cybergate | a52a9093fdad5cc696b11845e8c2514cdeac7d4a9d97a49369412c39de7e524d

Analysis

max time kernel
150s
max time network
110s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
Size

2.0MB
MD5

05bcfa3e64ce2d45b1457a1659291185
SHA1

da44bc916a7e619a4958c34fb425f149b1b252ec
SHA256

a52a9093fdad5cc696b11845e8c2514cdeac7d4a9d97a49369412c39de7e524d
SHA512

d746cd39811b77ba90b66d50ccad4be47bd5f9fc85de9761d3b04b46587bef6949a5690ccd2ff675d03673bc24490505d0a8d0b395fb61266ad54a872219c40e
SSDEEP

24576:96WOxWsYOWrK3TaUZ7pz3eCswkMjQ7cst8LSTAiV3yl5bvQVhG:9u8OoK3eUZzswnYPDAiV3ylSG

Score

10^/10

cybergate thecoin77eur discovery exploit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Thecoin77eur

ntspnet.no-ip.org:80

ntspnet.no-ip.org:81

ntspnet.no-ip.org:82

ntspnet.no-ip.org:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
x86_microsoft-windows-w..win32-dll.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Erreur de chargement de sqlite3.dll Fichier manquant ou endomagé.
message_box_title
Erreur de chargement
password
181098free
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}	Idman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe Restart"	Idman.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	explorer.exe

Possible privilege escalation attempt 12 IoCs

exploit

pid	Process
6744	icacls.exe
34268	takeown.exe
6588	takeown.exe
6680	icacls.exe
6716	icacls.exe
36580	takeown.exe
11472	icacls.exe
8648	icacls.exe
2288	icacls.exe
6692	takeown.exe
34260	takeown.exe
36592	icacls.exe

Executes dropped EXE 7 IoCs

pid	Process
2976	Idman.exe
2916	S.exe
2796	Windows Theme Installer v 1.1.exe
2724	Idman.exe
2752	UTP.exe
6812	Idman.exe
3552	x86_microsoft-windows-w..win32-dll.exe

