Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2025, 14:18 UTC

General

  • Target

    JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe

  • Size

    875KB

  • MD5

    180db7e810bf0f1117487007f0ef09b8

  • SHA1

    149e8a5bbd67e5d9072ebc8a6f96d452c10a1c03

  • SHA256

    bac2bab7e7613b445d7f815a1cc8184747862821f82c29a8fbb6308a1f99bae6

  • SHA512

    e24797226dbc342765cb3c9b7b16f3ea8bf3a33db97ef7df2b91f56555570de5f7ca144ced81f5a91660d6d33d8a618c8ce5c73e39c66f2bc81ed5a56aa5804a

  • SSDEEP

    24576:B5T0kUJQzdHVFQlyOW8oooiAhYJWtA7q:B53UoHVFQAp5iAOgtAG

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 2 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modiloader family
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • ModiLoader Second Stage 9 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 19 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:828
  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe
      JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\Ww9OoYLk.exe
        C:\Users\Admin\Ww9OoYLk.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Users\Admin\bphis.exe
          "C:\Users\Admin\bphis.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
      • C:\Users\Admin\athost.exe
        C:\Users\Admin\athost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Users\Admin\athost.exe
          athost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2924
      • C:\Users\Admin\bthost.exe
        C:\Users\Admin\bthost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Users\Admin\bthost.exe
          bthost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1156
      • C:\Users\Admin\cthost.exe
        C:\Users\Admin\cthost.exe
        3⤵
        • Modifies security service
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • System policy modification
        PID:1344
        • C:\Users\Admin\cthost.exe
          C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\503FF\E4023.exe%C:\Users\Admin\AppData\Roaming\503FF
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2168
        • C:\Users\Admin\cthost.exe
          C:\Users\Admin\cthost.exe startC:\Program Files (x86)\FFB22\lvvm.exe%C:\Program Files (x86)\FFB22
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2764
        • C:\Program Files (x86)\LP\2315\760A.tmp
          "C:\Program Files (x86)\LP\2315\760A.tmp"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2144
      • C:\Users\Admin\dthost.exe
        C:\Users\Admin\dthost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2220
      • C:\Users\Admin\ethost.exe
        C:\Users\Admin\ethost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_180db7e810bf0f1117487007f0ef09b8.exe
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2324
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Loads dropped DLL
    PID:1020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3064
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:800

