Analysis Overview
SHA256
1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365
Threat Level: Known bad
The file 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
UPX packed file
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-19 02:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-19 02:11
Reported
2022-09-19 03:15
Platform
win7-20220812-en
Max time kernel
151s
Max time network
88s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\SysWOW64\\spynet\\server.exe Restart" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe |
| PID 796 set thread context of 1412 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 1040 set thread context of 556 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 1672 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
| PID 1560 set thread context of 992 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 912 set thread context of 1664 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\system32\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\system32\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
| C:\Users\Admin\AppData\Roaming\spynet\server.exe | "C:\Users\Admin\AppData\Roaming\spynet\server.exe" |
| C:\Users\Admin\AppData\Roaming\spynet\server.exe | "C:\Users\Admin\AppData\Roaming\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\system32\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
| C:\Users\Admin\AppData\Roaming\spynet\server.exe | "C:\Users\Admin\AppData\Roaming\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 424 |
| C:\Windows\SysWOW64\spynet\server.exe | "C:\Windows\SysWOW64\spynet\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mallboro.zapto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | b1ef4948f470b5f85d608b1448862fcf |
| SHA1 | 96aaceb48229d055c89469156f71de5d1e8984d5 |
| SHA256 | 18824ffee2f95c6a6948483ccca7a011c23ab44b11f14b62a4bae7ff2aa62e6e |
| SHA512 | 553c40d3ec5ac7b756e041acb4dbe52af36c0b5b74f189be552246ea019109e9329512196dd9651e86056a491221f16b8a174ce7d176a720532a42e0d1ed007e |
C:\Windows\SysWOW64\spynet\server.exe
| MD5 | 03d814ec7f480f5e853828aa67b140a5 |
| SHA1 | e13ec9e24a5af82ae0b7cb567ad888955880e86c |
| SHA256 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365 |
| SHA512 | 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\699c4b9cdebca7aaea5193cae8a50098_7725c12a-7257-458e-a47f-7029d9191548
| MD5 | 5b63d4dd8c04c88c0e30e494ec6a609a |
| SHA1 | 884d5a8bdc25fe794dc22ef9518009dcf0069d09 |
| SHA256 | 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd |
| SHA512 | 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb |
\Users\Admin\AppData\Roaming\spynet\server.exe
| MD5 | 03d814ec7f480f5e853828aa67b140a5 |
| SHA1 | e13ec9e24a5af82ae0b7cb567ad888955880e86c |
| SHA256 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365 |
| SHA512 | 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 5a3dd26b1bcb08a974bc03e65b5cd7ce |
| SHA1 | 935d2b9ef80c8772c89fbc34b0ab25798e8bfd5d |
| SHA256 | 4ab2e19bf07cdd6e1056d4025c9eac9791c9d639aec7e1003991e7622648bc14 |
| SHA512 | 6081210051d926c45ac4f4befbab0ccd2cf7448052ed97467edbbaa6edbcde5460db007172ed3ba9d7e06187cb40b790149c2f3b53d04503df875037b1f3746b |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 9d69816cb0416875f1f60eaa139df185 |
| SHA1 | 203e6a64d9b0f8699b2c2ba332091ec7794b4c9e |
| SHA256 | 93d1bc5801744902380d35cb4ff22215b88846c0ba4b1230c198fff5e65d1c09 |
| SHA512 | b8eebac9ef5ca796af4a14f9c762b96961d17bdd09064e2f9898cc1ee4bb56e1493d88cbbd6865d682569a3cd39de582f6d80887db69651da3da4d064543c9cf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-19 02:11
Reported
2022-09-19 03:15
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\SysWOW64\\spynet\\server.exe Restart" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| File created | C:\Windows\SysWOW64\spynet\server.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1456 set thread context of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe |
| PID 4952 set thread context of 4652 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 1752 set thread context of 1900 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 224 set thread context of 1676 | N/A | C:\Windows\SysWOW64\spynet\server.exe | C:\Windows\SysWOW64\spynet\server.exe |
| PID 1500 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
| PID 4596 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\spynet\server.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\spynet\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
"C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
"C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\system32\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\system32\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\SysWOW64\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\SysWOW64\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\SysWOW64\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\system32\spynet\server.exe"
C:\Windows\SysWOW64\spynet\server.exe
"C:\Windows\SysWOW64\spynet\server.exe"
C:\Users\Admin\AppData\Roaming\spynet\server.exe
"C:\Users\Admin\AppData\Roaming\spynet\server.exe"
C:\Users\Admin\AppData\Roaming\spynet\server.exe
"C:\Users\Admin\AppData\Roaming\spynet\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 532
C:\Users\Admin\AppData\Roaming\spynet\server.exe
"C:\Users\Admin\AppData\Roaming\spynet\server.exe"
C:\Users\Admin\AppData\Roaming\spynet\server.exe
"C:\Users\Admin\AppData\Roaming\spynet\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2500 -ip 2500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 532
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | mallboro.zapto.org | udp |
| US | 52.182.141.63:443 | | tcp |
Files
memory/1456-134-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1648-135-0x0000000000000000-mapping.dmp
memory/1648-136-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1456-138-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1648-139-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1648-140-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1648-141-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1648-143-0x0000000024010000-0x0000000024072000-memory.dmp
memory/3660-147-0x0000000000000000-mapping.dmp
memory/1648-148-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/3660-151-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | b1ef4948f470b5f85d608b1448862fcf |
| SHA1 | 96aaceb48229d055c89469156f71de5d1e8984d5 |
| SHA256 | 18824ffee2f95c6a6948483ccca7a011c23ab44b11f14b62a4bae7ff2aa62e6e |
| SHA512 | 553c40d3ec5ac7b756e041acb4dbe52af36c0b5b74f189be552246ea019109e9329512196dd9651e86056a491221f16b8a174ce7d176a720532a42e0d1ed007e |
C:\Windows\SysWOW64\spynet\server.exe
| MD5 | 03d814ec7f480f5e853828aa67b140a5 |
| SHA1 | e13ec9e24a5af82ae0b7cb567ad888955880e86c |
| SHA256 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365 |
| SHA512 | 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e |
memory/3660-154-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1648-155-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1752-157-0x0000000000000000-mapping.dmp
memory/4952-156-0x0000000000000000-mapping.dmp
memory/1752-163-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4952-161-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\699c4b9cdebca7aaea5193cae8a50098_e32e1c79-b88e-4709-94fb-81034ca3398e
| MD5 | 5b63d4dd8c04c88c0e30e494ec6a609a |
| SHA1 | 884d5a8bdc25fe794dc22ef9518009dcf0069d09 |
| SHA256 | 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd |
| SHA512 | 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb |
memory/4652-167-0x0000000000000000-mapping.dmp
memory/1900-169-0x0000000000000000-mapping.dmp
memory/4952-176-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1752-178-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1900-181-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4652-182-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2808-185-0x0000000000000000-mapping.dmp
memory/224-187-0x0000000000000000-mapping.dmp
memory/1676-191-0x0000000000000000-mapping.dmp
memory/224-196-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2808-198-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1676-199-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1900-200-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1900-204-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2808-203-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 703a4710246706488f49b14da0853e1f |
| SHA1 | e4226dc1d0ab1edc855c4ad0589b1f1a350a52d7 |
| SHA256 | 9e4704b2428037f2acc4d0123a9083ffd690ce50aea74ae1b1b1e7c8050de66f |
| SHA512 | 4d79edefdf98665123ed39d327116b64398c6ca538769eb319aac52ba286ee456b8fd9117c45cd7fef2d1b36163048aaaa0d90706c3d1f9892a22697f0dd596b |
memory/2808-207-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Roaming\spynet\server.exe
| MD5 | 03d814ec7f480f5e853828aa67b140a5 |
| SHA1 | e13ec9e24a5af82ae0b7cb567ad888955880e86c |
| SHA256 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365 |
| SHA512 | 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e |
memory/1500-208-0x0000000000000000-mapping.dmp
memory/4652-210-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3020-213-0x0000000000000000-mapping.dmp
memory/1500-217-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1676-220-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3020-221-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4596-222-0x0000000000000000-mapping.dmp
memory/2500-226-0x0000000000000000-mapping.dmp
memory/4596-231-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2500-233-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2808-234-0x0000000024010000-0x0000000024072000-memory.dmp