agenttesla | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Size

858KB
MD5

ab816e184fb037214548c813795ede45
SHA1

19ee539d547e67119f0314a261c7220bf5a8399f
SHA256

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3
SHA512

70464e04a7c6777836c35354b5e28ea3fa41adbb498d268756d42b341752962fb055769302cc17cc38ea1c19c053dda0c9f8b3fb469fdfb7993802d2f875a933
SSDEEP

24576:/EN973phvt8tmUdkw1xG8fFjGMaOnO+pwFL9N09PPP:/EN973PvEL2wHBODLcPX

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-11-0x0000000000080000-0x00000000000DE000-memory.dmp	family_agenttesla
behavioral1/memory/2200-10-0x0000000000080000-0x00000000000DE000-memory.dmp	family_agenttesla
behavioral1/memory/2200-3-0x0000000000080000-0x00000000000DE000-memory.dmp	family_agenttesla
behavioral1/memory/1552-954-0x00000000000F0000-0x000000000014E000-memory.dmp	family_agenttesla
behavioral1/memory/1552-962-0x00000000000F0000-0x000000000014E000-memory.dmp	family_agenttesla
behavioral1/memory/1552-961-0x00000000000F0000-0x000000000014E000-memory.dmp	family_agenttesla
behavioral1/memory/2416-1679-0x00000000000C0000-0x000000000011E000-memory.dmp	family_agenttesla
behavioral1/memory/2416-1687-0x00000000000C0000-0x000000000011E000-memory.dmp	family_agenttesla
behavioral1/memory/2416-1686-0x00000000000C0000-0x000000000011E000-memory.dmp	family_agenttesla
behavioral1/memory/1740-1977-0x0000000000110000-0x000000000016E000-memory.dmp	family_agenttesla
behavioral1/memory/1740-1985-0x0000000000110000-0x000000000016E000-memory.dmp	family_agenttesla
behavioral1/memory/1740-1984-0x0000000000110000-0x000000000016E000-memory.dmp	family_agenttesla

Executes dropped EXE 6 IoCs

Processes:

mighost.exemighost.exemighost.exemighost.exemighost.exemighost.exe

pid process

288 mighost.exe
1552 mighost.exe
1648 mighost.exe
2416 mighost.exe
540 mighost.exe
1740 mighost.exe

pid	process
288	mighost.exe
1552	mighost.exe
1648	mighost.exe
2416	mighost.exe
540	mighost.exe
1740	mighost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000EC0000-0x000000000105E000-memory.dmp	upx
behavioral1/memory/2200-13-0x0000000000EC0000-0x000000000105E000-memory.dmp	upx
behavioral1/memory/3016-515-0x0000000000EC0000-0x000000000105E000-memory.dmp	upx
behavioral1/memory/3016-948-0x0000000000EC0000-0x000000000105E000-memory.dmp	upx
C:\Users\Admin\cdp\mighost.exe	upx
behavioral1/memory/288-951-0x0000000000A40000-0x0000000000BDE000-memory.dmp	upx
behavioral1/memory/288-1244-0x0000000000A40000-0x0000000000BDE000-memory.dmp	upx
behavioral1/memory/288-1245-0x0000000000A40000-0x0000000000BDE000-memory.dmp	upx
behavioral1/memory/1648-1676-0x0000000000A50000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/2416-1688-0x0000000000A50000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/1648-1968-0x0000000000A50000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/1648-1972-0x0000000000A50000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/540-1974-0x0000000000FC0000-0x000000000115E000-memory.dmp	upx
behavioral1/memory/1740-1986-0x0000000000FC0000-0x000000000115E000-memory.dmp	upx

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3016-515-0x0000000000EC0000-0x000000000105E000-memory.dmp	autoit_exe
behavioral1/memory/3016-948-0x0000000000EC0000-0x000000000105E000-memory.dmp	autoit_exe
behavioral1/memory/288-1244-0x0000000000A40000-0x0000000000BDE000-memory.dmp	autoit_exe
behavioral1/memory/288-1245-0x0000000000A40000-0x0000000000BDE000-memory.dmp	autoit_exe
behavioral1/memory/1648-1968-0x0000000000A50000-0x0000000000BEE000-memory.dmp	autoit_exe
behavioral1/memory/1648-1972-0x0000000000A50000-0x0000000000BEE000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemighost.exemighost.exemighost.exe