Network

    • flag-us
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      104.77.160.74
      a1363.dscg.akamai.net
      IN A
      104.77.160.93
    • flag-gb
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      104.77.160.74:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
      Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
      ETag: 0x8DD1A40E476D877
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 4de75d1f-301e-000e-252a-4c7e5a000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Thu, 23 Jan 2025 14:18:36 GMT
      Connection: keep-alive
    • flag-us
      DNS
      www.microsoft.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      23.37.198.101
    • flag-id
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      23.37.198.101:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: HqJzZuA065RHozzmOcAUiQ==
      Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
      ETag: 0x8DD34DBD43549F4
      x-ms-request-id: 32543bec-f01e-0011-1fcb-66cd5e000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Thu, 23 Jan 2025 14:18:36 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV4a4a1507.0
      ms-cv-esi: CASMicrosoftCV4a4a1507.0
      X-RTag: RT
    • flag-us
      DNS
      csc3-2004-crl.verisign.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      csc3-2004-crl.verisign.com
      IN A
      Response
    • flag-us
      DNS
      browsermmorpg.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      browsermmorpg.com
      IN A
      Response
      browsermmorpg.com
      IN A
      172.66.40.218
      browsermmorpg.com
      IN A
      172.66.43.38
    • flag-us
      DNS
      seeworldonlines.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      seeworldonlines.com
      IN A
      Response
    • flag-us
      GET
      http://browsermmorpg.com/images/cpc2.png?pr=gHZutDyMv5rJciG1J8K%2B1MWCJbP4lltXIA%3D%3D
      cthost.exe
      Remote address:
      172.66.40.218:80
      Request
      GET /images/cpc2.png?pr=gHZutDyMv5rJciG1J8K%2B1MWCJbP4lltXIA%3D%3D HTTP/1.0
      Connection: close
      Host: browsermmorpg.com
      Accept: */*
      User-Agent: chrome/9.0
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Thu, 23 Jan 2025 14:18:39 GMT
      Content-Type: text/html
      Content-Length: 167
      Connection: close
      Cache-Control: max-age=3600
      Expires: Thu, 23 Jan 2025 15:18:39 GMT
      Location: https://browsermmorpg.com/images/cpc2.png?pr=gHZutDyMv5rJciG1J8K%2B1MWCJbP4lltXIA%3D%3D
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=azTdxTEqnNY7bnDCLC%2FhXK9k4tjnxb0AaCgLwoqE4NdHYFhP827bK%2F1zHKM76fBePehXDncFHflBQlZRkDVMJltwFcnYkcWr3SGdnUZl%2BXMafREOIDN4VtLD1PhiDgEGrwzVoA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 90686a0baf943da9-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=47224&min_rtt=47224&rtt_var=23612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=160&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    • flag-us
      DNS
      webhomefordomains.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      webhomefordomains.com
      IN A
      Response
    • flag-us
      DNS
      ourthreedomains.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      ourthreedomains.com
      IN A
      Response
    • flag-us
      DNS
      www.microsoft.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      23.37.198.101
    • flag-us
      DNS
      ourdatatransfers.com
      760A.tmp
      Remote address:
      8.8.8.8:53
      Request
      ourdatatransfers.com
      IN A
      Response
    • flag-us
      DNS
      www.google.com
      cthost.exe
      Remote address:
      8.8.8.8:53
      Request
      www.google.com
      IN A
      Response
      www.google.com
      IN A
      142.250.179.228
    • flag-gb
      GET
      http://www.google.com/
      cthost.exe
      Remote address:
      142.250.179.228:80
      Request
      GET / HTTP/1.0
      Connection: close
      Host: www.google.com
      Accept: */*
      Response
      HTTP/1.0 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      x-hallmonitor-challenge: CgwI-5_JvAYQroq78QISBLXXsFM
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-etm0zKUzp8lFjb4cIOTMQg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      Date: Thu, 23 Jan 2025 14:19:39 GMT
      Server: gws
      Content-Length: 396
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: AEC=AZ6Zc-Wr2kcVkBkxqU5VgNAw9aFCYfvuPgzvPOXVrLdrX--_FmcuwTYNj-M; expires=Tue, 22-Jul-2025 14:19:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    • flag-gb
      GET
      http://www.google.com/
      cthost.exe
      Remote address:
      142.250.179.228:80
      Request
      GET / HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      x-hallmonitor-challenge: CgwI_J_JvAYQuof6lQESBLXXsFM
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-xozfDSSPLSYkmo5-_62MmQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      Date: Thu, 23 Jan 2025 14:19:40 GMT
      Server: gws
      Content-Length: 396
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: AEC=AZ6Zc-XoMXrYlGTbJElhHDwX1_0KvwWjLRyGZR5Ze82Btzz1FTSFJJVuEQ; expires=Tue, 22-Jul-2025 14:19:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
      Connection: close
    • flag-gb
      GET
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      cthost.exe
      Remote address:
      142.250.179.228:80
      Request
      GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Thu, 23 Jan 2025 14:19:40 GMT
      Pragma: no-cache
      Expires: Fri, 01 Jan 1990 00:00:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Content-Type: text/html
      Server: HTTP server (unknown)
      Content-Length: 3086
      X-XSS-Protection: 0
      Connection: close
    • 104.77.160.74:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      445 B
      1.7kB
      5
      4

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 23.37.198.101:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      439 B
      1.7kB
      5
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 127.0.0.1:80
      dthost.exe
    • 172.66.40.218:80
      http://browsermmorpg.com/images/cpc2.png?pr=gHZutDyMv5rJciG1J8K%2B1MWCJbP4lltXIA%3D%3D
      http
      cthost.exe
      436 B
      1.3kB
      6
      5

      HTTP Request

      GET http://browsermmorpg.com/images/cpc2.png?pr=gHZutDyMv5rJciG1J8K%2B1MWCJbP4lltXIA%3D%3D

      HTTP Response

      301
    • 127.0.0.1:61293
    • 142.250.179.228:80
      http://www.google.com/
      http
      cthost.exe
      302 B
      1.5kB
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 142.250.179.228:80
      http://www.google.com/
      http
      cthost.exe
      307 B
      1.5kB
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 142.250.179.228:80
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
      http
      cthost.exe
      526 B
      3.7kB
      6
      7

      HTTP Request

      GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPufybwGIjDkeB-dhfnsRvZqnqQ7y1tB7CZXeEVxrHqZN0zfzvSXt0K58UnfbVvG6AD5UjLkukkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