Loads dropped DLL 25 IoCs

pid	Process
2976	Idman.exe
2976	Idman.exe
2976	Idman.exe
2976	Idman.exe
2976	Idman.exe
2976	Idman.exe
2724	Idman.exe
2724	Idman.exe
2724	Idman.exe
2724	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
3552	x86_microsoft-windows-w..win32-dll.exe
3552	x86_microsoft-windows-w..win32-dll.exe
3552	x86_microsoft-windows-w..win32-dll.exe
3552	x86_microsoft-windows-w..win32-dll.exe
2752	UTP.exe
2752	UTP.exe
2752	UTP.exe
2752	UTP.exe
2752	UTP.exe
2752	UTP.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2288	icacls.exe
6588	takeown.exe
6680	icacls.exe
6692	takeown.exe
11472	icacls.exe
8648	icacls.exe
36580	takeown.exe
6716	icacls.exe
6744	icacls.exe
34268	takeown.exe
34260	takeown.exe
36592	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	Idman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	Idman.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\ExplorerFrame_backup_wti.dll	Windows Theme Installer v 1.1.exe
File opened for modification	C:\Windows\SysWOW64\themeui.dll.tmp	UTP.exe
File created	C:\Windows\system32\ExplorerFrame_backup_wti.dll	Windows Theme Installer v 1.1.exe
File created	C:\Windows\SysWOW64\themeui.dll	UTP.exe
File opened for modification	C:\Windows\system32\OobeFldr_backup_wti.dll	Windows Theme Installer v 1.1.exe
File opened for modification	C:\Windows\system32\shell32_backup_wti.dll	Windows Theme Installer v 1.1.exe
File created	C:\Windows\SysWOW64\uxtheme.dll	UTP.exe
File created	C:\Windows\SysWOW64\themeui.dll.tmp	UTP.exe
File created	C:\Windows\system32\shell32_backup_wti.dll	Windows Theme Installer v 1.1.exe
File created	C:\Windows\SysWOW64\uxtheme.dll.backup	UTP.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll.backup	UTP.exe
File created	C:\Windows\SysWOW64\uxtheme.dll.tmp	UTP.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll.tmp	UTP.exe
File created	C:\Windows\SysWOW64\themeui.dll.backup	UTP.exe
File created	C:\Windows\system32\OobeFldr_backup_wti.dll	Windows Theme Installer v 1.1.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016cd8-37.dat	upx
behavioral1/memory/2724-38-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral1/memory/6812-6169-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral1/memory/2724-9530-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral1/memory/3552-9571-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral1/memory/6812-20746-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral1/memory/3552-20772-0x0000000000400000-0x00000000004AF000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UTP.exe	Windows Theme Installer v 1.1.exe
File created	C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe	Idman.exe
File opened for modification	C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe	Idman.exe
File created	C:\Windows\explorer_backup_wti.exe	Windows Theme Installer v 1.1.exe
File opened for modification	C:\Windows\explorer_backup_wti.exe	Windows Theme Installer v 1.1.exe
File created	C:\Windows\explorer.exe	Windows Theme Installer v 1.1.exe
File opened for modification	C:\Windows\explorer.exe	Windows Theme Installer v 1.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UTP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_microsoft-windows-w..win32-dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe
6812	Idman.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6812	Idman.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6588	takeown.exe
Token: SeTakeOwnershipPrivilege	6692	takeown.exe
Token: SeDebugPrivilege	6812	Idman.exe
Token: SeDebugPrivilege	6812	Idman.exe
Token: SeTakeOwnershipPrivilege	34268	takeown.exe
Token: SeTakeOwnershipPrivilege	34260	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	Idman.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	UTP.exe
2752	UTP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 432 wrote to memory of 2976	432	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	29
PID 2976 wrote to memory of 2916	2976	Idman.exe	30
PID 2976 wrote to memory of 2916	2976	Idman.exe	30
PID 2976 wrote to memory of 2916	2976	Idman.exe	30
PID 2976 wrote to memory of 2916	2976	Idman.exe	30
PID 2976 wrote to memory of 2796	2976	Idman.exe	31
PID 2976 wrote to memory of 2796	2976	Idman.exe	31
PID 2976 wrote to memory of 2796	2976	Idman.exe	31
PID 2976 wrote to memory of 2796	2976	Idman.exe	31
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2916 wrote to memory of 2724	2916	S.exe	32
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2796 wrote to memory of 2752	2796	Windows Theme Installer v 1.1.exe	33
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20
PID 2724 wrote to memory of 1364	2724	Idman.exe	20

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1124
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1708
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:34152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:340
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:268
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1044
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1212
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1560
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1972
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1488
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\Idman.exe
    "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\S.exe
      "C:\Users\Admin\AppData\Local\Temp\S.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\Idman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:12284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\Idman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:6812
        
        C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe
        
        "C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\UTP.exe
        
        C:\Windows\UTP.exe -Silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
      - C:\Windows\SysWOW64\takeown.exe
        
        "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\uxtheme.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6588
      - C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant %username%:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6680
      - C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\System32\icacls.exe" C:\Windows\System32\uxtheme.dll /grant *S-1-1-0:(F)
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6744
      - C:\Windows\SysWOW64\takeown.exe
        
        "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\themeui.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:34260
      - C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant %username%:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:8648
      - C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\System32\icacls.exe" C:\Windows\System32\themeui.dll /grant *S-1-1-0:(F)
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F
        5⤵
        
        PID:6648
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\explorer.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6692
      - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\explorer.exe /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6716
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F
        5⤵
        
        PID:32884
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\explorer.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:36580
      - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\explorer.exe /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:36592
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\system32\OobeFldr.dll && icacls C:\Windows\system32\OobeFldr.dll /grant administrators:F
        5⤵
        
        PID:34312
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\system32\OobeFldr.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:34268
      - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\system32\OobeFldr.dll /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Idman.exe

Filesize
1.0MB

MD5
712f44fa4d49cc9cc7de5bf393858078

SHA1
644943daca2e8ee8ac8472d519d3e65d3171671a

SHA256
5689bdcb98e00b7a476558cd55161f744f04e15943ce52fc64a24be6d83c66ed

SHA512
281b7455331943d689959f0dc776c88244738ba632136197134f608409cdfc1b98ba785346e36611f86a9828f0aeeb119b31855d3be685929de5d97402a2692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Idman.exe

Filesize
1.0MB

MD5
7b3ce789e266bcf032d193b4deb1cf44

SHA1
f5c0c5d14cce01096b4693a3e4bade6864645cde

SHA256
c060688ed4df13eeb4e78ad9f3a7408ccf88ed6ea593698f4e1d0f50571688d6

SHA512
4ee206357cd05affaf9944c4dba940b58eab67a8e38c9949d87938bbc1c2339ba2bc0d2b8276dc886b6cbddf03b9d89647c0ebffe87a5a05741846233edb223c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
605KB

MD5
e63285183e174aed7bda3c522b7df196

SHA1
cfdcf7408c04b2a62103ba992bb653d1bc51fbd1

SHA256
11f3700a8151d7ab37d5dedab9f558a558605db41abef0ccd5ee7415c7a4e82d

SHA512
9b415cd182b041cdce5df6a4dbbbf4d8f2d7018fde0cd7efdaee41f071a141f53297556a27e487d29b8f123be59440ba23ac97645f11459bf1e7b705982f8c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fac8a8aba35867405c517e5cf9480354

SHA1
05aacd4e7d4541f1002c72c4aa4986957a738019

SHA256
34e2a1e8846e4101082c6991467508d57c1d3c783622ebebf684d8dd51abfc8e

SHA512
0cc540bc0c20e8cf4a5994befb7dcd889e9b4dace649be3969540a76202e94e297ddaad9e50a9f6556b15cac3d7f0657d8d7026792d35aaa36798caff47c1295

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
515534b24cfec2d6802b6109f69b83c4

SHA1
1377d187cf2ac2403821b8c11890fe00cf14f29f

SHA256
f391ea3a70ff4d5d154ebcd0214141d002506339c4c15ae5aba580b19655ba92

SHA512
3b8396637e6a111b2b5cd60bac5a51aaae7a31e409c492db7f3220ee5696b6702f1fbcc906f54766dcc8c5be748db9c7cf1ed0ae40f729bf207ac5d6051f9d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26c0aa793ba4700c4acf490c0fadfbd6

SHA1
2058a3a8c3923c6ebc25ff0a316aac605994ac7a

SHA256
303cda5c0f13b44cfbe75efe87227b566826328f50f63c3cc7772a7d60b9eae2

SHA512
81388f71cd7387cbc966d0097f6dda46f774d6c429f35d5806fb8b7565b647eb8db07bf62c8374bcfc18ae563ed587ba0b4a636d5b7ab9f815dfa046e481b179

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f91cd03a4fb9861c64cde5a3288abbbd

SHA1
47c3d3d696778ddbf6dfc552f1a9bc513b1e68e6

SHA256
48088fe461845212389487da0c264b53293085e5248051a5a68d3d3956e4a478

SHA512
f65a4fab03a19ce2ac9aabcc2a9812604df37c467f5a5bb95129a634b78fcc0575a28bbab4a039e8cb9f4520b3f2b742f6e0d7a5004fbcb20190592131bf9e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63d0d77062de97ca9372b706aaeac9af

SHA1
527b247579bd4b92dcb85b31a2d31202228666fc

SHA256
fd5b6da5d9a6522afd827369b749aaf4409e0ae966113c8ff97a58ecb013cac9

SHA512
eb38a1de5e8912742b72ea072957967bc94480fe6341bd8c6bf8d4d36d532cfaa812c44aa16e55889497b5548f0916edb34d9cf3a61f60b90b8949d6388f03e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b7f25b7508c163060b215e5e090fa28