description	pid	process	target process
PID 3016 set thread context of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 288 set thread context of 1552	288	mighost.exe	mighost.exe
PID 1648 set thread context of 2416	1648	mighost.exe	mighost.exe
PID 540 set thread context of 1740	540	mighost.exe	mighost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F3E541-3746-11EF-B02E-F637117826CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000001c8364d37adbf5115b89472b713047ca47ccf640e108bf791d3b4969bba8efbd000000000e8000000002000020000000b2bad69e0a32be1adc5ea968503e1f0c74332566029e22aa33cb3b61e4c7b5ce9000000048e0ce9dda34ddc74a0d46a064aab21ae974c5b69fab223ca27b42a2a8ca26e4a03a0dea6372f2fc34fbb58fc8d66e6229840b686bdc3b8df0fcea269cc001a29530c059d9eb9dc9eee400ebde5842a7989bf21acd35dab85381e19b3a010947f388f7be4660491f8b7c4e36b3d7f9bc03783aa4a97094e9d12b1cfcbbbe36c07bbe6add8237428ca84165e0e6b61cff40000000081ed26b2a352eee13c7fe957b2a84477930907e96ff697bb892382218adddfd84d6b7f72eb60316ae9999cbc481c51edbb54b8e34666d91ae73598a6ab0525c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425957809"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000006590e4423bd266fa89386cbe8d2cdacd577f1688ad5c2a0d53709d0baaa034a7000000000e80000000020000200000005862b22276446bb5f60116bfdfc8b28f02b001926e72daa4109b19ee1868ec4520000000f265769b3bdb92774bf69c9aaf85d48d5b0614af052d90bd49adf0ff2e92c64b40000000bf2b640b4d5750b0e2da6ff14c4661808c741c0f25643df9bd1d46b8142226a1891509c1f52fa429b11de53aed870aea636b3f770807c813c493a76513c4cf6d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002e86d852cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2192 schtasks.exe
1800 schtasks.exe
2700 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iexplore.exe

pid process

856 iexplore.exe
856 iexplore.exe

pid	process
2192	schtasks.exe
1800	schtasks.exe
2700	schtasks.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exeiexplore.exemighost.exemighost.exemighost.exe

pid	process
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
856	iexplore.exe
288	mighost.exe
288	mighost.exe
288	mighost.exe
1648	mighost.exe
1648	mighost.exe
1648	mighost.exe
540	mighost.exe
540	mighost.exe
540	mighost.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exemighost.exemighost.exemighost.exe

pid	process
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
288	mighost.exe
288	mighost.exe
288	mighost.exe
1648	mighost.exe
1648	mighost.exe
1648	mighost.exe
540	mighost.exe
540	mighost.exe
540	mighost.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
856	iexplore.exe
856	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exeiexplore.exetaskeng.exemighost.exemighost.exemighost.exe

description	pid	process	target process
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 3016 wrote to memory of 2200	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 2200 wrote to memory of 856	2200	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	iexplore.exe
PID 2200 wrote to memory of 856	2200	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	iexplore.exe
PID 2200 wrote to memory of 856	2200	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	iexplore.exe
PID 2200 wrote to memory of 856	2200	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	iexplore.exe
PID 856 wrote to memory of 2952	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2952	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2952	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2952	856	iexplore.exe	IEXPLORE.EXE
PID 3016 wrote to memory of 1800	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	schtasks.exe
PID 3016 wrote to memory of 1800	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	schtasks.exe
PID 3016 wrote to memory of 1800	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	schtasks.exe
PID 3016 wrote to memory of 1800	3016	1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe	schtasks.exe
PID 2136 wrote to memory of 288	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 288	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 288	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 288	2136	taskeng.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 288 wrote to memory of 1552	288	mighost.exe	mighost.exe
PID 856 wrote to memory of 2632	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2632	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2632	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2632	856	iexplore.exe	IEXPLORE.EXE
PID 288 wrote to memory of 2700	288	mighost.exe	schtasks.exe
PID 288 wrote to memory of 2700	288	mighost.exe	schtasks.exe
PID 288 wrote to memory of 2700	288	mighost.exe	schtasks.exe
PID 288 wrote to memory of 2700	288	mighost.exe	schtasks.exe
PID 2136 wrote to memory of 1648	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 1648	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 1648	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 1648	2136	taskeng.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 1648 wrote to memory of 2416	1648	mighost.exe	mighost.exe
PID 856 wrote to memory of 2352	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2352	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2352	856	iexplore.exe	IEXPLORE.EXE
PID 856 wrote to memory of 2352	856	iexplore.exe	IEXPLORE.EXE
PID 1648 wrote to memory of 2192	1648	mighost.exe	schtasks.exe
PID 1648 wrote to memory of 2192	1648	mighost.exe	schtasks.exe
PID 1648 wrote to memory of 2192	1648	mighost.exe	schtasks.exe
PID 1648 wrote to memory of 2192	1648	mighost.exe	schtasks.exe
PID 2136 wrote to memory of 540	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 540	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 540	2136	taskeng.exe	mighost.exe
PID 2136 wrote to memory of 540	2136	taskeng.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe
PID 540 wrote to memory of 1740	540	mighost.exe	mighost.exe