      HTTP Response

      429
    • 127.0.0.1:61293
      cthost.exe
      152 B
      3
    • 69.29.108.221:25700
      netsvcs
      152 B
      3
    • 184.253.48.64:25700
      netsvcs
      152 B
      3
    • 186.98.158.136:25700
      netsvcs
      152 B
      3
    • 174.69.122.126:25700
      netsvcs
      152 B
      3
    • 68.63.43.33:25700
      netsvcs
      152 B
      3
    • 184.167.74.193:25700
      netsvcs
      152 B
      3
    • 98.65.245.241:25700
      netsvcs
      152 B
      3
    • 207.98.202.154:25700
      netsvcs
      152 B
      3
    • 187.116.146.217:25700
      netsvcs
      152 B
      40 B
      3
      1
    • 8.8.8.8:53
      crl.microsoft.com
      dns
      63 B
      162 B
      1
      1

      DNS Request

      crl.microsoft.com

      DNS Response

      104.77.160.74
      104.77.160.93

    • 8.8.8.8:53
      www.microsoft.com
      dns
      cthost.exe
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      23.37.198.101

    • 8.8.8.8:53
      csc3-2004-crl.verisign.com
      dns
      cthost.exe
      72 B
      127 B
      1
      1

      DNS Request

      csc3-2004-crl.verisign.com

    • 8.8.8.8:53
      browsermmorpg.com
      dns
      cthost.exe
      63 B
      95 B
      1
      1

      DNS Request

      browsermmorpg.com

      DNS Response

      172.66.40.218
      172.66.43.38

    • 8.8.8.8:53
      seeworldonlines.com
      dns
      cthost.exe
      65 B
      138 B
      1
      1

      DNS Request

      seeworldonlines.com

    • 8.8.8.8:53
      webhomefordomains.com
      dns
      cthost.exe
      67 B
      140 B
      1
      1

      DNS Request

      webhomefordomains.com

    • 8.8.8.8:53
      ourthreedomains.com
      dns
      cthost.exe
      65 B
      138 B
      1
      1

      DNS Request

      ourthreedomains.com

    • 8.8.8.8:53
      www.microsoft.com
      dns
      cthost.exe
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      23.37.198.101

    • 8.8.8.8:53
      ourdatatransfers.com
      dns
      760A.tmp
      66 B
      139 B
      1
      1

      DNS Request

      ourdatatransfers.com

    • 8.8.8.8:53
      www.google.com
      dns
      cthost.exe
      60 B
      76 B
      1
      1

      DNS Request

      www.google.com

      DNS Response

      142.250.179.228

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\LP\2315\760A.tmp

      Filesize

      95KB

      MD5

      a1d80ed250788260ffd66258555a4876

      SHA1

      10b81c2cdc4a7d645f9058c220587fac79281351

      SHA256

      d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3

      SHA512

      fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8

    • C:\Users\Admin\AppData\Roaming\503FF\FB22.03F

      Filesize

      600B

      MD5

      8ba7b4e7f11aa9ea8df14e7c744feaea

      SHA1

      786ca648d81fff87314f50257ec9f104dc9946bd

      SHA256

      38d508f4a13676e02c01c7e0533db7aab4fff58f4519d98250d3baca257190f6

      SHA512

      2d06723b31e6f8825a8f9afe651af191a79a20ab70278bc7c4252d11dbeb237f6cbf9a3df7a3b08a3c73b3409abddad4f790845ee3a70d52df5f36e57fbd1889

    • C:\Users\Admin\AppData\Roaming\503FF\FB22.03F

      Filesize

      996B

      MD5

      eadfdef7239a823e387274c96da316af

      SHA1

      710449aab4386745f6176c20f2cac521536c0d19

      SHA256

      83df357e9e2e9289ebb3a0dd20ddc72fb23279332fb733e3099659fde1c78f3a

      SHA512

      8c37c57b4fa878afad4a3e8a227a0409680144223a21098c377ec732ab6a22a3a5b0b1c2cdb42c3b9ee755ffa7841791606015fb5f9a6e49a8ed37c2c80bf746

    • C:\Users\Admin\AppData\Roaming\503FF\FB22.03F

      Filesize

      1KB

      MD5

      67a5727af823fb7dcab537006aa75973

      SHA1

      df2577b42816f650c62d450b6df3962611b84fea

      SHA256

      22382ba625a5579d198b55ffb272c8b207f00cb8872cc7c3a82e347a026607d1

      SHA512

      352047493aeb3b544b3bbc986a1514b9553d193487b42c05d695f273e56ed1b88e5d4415dc37e031660776db9413a0b7eca4dcdead614eee4c309fe066402a88