SHA1
f5cc3f2146d85f782cd2c4a8e28c33a0eecd320c

SHA256
bf286bd20ab12efc64069638bf9090e1a7a6746b421ff4ffab27d796697b55bb

SHA512
1649eea510fe98a6ed2e0cf83d7a84464d3f58cc220dd98ef768fd000e83bd9771e335b5d05799954cd5d900a12ce0b25665feda3ead6ce9efb1287c93e02e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fa96a3f9b5f5b52edbd9df587938b1f

SHA1
c0326d41d18f2fd46c21a6a6a4f8e4a0969e37a2

SHA256
b521458cebe33abed9bda6cdb0b89ea1a4c43c694079a4d1deccd984e6cec99e

SHA512
53639fb3bc416c1f6e20b7e412d6c368439e0d9ac16630f2321835e23db9d7173dc383dfb85efc8c5b1bde5877bbc30da76f84fe494abd10f0edabad980f0533

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b058211afaa9aa561988ac346882fa89

SHA1
ce451f92235d446f8c7851eab30867fe69249502

SHA256
477b28003e974f468eabf53dc97cc8c92774cc9d30ae0e5cc954b459ce3f5169

SHA512
cf725638b30727542961dbb6923586d8dbbe82f60914ca18c79ab2ba8e1bcfdeeec5975eddd5e1a9f22501b1ad5d59c985e2dc135f17b2418b5536ac39c958f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
005b16f73342226dbd8c5a4d6e0cf681

SHA1
3f5b3c7ae64cb46056b1643e9ebfaebf2e660641

SHA256
ec71ad0436feae066ecbc8b2b291c8303dc62a14e1256c8429c69a9ffc0440ad

SHA512
044630dc23485a863c9535868b08ecae2d89cbef5db71262ce8fd167d64adb7e53bb0db211a6c03cc25a5f438856d41aa1caf8223a32aad14a6244449f0c7ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
579aa36b25f340a80c8dff82526eb269

SHA1
7398aa3c9caa4432c7748007857c8af93b3a1762

SHA256
f7c88d188bccea61a948668f38929be7cd34b50333dd660d79038914a26b63f0

SHA512
81a87cd933dd7f1e6e047fd068b45a7c27b00703b19724c1eadde2073b655090ea691b138b2bbe454a64bacedddbf29e818f02b886e5ca04a0f72e2e86d709eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f8e484d7b64997dc54d9fc782c475217

SHA1
998514356c4869ea76a64eef75f366c49fbad618

SHA256
535ac663a7653071f9817785bb4e093a5b44d995da798da037b46838401927fa

SHA512
2662bb18b330dce7b84aa7f85472e21cea4a6656d6b052c82bdc11acfb59d21d3d8c10717b7c0a94c5bc45f7a8464e64e7b4ed1531bb981f9ba1b35ab996126d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3068d5f530fd325bfb1499e990e9a612

SHA1
468dc6b35e430d5463074c518257ca39dc2abeab

SHA256
60135e491a8a2682c2b39574d0eff131df756815f784952d31aca901fac22745

SHA512
ea2745732cbe28b9cd7721899f86e3f7526084675c30e21cf78e2b6b8eed648f94fd278f466c8814a458877221673430748aa9291729651fc307020b6b95a920

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eebef440583482aebc2085f458e6cb82

SHA1
5129242fd54e35d00af9f6d3631f403fdf7a845f

SHA256
f03d6d4404c5cf1ca95424fb953d2bd85918a90265dc8cc09a37fdbe0e70c5b7

SHA512
975a9dbbbe331a2df3d8a9f882f4d62a4f458815613acb01097b67a01d4c1195d5263cc31feab0495544b1ab67f5c4c70ddd52d3a3f401fdaffc37922e544f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64d90ba9f60512cdad60e80e923326f1

SHA1
1b86dfff3df2f39bb38d70ec81d3293fbede711f

SHA256
00954c098fa847852ba93d377530a9469560365d59d44d9dae52b2c1b1410f7b

SHA512
6b08c0e23bfff99271ed8e58cd6c9181e399c06dc4be56a6599e01f7590260e514d3589a74dc4760e1a2e3be4c367af2aa855d5e4a5a612a9eb138bacd25eccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
97bbbd1dc28813f02362fe1d55955c3a

SHA1
11923062283397ee39f70d896bcaecfece2b84f8

SHA256
d8c0110ab93b89e30604f3fca41ce59f61dc78c839092490241d100de9750ee9

SHA512
b7a1e689cc37ab00379b4d06506f7dce65f3e6d2400749c6b6c2008fa93b6699cc855e192d12f1fab30fa0b02fbdfee36cf43358b791c406a4484751e59ca879

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e0d8f4953ad156270488d72d9e5ace7

SHA1
af4132a47d5767b0a2d2115d7d8905c837386d9d

SHA256
88bb3f23cb496cd8dfaa60b99ea5b6b782b15e4d3d3eb65e1d6b33b39b551c38

SHA512
c7f88c8d03d9083898f2971970d211d168a05a63bbc16068fb7b77541766188863999b8673dc3e961d9b8972fe40457c2aa88c47f5dca649b44552cbc9cdb2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19252b5c03b62ffd28898fbd754c5a78

SHA1
aef8865ee123130d1e4685d2dcdd5b3d89d4f8bd

SHA256
a7139af2459d89026d68b0de056ef6c641b21d4137fb731fa373f46fa57b7dc6

SHA512
ecf0db8f46646d383e377f74b2dbc1770bd04fe63fcebd0fdca80bde043b1f191de14b8a0deb57d391a3cfa66f2dccaed43e7b20d2f5deddbd51bd1f87589216

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
261b5df639e3bb3ec7151f49dab93b5a

SHA1
0271b1b09ab996a4cc93847172ca9220f6eb9056

SHA256
a60b75e98db217701323aa848f91852fc047863af5e47ead0c223e24a445a8e6

SHA512
d484e57a91a40170ddfcc8af2851a0eafd1b4ea643bbc0dd7ba23f4a2d1a16fd034f32688aa5310fa997dfe24b5cc25b9cc398715768331446362298fba3f266

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86281a863e4d7c3d50483fd184ec2285

SHA1
6335dac26cf3aec8623835a843d17d7e12dd741e

SHA256
b93307f94e3c7b94d3a4a378a3aad1f345711592975936856c1378645d999700

SHA512
a54a35b4b82ce7b03d72cf99d27f91b95825e090a303730d9546a4dcd16b4392caaadd82d09f29e2b54cc8d3ef1cedceef13eda6c876fc46500299c01922b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
457ef0f9fbed5cb1d9b335aa3b79f080

SHA1
80cde7cc63266c055e7a64162cbe70e57a2eb8db

SHA256
933a1e7a367937ab68f5c13484ed8758f33794039b53cb3f2db800314cdc773d

SHA512
88ee387842b5694598fc2821df99def0d3bb683f3bac5f9d3e1a6c020a5af794e6b0fb2e2afe4f9034869d1718bd9f30f837f48c6ff1276bfce4f2bc834b9ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f69ba5c2a623cff43fa519db3c599670

SHA1
201bac6ac66bd3adfe709045b0b8143cbeace3ee

SHA256
0bdf762e926804652265c7caddc5339f0a0f0540379890a6f580382abd39e89c

SHA512
dcb39bdd721942b62affa87babde847abd8b879a146d89b64af88a7cbfaaa8f9afbd3d5a6ecf207575bde25385fd12adccd6972eebdaf37d5be4c1e54753cb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42b52b99cf6b85c55cc5a9dfa1377f2b

SHA1
3f47b7e4b4f8e8c1d4226824486e73d98b54fc91

SHA256
cf628ac4e90b294604abab459479f24dcd24e3ceef22f8e5a9b414aff08912ae

SHA512
194f4d89fc9e48e57b560641f6ab329ab9631ddc63997ee2466b28faf81d00984dc26abbaac3c8fd0b880ab643362425cf7d65946db6f157c2e7b4f1d3f3e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a36ef46624f01ac532d96d188b6d805

SHA1
30bcd8d6ec404bbe940dbf05b2b519949c0dc007

SHA256
531776806bf07a60271cce2f58f155b62436e0140f8139e446ad34ffcba1d317

SHA512
81bb5e0ccd7fcf76742d1c4382c220384e17141d0dafc3a75b4097070f9208fc8ddb40ac6d0c685830bccb63f456173de82766fe3f7c3ccec32365415750dc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f5b2e4c2e0286192dbf70c9c41bfe54

SHA1
c6ebfab48011105816f145eddedbb7cd3eca2cf7

SHA256
32aac4c25517763077108b02d40524817886507fdf38caeeaafac4d182f32ebf

SHA512
92a18f01966bbdc7f6f04de6bc6d9314e2352afe3cd40d2f53719eaeb1e1cb96744f62bb1d480bfc11097ba267c36b5fb4774785c850dcad764b282857adfef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb287aa17785d8ad5cdb13359f4f018d

SHA1
e0b9d19c06f32146adadb5c69d7e9f394f626c57

SHA256
76918c52396903f1834addba41c8e77ff0323c0af5171665014a309ef27bb6d3

SHA512
ad9588ec99e3bbe5310fc7dea51280cdb2d5e4d40adbd0fecaae96e9e881ac0f43a97092e3b10861dd3a0f3ba5b36a605d061b229d56df8c61fc492f4883bd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f822c27ada4d11b7298b665a7b357dce

SHA1
98e9e89d9af9085db7b9084a99300d891f45e50a

SHA256
03dada1d674f5591f1f06de1e5e30ab8da4782e01d4c211e856d9eb86022038a

SHA512
4ae695f17732370932e0dc1c829251e0ec3f4a8e68509dff9837c69aaf93347b2b7b5dbca02f6bbf95675cf79316ec50bf343219f01fd738bd51f6daf1229be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5cd1ab5c34232b8b8d6dec9319f329fc

SHA1
cc842b9ff527347102c64743058716ec545a8138

SHA256
967cef540f65c2a454223058edbab1aaeffddb338c6578fe57d39593e1f79d7d

SHA512
eb562c7be5990da7ce67405e17b5650ee3b705f8fd234d5d942bf499199f764a0aa863134937749571a0ad09249bfb8730927d360b9179b0a98a147d2927bb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb23ce679adda64ee7955d9bb124940b

SHA1
418bd8a6d0be0e2b34e19aa62e0d7ee6abb7c870

SHA256
19e12f8140090d2548abe4b66248b30e5cf04e72772ad0a2fffe16d8c50a2ef0

SHA512
515dcd26c6700e1aa1045ac17d44c222cf594eb4baec56c3c032a8a4fe6628cdada273e46dbf51bfe433b34dc3b13deb6482e341f68dbb5238ff24b3ea20df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
503968cea021356e5b34d7e0acd832be

SHA1
5a482c65570862c7097064682a014f6be8e7e38d

SHA256
1bda1692b4ef37f1b60b6135f50a76ec7c14d2259c66d46e7e487f7100053189

SHA512
01b0f5e754fbe42d6f80b4e651027e2b693b76c2c92eeedf8db04659df685eb0f485a7d2deac5269bb86c8cdc3911b746495a97b148a6c2ea95a21459ec43946

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa5390dbc5fe10b8cee8b97ff0c3ceff

SHA1
31956070cb428385c10daacff2d26479607d289c

SHA256
2e4d14ad969b984303ef3019b5a18f31d638f7862d51e3ccf3d875522b8e6e20

SHA512
ce7254e3e34467054df83f59b5e3149cfa0fffdf4fec9b99f03704cc59a9881609567649d106fe740c5bed4d83d1d1228d8110503d3c90a47ece5d6aa4e5b52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
352ea3fd51808b10e0f35ae720f7b7a0

SHA1
0bf1e0889be563bb612e52de3aaf80c9f26c17bf

SHA256
17df0ff8034c28a6bf7a4f0c38e8d0b7bd43898e553d8bb6ec6de5facedf5e15

SHA512
398e63203891673e6f54a9a1b877ad5b56f78122f0cb4babc72403610c9482d78c8cea4e23bd2db313e2fe38b7a9be527db4e953948d21cda906bbd1beace055

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
464589312b3bd03beafb403eeb5a7aca

SHA1
c0220be2f0d99eec47ecde96823a45365167d5d3

SHA256
b0db74dc7440e6106f7c951ee341867ac2c171db6406dc924b45df9db3591812

SHA512
a3ff01633961e6f421d90d8561bfd3bfe40d1b52ad0114cec25277a64b240ccd0a6b640e86296c4a00296105bc468c2f05b1cc14e134901802cb123fcb579668

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
796134159f1821d21c66f2d8dc86c99e

SHA1
7f7bc5e9c4d8bd7c0156fc07f9061d24ffe38006

SHA256
83e676aa162986e4884d590bfece009f8952f5644d56aaac297ae7dc1f150bc1

SHA512
94da5d5daeb4b9a8c3f0603713f3fd60bd16f4830dc7abd5a371bab5ffc32f176e9cf2b884dd388e334e9ea0d1d515e077d25130407bcd8de56c0ec6f1476318

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09c1cfea6717315100428c8612e25046

SHA1
bf77e6a581b5686f9ce0fbceafef9c1210c60113

SHA256
b11945192a66106eeab530ee0f20c7ce8066495c4e6632096311800fe0600b6e

SHA512
65a9039d2a431e3ecbcd1d6c2a00308b7cb33f56c16e3c2a46f9e5e2d492db69ab3418dc81032eb9d956ffd875a21322225932309d57e84da6ec36c8a22b32c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80fd00a31f434b7b70c21328295aa8c1

SHA1
fa24cf0387532cebd244e8811eb97d62581b78d5

SHA256
7f60a9627dee367cf579214f76352d6a76765d9dd176be4f1dd28e5fd9ba6771

SHA512
bac880d00c90818bd39de8f30ed3b97aea9b939ae66ace47ec93004276d2c8a535116c6f9092023447024a4e9be0c804acd80e7539a7983b17b5d718ab23076c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\themeui.dll

Filesize
2.6MB

MD5
1d81652c6689543c4965fb13698400ed

SHA1
9d269c05c7586368946d1755352d52f32ccbd148

SHA256
8d8f9b41d4e26fa65f04fdd18a50926d930b45925a5ae813c0cd72e582c110a8

SHA512
7cc1f5d668c05444eeb0322fabce1a1b0fc3febfecc7c32c255d5989b1d64ebf1535b4b00a340e25788584943f60014bb3f1ff35217de803763365825df5ff06

Download Submit
C:\Windows\SysWOW64\uxtheme.dll

Filesize
240KB

MD5
5791d764ef253b4400b53d15ae6a5c17

SHA1
d197f0ca64552ae0a858582ae94e58aeb2e4a283

SHA256
9771210f4de326d030260c95988f9862e1e93770fb318909adeb3dd7f15882aa

SHA512
96e28598146268fb258da5d0d204103c4056d3b2c56c2584dd631f611ce53e40aa9256146d43b948c29835ab026bbc41d6d275dbf58c1eb3863f52046e01ea21

Download Submit
C:\Windows\UTP.exe

Filesize
49KB

MD5
e126b77aa21df82fbd267b6785b5c154

SHA1
4dabd87c4d7c3bd5d6b75157ddafafefc233cbe9

SHA256
70fc5da0c8090091e9abba82f6185f60606b0e5f5bcb3fb03e0a6289c6c911f3

SHA512
7e2ec83c395c0a0210f308f87beeab6bb0e0c5331aef24cac1513617001db3eb099fb3144b9437b9e063eb987e256c56a930b61ce686e232edf532e227e45d39

Download Submit
C:\Windows\explorer.exe

Filesize
2.7MB

MD5
ac4c51eb24aa95b77f705ab159189e24

SHA1
4583daf9442880204730fb2c8a060430640494b1

SHA256
6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

SHA512
011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

Download Submit
\Users\Admin\AppData\Local\Temp\S.exe

Filesize
1.5MB

MD5
b598f74bc5257fabd541c48ed549d1af

SHA1
7c40ae388cce2dd6363a1c6b45da5ac16add2d9c

SHA256
9ed830fc5f59c7c35195aa5d719e0b225757ed0a115a5eeba429b69d8725e5b0

SHA512
8e074d43db1b5e0eaf5e8c8cb48ac8af6b260226e86fd790e91ffa186432558059742ef639f9f58520b3dabb5f76c32bdaf96780dcf06acb33a1578300b6ab11

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe

Filesize
224KB

MD5
1dafaf48678f594b202a772905b47129

SHA1
a4c66a74d0b86370f66036c977ad763ae2b2883e

SHA256
d128551002d4323679f1db77fe3a6100ba55a14c90680caf515179d49eb589b1

SHA512
f74aea180deea6ce2e07be8f27411940c74a2c97845a9381f46ccc66f21f86000ae49aceb2c6254ca2759f607b14a12859c04c5778c63ce9c5a2e5299bbb5467

Download Submit
\Windows\SysWOW64\themeui.dll.backup

Filesize
2.6MB

MD5
5992a9df57fd5e6960fdcc2db69867f7

SHA1
c5db35169d1ca2db1a8450f49a9aa0a52facdc05

SHA256
9be3a7bedb18ab9399d2b665ee9edc553e63599f51d98a1b43e6aeb0c1e1b166

SHA512
3c118e0d263c85d04bcb0fbd169da859310e5c4f286a215e84b307fcd3944147faa44e24e6c7dfcd0a3ebf0fb09410c421316e18c934ec822d6b74cbab0af34c

Download Submit
\Windows\SysWOW64\uxtheme.dll.backup

Filesize
240KB

MD5
43964fa89ccf97ba6be34d69455ac65f

SHA1
391fa4e8020c872311e8a7daf6540687133f9496

SHA256
10e3b89a5470e1bb6f73382135dd2352f5073c1ee8485d7476cfb5122d4aaa2f

SHA512
b87b15bf18b51181971b702a3bec476db263c248f619541d1c8ced30c0d401dfd4b77a5ceb56a0a39e12cf3962b5ac62dbddee7cb5fcdf8d3cf14da898858511

Download Submit
memory/432-0-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

Filesize
4KB

Download
memory/432-12-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download
memory/432-3-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download
memory/432-2-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download
memory/432-1-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1364-52-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2724-6165-0x0000000001F30000-0x0000000001FDF000-memory.dmp

Filesize
700KB

Download
memory/2724-38-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2724-44-0x0000000000230000-0x00000000002DF000-memory.dmp

Filesize
700KB

Download
memory/2724-43-0x0000000000230000-0x00000000002DF000-memory.dmp

Filesize
700KB

Download
memory/2724-51-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2724-9531-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2724-9530-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3552-9571-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3552-20772-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3552-18647-0x00000000002D0000-0x000000000037F000-memory.dmp

Filesize
700KB

Download
memory/3552-15198-0x00000000002D0000-0x000000000037F000-memory.dmp

Filesize
700KB

Download
memory/3552-15248-0x00000000002D0000-0x000000000037F000-memory.dmp

Filesize
700KB

Download
memory/6812-9569-0x000000000A2F0000-0x000000000A39F000-memory.dmp

Filesize
700KB

Download
memory/6812-20791-0x000000000A2E0000-0x000000000A38F000-memory.dmp

Filesize
700KB

Download
memory/6812-9567-0x000000000A2E0000-0x000000000A38F000-memory.dmp

Filesize
700KB

Download
memory/6812-9382-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download
memory/6812-9311-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download
memory/6812-6169-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/6812-6171-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download
memory/6812-20746-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/6812-20748-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download
memory/6812-20747-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download
memory/6812-20777-0x0000000000620000-0x00000000006CF000-memory.dmp

Filesize
700KB

Download