C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
"C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
"C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275475 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:472087 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:603170 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\taskeng.exe
taskeng.exe {7A0592E7-656C-4B95-8CBA-E236D7AB37F7} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\cdp\mighost.exe
"C:\Users\Admin\cdp\mighost.exe"
3⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\cdp\mighost.exe
"C:\Users\Admin\cdp\mighost.exe"
3⤵
- Executes dropped EXE
PID:2416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Users\Admin\cdp\mighost.exe
C:\Users\Admin\cdp\mighost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\cdp\mighost.exe
"C:\Users\Admin\cdp\mighost.exe"
3⤵
- Executes dropped EXE
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize
252B

MD5
5d6e010d18d362a9dda61be64ae6629b

SHA1
405d1460553395c2c08cc01dea127ada79b90769

SHA256
83216262dabc7396b3074ce6434c8667e5f9bec8b09ac205f18ce8f6b19ead03

SHA512
7aa61fa2d3e73ae73633555a03ecc4cc5c74aa95b6213a861cebdfba54f4fb15bec9bdbc9ce976f7945bfc1f876118efcdda18111eb403c9524b28c54dd71355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
40a6140b3e934010f67dc41b5c0b8bb6

SHA1
e2b56df63369e7a8df2eac2506ebbeee3f376f6b

SHA256
d8b835118b2c63f949f4238ab8b40367003eeba1bcccfdbcde9c2504c1ca3fae

SHA512
4cd5a2c5079b759c0a49efce796dfa46ac33af43bbbfbac62ab525a42d9e0f9cde941a358195c4b17fc506b831247531abe9637b423ad9bee5330a60d11a19ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dc769b94c32f779a0db66830b3fa1d5c

SHA1
cf4440c0ec897f3fb7925825b23978efa528b915

SHA256
e1d2d47e33034563e83b3eebddf31ba6ec0e9463b24d16a97886d7125aeda6b4

SHA512
f54952c6e37c040e4de3a12605d76768d23e27b3a60deccb710b3795c4efb93affbc7d62d1ae5d28d1a705f1e13dc632a18bc53b7ca57a16b23950773b4d2a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fa294d0e4ae8377bee8a760ec7e5e5d9

SHA1
a12fdb17a316db1fcb62d78d825501123d575f9c

SHA256
8d7e1fcf5eb32e4c708b090d3cccb7f7292cbf421387a0e4771864ecc5d9704d

SHA512
99055999078fb3ce546b260d9cf47fd62b8b89e0064103d837b37f55cfe6475e0372d85013e2eb43d5f386caf800b54437439d72547db601f0a78665d2d252cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3f913437e4131527855d9e0680b7a808

SHA1
99a1bcc677686fbb2c17c869f15e618877afd774

SHA256
0a0cd2246c387f7fa87227204d89bffe59887baec832304fb883c1f7f8c1e5ba

SHA512
383bb311df12a543620e5bcec554a46b40194fc6a894a95a807cd9e685340bf879a0c0cb523dcd00434faaf6b946158fff2fce96d9bafaf33e10ad6029129b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7192751235b26d6e726f3051ea3ed9e3

SHA1
aeef7238fe353ac581355e4c3867e6542e6dbbc2

SHA256
be47e51480c52afd592f4ff1c103015120eabfbde8d24cdd2d47cb7b92055b6b

SHA512
d0e736b033430aecda75b6e04aaeb1e00e912c2bd803ccbac6009af85991257622fe2858c6d32ddcf90da81bea5781a7a52dc22df8f83af464de357f1ac895f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0fce41e011f49590dd3b33d0d3511cf5

SHA1
e9a27a5509089e2fdb65d56ce44eedcd8db7db21

SHA256
cc2094112a3840d335c6161b66e6ed1170fd5f88cdad8cc18db2c68275f6357c

SHA512
d7eafba3d47be8fd57af45e326f0a65042fe4cf4650266694e4394c9506a22d08ba39d4cd1cdc4ab3c02bc9488cc690f9101bf1407f8de315e1ef670e475a753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2dec700bb1dedaf3fe751833ded7600d

SHA1
116cbcc84c1ac38b46ccc20a62f6ecb7f16ae55d

SHA256
244485a3c2b62d30c0b7fc64ab8cfa7db59a43794ebf6a2b18a2c7e2cd5f29e7

SHA512
c32f37dddf1e41c4454ff50eb396d44ebb802315f74ab607de22208250dc66e625470ddeeecb0bc3e5f2f103a86110ecf5485c4e59f713e607f28cef43c7d4ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f548c9baffea04a3952201457ea1e424

SHA1
c20eb3e8a29648d39c7e0b89d3de5f5ae16080c1

SHA256
4883c2453140bea0248ff57cb771529b6c19ef59ce9de428a4bc5796a3f16f0f

SHA512
615db79362cc9f6adc477278beab7b52bec5185cf50dce7e7daf8aa4261b8b295d06e5452e6aa3002cbf428199fc012561b725156110fe8789755da6ed239b16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1c18044f44ecdeb3a53194811025c82c

SHA1
77217c9ed7c1b1c0e4063330356f2cde2f1b21b1

SHA256
8cda0cfe88d57c23cd7bc30f5040a11fd17ed27d5d9ef6ae69126abf367496e2

SHA512
30f110b1cec43dd9a4086b3b5ec840e79682c860b059813fb95a9d071af0f1828888fb46459f740380b52126c0b0051b706b8ecacbf82d727b7b5f1d7be51541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f5fd35714e416c3c74d270c96c912573

SHA1
a9661d326f34f08153d1e93a2e2fcd6ac51c4979

SHA256
c3f938fef5c1d0b536e7d734ecfa844ebeab55c51e2117d8e77239454b28a343

SHA512
07a99e2c6bb067f2bbe2b6fa2083e234eebdcd88cbdbdd2c231f7a3dccd3dbf964479930f78c8f96af81d19ada52ada42d396476bb69a151fa3b07b01cf075b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
31617745b0595431f1ee6d1d3648dade

SHA1
fd5d362cefd5229c00a4a84e4643b5a8a7de8bfa

SHA256
d8910dbcee127733bbf304dbb725a3dac9f384d73cfffbe9385240ec44d0056e

SHA512
88c78d31db5f2db25bb8c8911e18cccdc54003e080f754daae9cedcbc628ee94c7199a188a305e618ae41094cdecdddaabd2cd26ef2f76d22736973b0b564fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0699df1c7f4378b3d512d7634967216e

SHA1
7232da2ca10949449cbb4cff921bc8ada52649d5

SHA256
fb5417e26903ad89994e6583930e9ae4a4721e0dcc1ac763eb2663ad38379220

SHA512
6712f3976e7dc3e8fa5db9f343b0fdae7488db8175f51f54ea52a80165d3b00997d0e184b71e66d7f3d25581e1b1abdf7717fbfeccd10787124ba543b27403ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0171df758c866f3058a72c5327b57204

SHA1
65302cf2a564e37addec54968e49a04b0e4a47b8

SHA256
29e841491773f67b6e2a81330f7d67643440d17f89d0b02aa750cd5510f85d5a

SHA512
e3201d50f423b59ade404047b2e9b891e37102b3542d2829e5c50209832e8812e4405ff6dbde20457152b927632611df6283bf7ae90787fdc95a6907af569ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7e1de02d926ed5a78ac423dfd8c4f752

SHA1
661e6409e322b8d76883ab7a93acb7cd8e8ccdbf

SHA256
358a2554c27536e85307f695719fcc1b4ae364e070bf55862ddbd604d54829eb

SHA512
f8c7c3393b14e8d2a9970e62ee4ee9738f21c3f22a28c741d05450ada9a89366047aaf93187e3c6566545ef2c0b29bfb838431392de5775ab64b01a6ba2c56b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8a2d04cf2090ed8fde6c46f3fa1b886b

SHA1
25f28cec2c889bb2ce5b0888e97b715ab44dca0a

SHA256
30704108a76e71914be2fc9691a7e6f81da0520db9ffa58ff8b2f38b86bcebef

SHA512
4e4111a66ddd392d46c6325a038ddf668f57c32ed92b74fea11787636ec8d995f2baf877b4b00f62e8a07b851392c4f05860bafaf4d4a17587a0b54e44631818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9dfcf6737b25352bf85f84630e90e8aa

SHA1
0244362b57e53614a08a7ba68ec1394fc23f3d29

SHA256
cd93db5101f35134c25e171a492c98f310621eb3c2855c41623143eaa6c81a02

SHA512
65f9d4fca8f2d5d9db3cb5384641027df625c0d2b4298bac2e00a7b0b6353ba441ce51ef586ba94f7b2621d87b94bffb6596b06368204bd4cef13cc79e53bbea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cd8749177b68a3e513764edf876a5c67

SHA1
e6f65481544e8f59184c6cf90031e3061c46c8a4

SHA256
7c7154748cde5a6c48bcbc10e63db10c3760feae3de7b2053e20edcf4d75f118

SHA512
986ca82c7c4e17a0d8d5f51016eb673d2f1599f2e2eb7464de1f306df60586b63f94f3fce036dfa6aa6e3e802e2219653c18da883759713ff87e45887872d3ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a10bb67f6796627286cfdfe91f7e67f5

SHA1
44166dc37d391360e5559001959d33dd2a9c67e4

SHA256
665d8f83dbb245d947b55c9ebae6c4763ce72e9af57290075f63579eab0f4b99

SHA512
5e475e9fcaae671e54d55bb520d542f14598848b758e627841bbddeccee6ec3b98299d3f645577943cf18eeb309bc438d83f7fdd67a8a84c549f4330df28566e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3c6ea7deeac8bc526d175ab2ea5bc30a

SHA1
625d0806d2e0e984ff52c34fdfe48c98b86f1d26

SHA256
f0c031be8540665b9dbbcfab13165077b0a1228719f2ec86b9edcae3808171d0

SHA512
e1caae4ffb15a4aee5b8e6312a852e6b427562487e7ee275feefa7755d0ef2bbe96897ec7e073997a0d7cd792c546740db1d8d16f6c4ef271344fb7cfc42664d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2abe6d36eeed6925bc0acde93e8d6c75

SHA1
252bafcf15649457f85345e89f96e34e8f6c87e7

SHA256
4a9a643e2a7872149c1e91b5198209c71884f7a24bb59b197280ddca36586b15

SHA512
0d1c654cb7f0980892628f63ea0345d74a306f7a807a44a7c1549431de449b962753246f6807b70ea00f63d7f10dead8c0529749adcb6e5e0d1d20813ac0c699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
409b2dd3fdc315915396f44cd193ae07

SHA1
b246a814a94d3be9c869b149427c313a5613eec4

SHA256
1f0cf6c7f0862b30769185918e77c0b161091bc3264c3c3983557f23f8b74c98

SHA512
4966cff9f6702239dc0f6fb9851ae8fb74034caa9a75e8a150d6b2591e268e4c304e8d693045e7afa7c3ab2daf4a9965017f13654f9af08d00fd284f7ec89de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c4c3e259b289456bcb7060a3ad763719

SHA1
0b91268625abff5efef812d2617bf44eedc9de28

SHA256
82060ab5073f7ce5ce0ceaaae4aa96143d83f56eadb66eb7739c581eb371bb56

SHA512
fa1df35c8837edca298b2dbb5521379e106a6cf42436c6fef373007789a2c843a88832048227efd83bd06538e5fb818dd01c62a956afa031ad633fd2ba1cb583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1273814421463358ab8e80b786d4ad81

SHA1
f58312536ba219a35b90565ea826c74bcebc19d9

SHA256
18cff2031284ab07fee019cb040832d09a84512ef32f9e36ad5b7f5566fc09c6

SHA512
4ba3c4c1caa5f44321f1282dc01ea0c8c21bb4a74b37f93383ed4a92237d3e938731bb65ec91d2cb5a36159f5533b2a426cd0e62d716d7335e9b8f14793d9a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8909c315078ddbbfe9e15922329ea639

SHA1
a3ff74ee2e4b9b8785c5d13d7c4d561a7fb22026

SHA256
b263954f71c383f0f6f834e08a750f731cf970e97a9dce4294d269a88c84cc8c

SHA512
96a28cc0535892a8005445cc7113383dfaa9275059c9f4007f9f5f8a50ead7d20a36ee4b0db12480a5ece64cbc3e00051174a5eb289d7f71f59dabed1c94e5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5ad279cc73a4e1eaf75acc6197da8130

SHA1
009a54b14e519d27cd35a0e7a7d98178d35a8fff

SHA256
1485a9e693405cba4b2fb0cce51770aad20afe32861e8c0ffbad241e810a583b

SHA512
a10f960cc275b8893a3b1b8727504f3c95c048d978cc98f7fe25716930072935dc2a613fc9fa6c443c189ff6cdc02a38cf583192cb3e5629763bea33e6f49951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e43547092ce32249d90953231ac3600e

SHA1
f7054a99dca4ba7a97ce792e749521a3f95eb825

SHA256
16b473bb1f9328fc9d1f8c798364879a1175d16bd3f7e1b771eb2f36122137ca

SHA512
5cdfb344a4b016729abd19b26dde5cf9b43fd4ad559360352ab50da4b78db8ad5ff8d2187eb4c2d0d83c2ae9501a5bee7ded3d3f10c04925c572ed7943315681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
77abf3884dc3aba11e49f57ec01cc1c1

SHA1
e9fad2b44c2aae3deeea0ca5c52b735e3edeb47f

SHA256
d109b0a77f065b4da5064ffeefc5a95f9a9b63569d823127a42473bbdd10f16e

SHA512
4d5a40af8e05558e638fe4c4f4ebd9de18d6c7abe7f1a8c88a079b7e9355fc059e9ae05865f04362a7516b92293b477a35191c2c45887bbba653978414c2cad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
896e21496a3df7714e0dac7ca8a28176

SHA1
9578b1bcf1f2ebacedc451818cc188fd0a9b065f

SHA256
26f9fcc3533236e5a1614047c64a7c9402a9a3b7ea77f3549e060bd2bd4bd7c3

SHA512
42fb620f784f9ad9decc8aadfaef8b1fd2062a776634cf0227121f64235ee08635930886edb63dbeedde4d639fb155443488f4328efc3bc2d2601feb364d6aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1ecbf34322185690bf3ede34b396a0be

SHA1
83d0b72766bf7996cad2c5fd81c3dfdd294f35d5

SHA256
660a212caad40ef4a0c7383100bc490e98387e5b71f174070ff8fdf22c2faf3e

SHA512
97078cb6902a45608f2db697135ecf1982f29c86a011043e7476632c828ac1de632dcf9b6912f49d02c8100ddb3b6c6468e7ce0858d0392a8e8324a8b383c9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e94472178026e520589e41c33d1604ae

SHA1
41411ac03101ff0547f5cd3b0ee0adf99a50aca9

SHA256
b64d62851efea6d2ec9db462d7bc8622f61acb0843c524b0f3f31aae2bb7057a

SHA512
6f0a46bac9d6ae630a4929e8d1cdc0dede227571f500f0b25273c07c79ea22d1249c4d9e2ec6905b0785f7e775cc286a511260f4e60a61ee39d76d938492df0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b1d5916ade03e5f5b51c1bf205dc6657

SHA1
ad29869b4a40dfed4d309531cb0a774b575946e7

SHA256
ee5dfe6226e59637d2580af2ff38a624a602cb1032e03962751b12d0a2a46690

SHA512
2f69127a145c2b72223ae8195d24cfcd468d7e346ec5894e0f2ff19dfdeaac55c1aaf5bd9161e7438950086f4e77fa396ae96a496eef1d93b429e291d325b97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ba42f1a65dd7bdc0022cfb6b57bf5ece

SHA1
2522e85fab38ad7452e5879042c4b082d50f2eae

SHA256
e88ceb5d70d4ea406537c7d390903ffde6d18657491894af55902d928599fa41

SHA512
012dece1715b7218850428ef2451715655c24ab6df4e92174b2ea5c266e1f6eeef06bf90afbd6307b5c423bfb6ff9ec57b43a6bca55ea580fba5aacd7cd3afe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
af3010c4d725556ba43a9f84c30e89d8

