Analysis Overview
SHA256
8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67
Threat Level: Known bad
The file 9704acf70f601607084200c2b8f24146 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Modifies Installed Components in the registry
Adds policy Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-12 11:12
Signatures
Cybergate family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 11:12
Reported
2024-02-12 11:15
Platform
win7-20231215-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe" |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | www.weebly.com | udp |
| US | 74.115.50.109:80 | www.weebly.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | cf9b9bbff175bf3bc37215889ab0eeb9 |
| SHA1 | 50168e04b22784056508d2436b0ebdbc0db30888 |
| SHA256 | 2767d1cdcf9539a7314d0f7e64e4b56715ae8f4350c2e20f5d7394bc1e9c4218 |
| SHA512 | ea47ca865327afd8e793ad430d099ae329cfc28266d5a9916db1f915503430a00f2342352987e5816e28cb35e1db1542df58f08090484536174f1577fa2b8b24 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Windows\install\server.exe
| MD5 | 9704acf70f601607084200c2b8f24146 |
| SHA1 | f8d29c3f73e71fabd9d3835c04603fa5fd00c805 |
| SHA256 | 8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67 |
| SHA512 | 31f3c3347dd9f414641dcbe2c45144f3ca6cc8f1169506014a35c7e68a369c19e3b78b7ef4d5d63dc770c4c90989a82283bf206c538c997c62b206c4cfa136b1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e61cf367fb2db122a053f9384cbb53b0 |
| SHA1 | 37cfc0291d0eb2598c40e7326f049e5a9a171960 |
| SHA256 | 87f12df24fbafa155b099da14726110d37f687dbbc01233c7d01f3573ea16294 |
| SHA512 | b7aced9c81a43a73232e148b6b34b686ef539f436a046adb3c077395786fd1910926c4dfa56e597907e2816636562fa4ff93fd293f7a29bb276b36ae40e8efed |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 40e96f5c65b61609109c94236901d482 |
| SHA1 | 01a10f088e8a293bd366660b019d776ebd50b9a2 |
| SHA256 | 9a924e8c883f68321a26900fdb30b27e21ea1f8e6fb309a6633666ddd5ef661d |
| SHA512 | ee46894d890f8f352a58d9f859ab67951f5c864a984e087d50b78bcc537bbbf65df25739f34b105854b3e86a04edea7b3f35dde6494f75bc2ab55a274b7cda7f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 817f7e7f5278a72ab3059a6f062bf1de |
| SHA1 | 361888179b9a499f12957697dd77d1ad9302b52a |
| SHA256 | e39a825cba58937c50a4ef86cb3f8db7367f17312bb2b35523b1c2218c0055b3 |
| SHA512 | c656f5fc3183d742a45fe09cdf2dc199015414715beedcfa1fa74ebce9e2c24df276ffc44144422fccd2bd96bf766212301917a6fa731ea480dad4f6c5b4796f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a733f008ed8412088800d0fa7ad82539 |
| SHA1 | c524651a26400bf629308138ee04b3030699477f |
| SHA256 | cdad163883cabacd83f3c99c1673d52f7885a45afdb96b71e4b2e7f36d8cf8f2 |
| SHA512 | e12818c53db65be58c11e61ac5b9631c82d497877003495874a7b478c2bb31796090dd6b6e36d1e78dade93d8e23a5c25651f834223e919812dbce41149fbc46 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c3dd1ab9ff55270b633ed2eff308ff5b |
| SHA1 | c3f4230e6a6f4b7171a9650819b7c707be4f53d8 |
| SHA256 | 02091676492070ecdfef404fa4f1c7cc5a4f66eaf66d0367b1ef648f54b1f582 |
| SHA512 | 2b314c1e0f1999c80d1e77985590b24281227337c40bfa984c977f12abbeb4989ce898080b01f8e5399b11e5b909954e15f064db21a6dd9517b1c8aae5b30a0a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5c3374031609016e075a0552a9c7f699 |
| SHA1 | dd1d1c7d6e4c6b7eed11c92514f8fa8a4c78ee8e |
| SHA256 | f221853e4cc356fbe7caa48d05b2153f9cdd81b7c6d44b5ba7fdbd921b649981 |
| SHA512 | 99514ff48c4af3848c032d3a03441aba41f563afa05ae06b8a6bf118a4a93a57e764ac3e04316062917bd67ef67d7499e31c3cc38055971bc52517481122731c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | aabd3f6520ab94a83b238b935e53d002 |
| SHA1 | f15874894ceb39607fde9af11fdccefec60ad84a |
| SHA256 | 13955e5f34c9fb3cc277dba4632c025b4735ab4c29e23191c2b25e327d55e1df |
| SHA512 | 6fad79b45fe3f1ce274163f4ae0583fafff1be738a2860194f7123b82904970264acd3e7020d14d23babf1d3e7da6748ca3b24c0866041c5a18a488921caf0e7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 78ffa509b80c8f5ec3d01d30ddaad507 |
| SHA1 | f8483baa6b6f2fad46eac92f54a4552a901a8ecd |
| SHA256 | 3bb0b226b675991467e0e58acfc2b610d00c6057889a667cf26904c14bc3884c |
| SHA512 | f2040678072e30505f6e91caec1d0c5faf11edf9b79247917f49044b883b63a18027a7c02b0213ecf472e1c271db0c59c0879107f0b45da9d4ebb75c0069bce3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 8bca05a85fd43fc1d30ef84557d6a6db |
| SHA1 | bf141fb385b3d74dbf6c433d7a0dcac973d7358d |
| SHA256 | d40ade2d8a89f2c49304a337d6942081a9c00169c0b1763b660744da4bbbb2e5 |
| SHA512 | a7915f7fff95eb0db6aebb52d00387d24b1ce92705e4f2155e3c67657a43c0dc4aec5c65d24e9a63a3d07a15634ee0f26a67672608b997ba236780746902d1ee |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fd549a11c6a8d82d5089501dc28cef81 |
| SHA1 | 6d9964cd2a7a55f5f9904ae6f2227e73af91d52d |
| SHA256 | 559de9146062a052e293413c3fd50312114d70dfad32514ac41ba211e2f3380e |
| SHA512 | c3704bf1c280c9c2838794badaae6f43dfc4405c59d528431c22dce7ce83859d05d3f749f76b81a597dd8b4787919834ea1d2c8c67cfe921b2e3581da7d83c13 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4dbdc7a22fa8351e4165454e0c3b058a |
| SHA1 | 86c58c2d3931c33b5d7a616c391a17e78295f7f9 |
| SHA256 | e5b0ff9e6c244d145fc10a082424f4a7e2f85aa50168c24fbe7f37c263ef0cd2 |
| SHA512 | e49e5399caf0aa8bf0b5ffb7679c0452ea11349e9e563bad940927abd20589361c5cfc8cc88f138b33b38c71c5bd3ea29d7dfa66e548044387c1126977622704 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 70b7283ffb2d91c4bfa15b647095e8b4 |
| SHA1 | 56041654695016edb9e4752797ab3fe422545738 |
| SHA256 | da8269a99ec1ccea9e814641426ee5d032bd74b171d467499412c6d8242b20cb |
| SHA512 | 2a2dc78d9bef79b80d6c945232450d418b5970f7991be24cb1732ae21e0cb55abbb5bd5b804ae2856521bce5f234304a426e2b0fee6cac8f83c971bb39d8710e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2f1c225f6e4aea6d369f062ebf2826e8 |
| SHA1 | 73a049986d2967d27caac55b5067cb1bca5969cf |
| SHA256 | 6490eb6b9b71f5896e11d247a76b1c0074111deed7fe3586ea66ce125ccb4504 |
| SHA512 | 2574b9f9f977bc8c73fddc8ee1d87c9cce21ebad1f5dcc2c54787fb3ef732bdbedfb978b0c62d19ae04a894a6c69a3c41f218d0fbd2a558f47783603facb17c7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7d8e1dd89bd7c90e9b0a87f4eac3fb13 |
| SHA1 | ba602f160b847f6331e9f3762fa1725cbc8e04c8 |
| SHA256 | 6208c188dcfc7f99be6265ae1030de4a2cb11f908a804e132cd727eadd38fe75 |
| SHA512 | c7bab79330d10a2eee6d0e9c4cc87087da1933ed15671d71cdbec0bea444a0c2c404542fa780ec27e6f592d9d2204c219219a800d1d13dfd07f087cb6e150e80 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 48c5daaa22f18f64c950c71b9448093c |
| SHA1 | 830bcf5640a326a82fb37948a163d69fc4ba3147 |
| SHA256 | 7650de22861e7e2302f5d9734ba7d9bc03a7adc0f911af32460c9943dee7098c |
| SHA512 | 1e58331fd8a7d30574c327accf4283fb3cf65f815711432a7e573bd5fe06614b8f347694390a22abaa190c98690301a6aaf18572e5791f1a926512a0cf1dcdd1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 780d8fa1d864d630197523faf47d5644 |
| SHA1 | 97c931c9af41daae0dd90048a2535399e8d4247b |
| SHA256 | a1df2207aebe8fbd3abdeed9f9b939ba49f80d87b864ca03d7907692df88448e |
| SHA512 | 5ec3289786d0c8adf4b08ac123bda097289f91859885295cdd63552028b512bf933d1cb061d5be3383fad360306e58e92addf3b6895eeebb5d39a9f1bbea5fcc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 10c82b760d48ef76505ff697547d0083 |
| SHA1 | 734c2666aec190c486a907fc1e106b3c8852efae |
| SHA256 | ae046f46e0e98bfee1007a76af39dafc15455ad0518ccfca4da21897e0fe2d5e |
| SHA512 | da5b4abc8d73ac547c45fded862f7fbf0d6783e6ea249d3b3a1c804cd129a49e1196ec1cdc1468a04a98864b86cce305a3c8e1d909541cd5b1125d5fe82cc0eb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b084ba2e54a9a1b392f3ff925ba6ed5d |
| SHA1 | e3391c3214391c67e951acf66780a7c7e87293fb |
| SHA256 | e574055ee61fce8401623c33c59ecde24da3d0f4b3b164c8a38868cc0ef140d3 |
| SHA512 | 7abf2e188c426ec11a876252ab23ce24399d7f228d19f54a6ae84d066fed297b855812d830fac88e21302bd465a058a6277540dced38b42e1aad996185aae34b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 11:12
Reported
2024-02-12 11:15
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe" |
| C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe ba1574bb717fcafaf1df18725572d6ea a4JVRCOevk6z+x22777iSw.0.1.0.0.0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.weebly.com | udp |
| US | 74.115.50.110:80 | www.weebly.com | tcp |
| US | 8.8.8.8:53 | 110.50.115.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | cf9b9bbff175bf3bc37215889ab0eeb9 |
| SHA1 | 50168e04b22784056508d2436b0ebdbc0db30888 |
| SHA256 | 2767d1cdcf9539a7314d0f7e64e4b56715ae8f4350c2e20f5d7394bc1e9c4218 |
| SHA512 | ea47ca865327afd8e793ad430d099ae329cfc28266d5a9916db1f915503430a00f2342352987e5816e28cb35e1db1542df58f08090484536174f1577fa2b8b24 |
C:\Windows\install\server.exe
C:\Users\Admin\AppData\Roaming\logs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx