f2fe8fcbe3d692bee023409cbc8033c26786745462c9d19

SHA512
f7507a94b03e0405386a76d84f6ec566cb83d33960866a5befd269496ac968d8cf80f277bc1d51b75b6a6e33123a99c7205d6e1ca10cf676f95f76a504210549

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4b952b07857a8af0d732ee7f44cc5d8

SHA1
d2ba0b8918afd2571a4f632a0d3c6c30ac53ff9c

SHA256
285b0a75a1bf1953608857542747fcd4cd6a0351555cd122b08ef5ed3b7a8948

SHA512
ae2756b7aeac2262842a7a0a846231da212685288bb59d353a73e0d7abc14c9f36f6549a2a7c493926987e14c0f86e9d352bb9beec82be0399fd54b1eff7f11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4a71c78ebee18744591db06c4e2a9e3

SHA1
3b4cfae045a0b5c8bd0aea1f5abe5b88e86e0e2c

SHA256
f547086efc52261a66f0cdbdbf51a7d7fc470c343c04dd23dc8ba2ae38444f65

SHA512
b5d129148caee115638c7eda2a2f41135c6d2461309434a18fecb37e4fc1ee61f1c17e9499da04942c9997856556e2d72becd817473da1722bc7def32b06bfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b031ef94aaa19da78ce7fc831fce5d66

SHA1
e3b30c81673433528a7ab502d28fd9bf7fca373d

SHA256
8a775ec48527bf54e7f135bad03f82141bd0609ca157a3a6f8fd5476fe999f6b

SHA512
ba4c0af7ea0d76a26592d98973188d9bb044f938a9f04b98882dce211250f0cd1adcd22718d5ee946d46ab6e22b87056598dc2ad7624b6ead15be09126ff14a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
214047e4cb25ba6d383492401006a6b4

SHA1
d4ac0b09c34f3b04546102edbfa235ed6b396906

SHA256
790f86e97b6aaec10a141e8e348da918fb3dd305bec15c5ea4c9e7d8bd6eee31

SHA512
3536fc64264e5794790c3f49fdbd60b0bdc0c410615692c7853c7645d9c324f12e9d0476fa624b70047163edbf6b2420008db4feb5ec1efbac8539b6ac1403ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
faf92308c04b41f4f37ec85292c52412

SHA1
7fd990a440bbf45839c34d4e79fce4b5df80af71

SHA256
c1db91f5cf21760bdb991dd972ee31bab8dfdde2744ee8d201d628a6830aa0c0

SHA512
dd3715c8a1c5b565706cdcf00c58dc6d8d366cb1380aee05339a95832ae5a9731c96a5cd27f4f8e23a7fa9ae67a7e87e735e75f2b9800b9f3d878cf1d8be6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c387bcadb22314869b738dc6698166c8

SHA1
7cb3734f76ccb7324d8333f39ecde5e870ef17cc

SHA256
4e583f9c057aee7b4b6c2889e8dae9bd8acda83d05b128a3796354321c1a253e

SHA512
ab59c106262662d8719310452969744d792013a8394e40adad0a9c9dcd40bfcb305dc0172b2d169cf671be0f52489a1b54573509ac28e6bb1ae1ef88a2b336e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee54dfce06e231bb8d942d55302a52d6

SHA1
d91d8ecda1570b0854b6643a4717ee6ce41b898e

SHA256
f8b8778206a287827109e4867e88cc28077914c75f329d68962c2018788fcda3

SHA512
607e5391ae26a6cce24617fa2161dc8636beb830bf3dd6b61b1158a4aefc52d885b294eeeb437915e340bb1a958c79c90635b026c9259d808bc11bf3c054abbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b48bbd79b25ce09c94a7d09be0d84cb

SHA1
2619a927d24db3288d0acab31a6c0b1913a89bfd

SHA256
9762de75e428c609933420f7aa9bb4b84b623a4fe4497ace7816e11b6784cba7

SHA512
cd61ddbadc800a5771f0d90937c544bdb64d97b9f3318d3ba13ab06832fb596f4be2285df82f113da5b3ab5adcad4dd5b7cc9c08e0293b1d976706bd2420a03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
51be2c48825e9fb0efc96a362e3422e2

SHA1
541c21a222b92a4a6177d495fd0f2bec0fb4e4a4

SHA256
4287e8c3f7065c3571177c8e055cd8a4bf367766f030e5e90fac34787bb502fd

SHA512
bcde9676fa153b3187a504c7c1d5ae613fe5cea37c1303d27e3f2769c5c03ee1c13d4bd545371d70d9208936ad616d9b1ee28ce281bbbba2a9d4c1271d897097

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fcbe93e180c1065d2a441faf348c53c

SHA1
e91fbd62cb287c25fc24cc2f5ed1cde85621eb32

SHA256
091762ee2305f5e6e9f4ea40ca5de13a09934f1af43ba9a8d59a463ac6664dd6

SHA512
0471652898ac10dac1553144377deeaea00725e89adc7eac1535e144373f7b8b82108888c199b99b5a4cbc54b05b21ffad48b31363dd66fb5be2da27875728be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ab3d7b47429eac1d6e214f583369830

SHA1
9d18f161855e87271e436e2297a27212840ff593

SHA256
2b1b4e6674c39f008d4eb798a9564c92641b2da67756d9871ab9c0c6e6a63142

SHA512
0d4575b50f467e99ec9ffce598c7a56a80c4cc0722eb28b2c5a66b4a0e70b39e12a3d1ebabbcad3635b2fe83376483a71172ae598c2de5971dfc3f89b4051559

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88b1eeeca61f4e96c7e3b949334185d5

SHA1
e61d3355ab77177f3cd323cd029bd7911aae992d

SHA256
a706117ffa696b40c8d60292972d636cf78be2b2a2777307edda86e1887a6a0d

SHA512
95f697622ca3b9a70cec282642a5eebcc8dae6f042767307bdf8b94e2f498a3b0f0a8453d1235b895b1c9ec7c4eece1bd55054122fd0323f9bdaf578200dc39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
53a8de950ffa7bfaf8daabe3b7c53a4f

SHA1
223d115a414ea8bcd65926b98aa1320b2dac12d7

SHA256
54e7cec4650635afa2d9ec3b1e082923e0cd6c734f4c19027078a4aef40ddb35

SHA512
b635602da395973950a761107d3bb892efd1ca118076555a40ecc546d847ec7dbc55b7acf4423b4e6faaac7590e6b510dd41b8579f1d48d9bc526eac4731d1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
38819cfbd8b91bb2545d549b6cc5c30b

SHA1
f067d838af3b5069304103313cec4e650da8994d

SHA256
74007eff804c5e8c40f023f8ca894c87aaa1cf8d1f69d65c62211d1d21642fee

SHA512
9309dc8b85e57041c28c616dad75e7bb156a1335b31ca3b2f67ef5ab5f4a0ce44525d5ca9615fbd8cdd93fb02df7c6306da05b69a5e90068b79824331443bc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f73fc02387bd5650a8a714001cec69c2

SHA1
6bc7e094b5b23b2f78be6e230686b0bf4c783a4f

SHA256
8e523f2e4d138a9f76a3d3365479219cffb6efca1c189849caba6c1f951ae2e4

SHA512
57063157d26cce8e9117ed242bebc87b4ba42b1593091a77065b67c63f5955f30b52e461fcd1e563e709f364e95f9281010f2fc384c39d2238771d57849131cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
781f45e9238441f4fd0b0b2e3a3068c8

SHA1
83b99d49ab78535d3b1b3290ccdfde149412ce94

SHA256
2322faacf20edb712ea05952fe03193497b09c42e8a351a12397ecb44dfb9c78

SHA512
e0f6238f5c7fc40d982b1c9df34ac312d9a59fbd18a0baa8d8bfdba4e1ef58183cc3383df6e9c897ff1bc085a70498d97dd96a4b8056cd28a654ed1033f8ce2c

Download Submit
\??\c:\windows\install\windows.exe

Filesize
284KB

MD5
c716367a1771cb09ada30f56d3ca54cd

SHA1
3bb7123c13b84ff81d20101fd755efcc705f3a89

SHA256
d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622

SHA512
a876447d41ba27c4103a86a4858af3604d5ad52310cf4229bbf921c84188e827f61183cb94d99f5e5d206995702a1e97a87beebe31a452432ad464ae1b1e3386

Download Submit
memory/1636-532-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1636-68-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1636-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1636-9-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1636-8-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1636-67-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/1784-69-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1784-64-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1784-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1784-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1784-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2748-531-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5072-549-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/5072-135-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download