SHA1
5e459051ad2f77fdedb6ec836f0654f4eb4e23e3

SHA256
6bf321fa6c25fb01f7c0d64a3033b0a5ed86608ed52a4b92620dacd0de78e76e

SHA512
af2ca35145b38e29460ba4daf33a209ffa41a38a4be65f5ed7b0e7b86a545a06c0a574eb8f8039c7a801bb8db08bb86786d8d0fca78f41428d44ab9c5620892a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
df92f1a8b68eb3c4be48c2989ad108eb

SHA1
113ea8483f996ff3569817b7e1f7328b6d79594b

SHA256
89dbcbd7a777e3666c7418616099636c85d987debf02e4391938ac3a446f3166

SHA512
bd670e5fb9db11304420309d6dd0d12b6f5212b17e61d828b44f96400b8f28f74cd6e378bbf22f38ddd3ae70b16d77973bd5fcc42265a9aefe48194764f1e471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3073.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3118.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\cdp\mighost.exe
Filesize
858KB

MD5
b5686b5380e46eedb2a2c42e74bd1909

SHA1
ec62ce724505b1dbfd3936757fa4b7243b4c3ff5

SHA256
6a88a319546f2c4eb12bebd2e704cd1ea0f6ddc44f8a9d1cfe8a0f2d44530f3c

SHA512
43cd0e0c1371342b24dd3d7a747e12d16e6bc7f4970231d6273ff79b98997751c989ef95e72cedb3287bd01cd086c77768e9596e2a37b3dc0ca5598545895299

Download Submit
memory/288-1244-0x0000000000A40000-0x0000000000BDE000-memory.dmp

Filesize
1.6MB

Download
memory/288-1245-0x0000000000A40000-0x0000000000BDE000-memory.dmp

Filesize
1.6MB

Download
memory/288-951-0x0000000000A40000-0x0000000000BDE000-memory.dmp

Filesize
1.6MB

Download
memory/540-1974-0x0000000000FC0000-0x000000000115E000-memory.dmp

Filesize
1.6MB

Download
memory/1552-962-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/1552-958-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1552-954-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/1552-961-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/1648-1676-0x0000000000A50000-0x0000000000BEE000-memory.dmp

Filesize
1.6MB

Download
memory/1648-1968-0x0000000000A50000-0x0000000000BEE000-memory.dmp

Filesize
1.6MB

Download
memory/1648-1972-0x0000000000A50000-0x0000000000BEE000-memory.dmp

Filesize
1.6MB

Download
memory/1740-1984-0x0000000000110000-0x000000000016E000-memory.dmp

Filesize
376KB

Download
memory/1740-1977-0x0000000000110000-0x000000000016E000-memory.dmp

Filesize
376KB

Download
memory/1740-1981-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-1985-0x0000000000110000-0x000000000016E000-memory.dmp

Filesize
376KB

Download
memory/1740-1986-0x0000000000FC0000-0x000000000115E000-memory.dmp

Filesize
1.6MB

Download
memory/2200-2-0x0000000000080000-0x00000000000DE000-memory.dmp

Filesize
376KB

Download
memory/2200-10-0x0000000000080000-0x00000000000DE000-memory.dmp

Filesize
376KB

Download
memory/2200-13-0x0000000000EC0000-0x000000000105E000-memory.dmp

Filesize
1.6MB

Download
memory/2200-3-0x0000000000080000-0x00000000000DE000-memory.dmp

Filesize
376KB

Download
memory/2200-11-0x0000000000080000-0x00000000000DE000-memory.dmp

Filesize
376KB

Download
memory/2200-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-1683-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-1687-0x00000000000C0000-0x000000000011E000-memory.dmp

Filesize
376KB

Download
memory/2416-1686-0x00000000000C0000-0x000000000011E000-memory.dmp

Filesize
376KB

Download
memory/2416-1688-0x0000000000A50000-0x0000000000BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-1679-0x00000000000C0000-0x000000000011E000-memory.dmp

Filesize
376KB

Download
memory/3016-0-0x0000000000EC0000-0x000000000105E000-memory.dmp

Filesize
1.6MB

Download
memory/3016-12-0x0000000002C00000-0x0000000002D9E000-memory.dmp

Filesize
1.6MB

Download
memory/3016-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3016-948-0x0000000000EC0000-0x000000000105E000-memory.dmp

Filesize
1.6MB

Download
memory/3016-515-0x0000000000EC0000-0x000000000105E000-memory.dmp

Filesize
1.6MB

Download