    • \??\globalroot\systemroot\assembly\temp\@

      Filesize

      2KB

      MD5

      142e42aa8e3bbb3109ede01c39060ff3

      SHA1

      29c25951f236bc372c24f01122c891d5b5351f68

      SHA256

      887c2149fa7e8e52beeb718d9026bb6789d5fcb2dc21475672fdc25b790bff5a

      SHA512

      860b7966ef67c30025bb5d8c51e8ee1427b269887576b0c7df82993f27201cd14500b16338fa46a94cb442be7527d7f6b362d8ce61e69cfe8ead3bf49031d867

    • \Users\Admin\Ww9OoYLk.exe

      Filesize

      256KB

      MD5

      77e425fe955cbc4b6245cf8a3ed645b3

      SHA1

      921dad95a28283f2138e8c36d4cbf295572d33ac

      SHA256

      86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809

      SHA512

      ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b

    • \Users\Admin\athost.exe

      Filesize

      263KB

      MD5

      6b7d559166467ef651497836feef65e3

      SHA1

      9edda6cd07a1960ba52abe17fc7402ff93d44ce6

      SHA256

      6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0

      SHA512

      d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356

    • \Users\Admin\bphis.exe

      Filesize

      256KB

      MD5

      481d069bbaa141ef34eb9c48163a6a49

      SHA1

      b7aa8b66c16b11a15108129f20379906732ddda6

      SHA256

      63e856189d5381c37b128d6aa5307c5b8780ee66dce52b93509d2daceef93cf0

      SHA512

      2543828694531ad966443cad95f7dae47c55ad95543ef4c2a417b228a885444673160a6ca6f217c647892694a758e8d6b379cf7d34d845400af573ffe562bbb7

    • \Users\Admin\bthost.exe

      Filesize

      153KB

      MD5

      f28e94ce33674d8cf13f31bb5f20f745

      SHA1

      e79332b18af7b31caa195956c23303d35c2808c8

      SHA256

      42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f

      SHA512

      8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112

    • \Users\Admin\cthost.exe

      Filesize

      278KB

      MD5

      d0bf4ea3b6fc02afd2c6ed5f4b0d142e

      SHA1

      2187968df184c18f945497dd410f90f4b6ff186d

      SHA256

      3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0

      SHA512

      e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4

    • \Users\Admin\dthost.exe

      Filesize

      227KB

      MD5

      d39d17b38909180b0c65cb4081154100

      SHA1

      b7a11d389d940273b91dd9ddb11137404eedceea

      SHA256

      590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3

      SHA512

      5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6

    • \Users\Admin\ethost.exe

      Filesize

      24KB

      MD5

      b38b2a8c25efb39b245dbfa6c1ccc29b

      SHA1

      62fda766006bfbccbfaade649ceb29764c216ea4

      SHA256

      1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d

      SHA512

      8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d

    • \Windows\System32\consrv.dll

      Filesize

      53KB

      MD5

      63e99b675a1337db6d8430195ea3efd2

      SHA1

      1baead2bf8f433dc82f9b2c03fd65ce697a92155

      SHA256

      6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

      SHA512

      f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

    • \Windows\assembly\GAC_32\Desktop.ini

      Filesize

      4KB

      MD5

      758f90d425814ea5a1d2694e44e7e295

      SHA1

      64d61731255ef2c3060868f92f6b81b4c9b5fe29

      SHA256

      896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433

      SHA512

      11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

    • \Windows\assembly\GAC_64\Desktop.ini

      Filesize

      5KB

      MD5

      92f9cdae857253a3895faffa85b3d8b9

      SHA1

      d28352ff5a02eeb98334e3d0f845a259b2aacff3

      SHA256

      5653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b

      SHA512

      f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6

    • memory/336-132-0x0000000002550000-0x0000000002562000-memory.dmp

      Filesize

      72KB

    • memory/916-88-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/1156-82-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-80-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-78-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-93-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-92-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-91-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1156-86-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/1344-165-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/1576-9-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1808-122-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/1808-118-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/1808-138-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/1808-126-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/1808-124-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/1808-123-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/1808-113-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/1808-114-0x0000000002080000-0x00000000020C5000-memory.dmp

      Filesize

      276KB

    • memory/2168-153-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB

    • memory/2284-105-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-11-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-110-0x0000000000370000-0x00000000003D6000-memory.dmp

      Filesize

      408KB

    • memory/2284-12-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-111-0x0000000000370000-0x00000000003D6000-memory.dmp

      Filesize

      408KB

    • memory/2284-15-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-3-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-354-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2284-8-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-0-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2284-2-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

    • memory/2556-66-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2924-69-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-51-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-163-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-59-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-55-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-65-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-61-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2924-53-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB