Analysis Overview
SHA256
045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f
Threat Level: Known bad
The file with MD5 c0c225e9ae2c853eb7ed5b3349e04081 (SHA256 above) was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip (family match; Rebhip is the detection name many vendors use for CyberGate builds)
Modifies Installed Components in the registry
Adds policy Run key to start application
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 13:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 13:56
Reported
2024-03-11 14:01
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
UPX packed file
8 matches; the sandbox recorded no indicator, process or target details for them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
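The three persistence mechanisms recorded above (Run values under HKLM and HKCU, the Policies\Explorer\Run value, and the Active Setup StubPath) can be turned into a host-side detection. The Python below is an added example, not part of this report or of any sandbox product. The event dictionaries mimic the fields of Sysmon Event ID 13 (RegistryEvent, value set: Image, TargetObject, Details), and the sample events are constructed from the tables above plus one benign control entry. Two details a practitioner wants are built in: the registry data names system32 while the file actually lands in SysWOW64, so both spellings are folded into one before matching; and the Active Setup component id `{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}` is not a syntactically valid GUID (it contains J and X), which is a detection signal on its own, independent of the payload path.

```python
"""Detection over Sysmon-style registry events for the persistence this
report records.  Added example, not part of the sandbox report.  Event
dicts mimic Sysmon Event ID 13 fields (Image, TargetObject, Details);
the sample events are constructed from the report, not a real log."""
import re

# Autostart locations the report shows being written.  Matched as
# case-insensitive substrings so HKLM, HKCU and the Wow6432Node view all
# hit the same rule.
PERSISTENCE_KEYS = {
    "Run key": r"\Microsoft\Windows\CurrentVersion\Run",
    "Policies Explorer Run": r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    "Active Setup StubPath": r"\Microsoft\Active Setup\Installed Components",
}
PAYLOAD_RE = re.compile(r"\\spynet\\iexplorer\.exe", re.I)
ACTIVE_SETUP_ID_RE = re.compile(r"\\Installed Components\\(\{[^}\\]*\})", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def normalize_path(value):
    """Registry data says system32, but a 32-bit process on 64-bit Windows is
    redirected to SysWOW64 (the report's file events show SysWOW64).  Fold
    both spellings into one so a single indicator matches, and drop quotes."""
    return re.sub(r"(?i)\\windows\\(system32|syswow64)\\",
                  r"\\Windows\\System32\\", value.strip('"'))


def check_event(ev):
    """Return the findings for one value-set event (empty list = nothing)."""
    key, data = ev["TargetObject"], ev.get("Details", "")
    mechanism = next((name for name, frag in PERSISTENCE_KEYS.items()
                      if frag.lower() in key.lower()), None)
    if mechanism is None:
        return []
    findings = []
    if PAYLOAD_RE.search(data):
        findings.append(f"{mechanism} points at {normalize_path(data)}")
    # Active Setup component ids are GUIDs; the one in this report contains
    # 'J' and 'X', which no GUID can, so a malformed id is itself a hit.
    m = ACTIVE_SETUP_ID_RE.search(key)
    if m and not GUID_RE.match(m.group(1)):
        findings.append(f"{mechanism} component id {m.group(1)} is not a valid GUID")
    if findings:
        findings.append(f"written by {ev['Image']}")
    return findings


def scan(events):
    """Map event index -> findings, for every event that produced any."""
    out = {}
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            out[i] = f
    return out


SAMPLE_EVENTS = [  # constructed from the report's tables; not a real log export
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "Details": r"C:\Windows\system32\spynet\iexplorer.exe"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe",
     "TargetObject": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\Windows\system32\spynet\iexplorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath",
     "Details": r"C:\Windows\system32\spynet\iexplorer.exe Restart"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # benign control entry (constructed)
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

Run it directly to print the findings for the constructed events; in a real pipeline feed it parsed Sysmon events. The GUID check is worth keeping even after the payload path changes in a new build, because it does not depend on the payload at all.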
Drops file in System32 directory
The registry values above name C:\Windows\system32\spynet\iexplorer.exe, but the sample is a 32-bit process (note the Wow6432Node writes), so on 64-bit Windows the WOW64 file-system redirector places the file under C:\Windows\SysWOW64\spynet\ instead; check both paths when hunting.
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\ | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
Suspicious use of SetThreadContext
In both rows a process overwrites the thread context of a second instance of its own image (sample to sample, iexplorer.exe to iexplorer.exe). Together with the WriteProcessMemory signature below, this is the shape of process hollowing: the unpacked payload is written into a fresh copy of the same executable and its entry thread is redirected.
| Description | Indicator | Process | Target |
| PID 1284 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe |
| PID 1152 set thread context of 1988 | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe |
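The two SetThreadContext pairs above can be correlated with process-creation telemetry to flag the self-hollowing pattern automatically. The function below is an added example, not part of this report: it flags a thread-context write whose target is a direct child of the source and runs the same image. The event shapes are constructed: process creation mimics Sysmon Event ID 1 fields, and the thread-context records approximate what an EDR sensor would emit (Sysmon itself does not log SetThreadContext). PIDs and image paths come from the behavioral1 tables; the parent links in the constructed process tree are assumptions made for the example.

```python
"""Correlate SetThreadContext telemetry with process creation to flag the
self-hollowing pattern seen in this report.  Added example; event shapes
are constructed (Sysmon Event ID 1 style for process creation, an
EDR-style record for SetThreadContext, which Sysmon does not log)."""

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe"
DROPPED = r"C:\Windows\SysWOW64\spynet\iexplorer.exe"

# Constructed process tree.  PIDs and images follow the behavioral1 tables;
# the ParentProcessId links are assumptions for the example.
PROCESS_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 1000, "Image": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 1284, "ParentProcessId": 1200, "Image": SAMPLE},
    {"ProcessId": 3020, "ParentProcessId": 1284, "Image": SAMPLE},
    {"ProcessId": 2664, "ParentProcessId": 1284, "Image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"ProcessId": 1152, "ParentProcessId": 1284, "Image": DROPPED},
    {"ProcessId": 1988, "ParentProcessId": 1152, "Image": DROPPED},
]

# The two SetThreadContext pairs the report lists, plus one constructed
# negative case (different image) to show the rule does not fire on it.
CONTEXT_EVENTS = [
    {"SourceProcessId": 1284, "TargetProcessId": 3020},
    {"SourceProcessId": 1152, "TargetProcessId": 1988},
    {"SourceProcessId": 1284, "TargetProcessId": 2664},
]


def hollowing_candidates(process_events, context_events):
    """Return (source_pid, target_pid, image) for every SetThreadContext whose
    target is a direct child of the source and runs the same image.  Events
    that reference a PID with no creation record are skipped, not guessed."""
    procs = {ev["ProcessId"]: ev for ev in process_events}
    hits = []
    for ev in context_events:
        src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            continue
        if d["ParentProcessId"] == src and s["Image"].lower() == d["Image"].lower():
            hits.append((src, dst, d["Image"]))
    return hits


def describe(hits):
    """Human-readable lines for an alert or a triage note."""
    return [f"PID {s} hollowed its child PID {d} ({img})" for s, d, img in hits]


if __name__ == "__main__":
    for line in describe(hollowing_candidates(PROCESS_EVENTS, CONTEXT_EVENTS)):
        print(line)
```

The same-image-and-direct-child rule is deliberately strict so it stays quiet on debuggers and on injection into unrelated processes (the explorer.exe case); loosen the parent check only if your telemetry reliably records suspended creation, which is the other tell of this technique.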
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe" |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe" |
| C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | "C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe" |
| C:\Windows\SysWOW64\spynet\iexplorer.exe | "C:\Windows\system32\spynet\iexplorer.exe" |
| C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe |
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 12 |
Twelve TCP connections to the same host inside the 153 s network window; the sandbox records destinations only, not whether any session completed.
Files
memory/3020-2-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3020-3-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3020-4-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3020-5-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1200-9-0x0000000002950000-0x0000000002951000-memory.dmp
memory/2664-254-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2664-253-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/3020-534-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2664-535-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 3a227c36e41ee0fdddb4245676374fda |
| SHA1 | 0d6150da0476f3d3b3f53b8146cde8464d13d52c |
| SHA256 | 83cbbeb798040c68346f46f8f80f058a6aef01adf65309239dbd46d2a3602228 |
| SHA512 | 04dbbf5de36ce8875ab2e021577540bb4bedd2b1498a69a924315c4a0a6cf0f2b6c80dcc0646afa4f724ffa96bfdd620a1c34a528bc4b9ac31edcd2bd62f8219 |
C:\Windows\SysWOW64\spynet\iexplorer.exe
| MD5 | c0c225e9ae2c853eb7ed5b3349e04081 |
| SHA1 | abcb002a06b138ab79694bdd1da119c8430faa68 |
| SHA256 | 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f |
| SHA512 | 6183a975c33fdf4b3d6962982381424df9ca6dceddeb0695635e8fb677ff1536c06fbe46a8016e94489d3c3fe916c1a3aac08665220d770c685621e1063f5479 |
This first record of the dropped file has the same MD5 and SHA256 as the submitted sample: the RAT installs a byte-for-byte copy of itself.
memory/1824-841-0x0000000024160000-0x00000000241C2000-memory.dmp
memory/3020-842-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe
| MD5 | 85836e853dfd49a4d92ba5a851a0b2e8 |
| SHA1 | f4d66e1350ef8f17aa769d7b81adfb5b8e634793 |
| SHA256 | b399cba99301d54470ca657319517bc29b2b6c85487b0b4190da530d51160c6d |
| SHA512 | aef8ed3268be8cf2985a5ea9c0b7a5d359225c00d6afef5d3fe6ddeaff1a1da357d4068a93fd76f86583ff7a53f469924a361f27b855fea4764354d3b5f94e09 |
memory/2664-873-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1824-875-0x0000000005700000-0x0000000005797000-memory.dmp
memory/2960-876-0x0000000000400000-0x0000000000497000-memory.dmp
memory/1824-877-0x0000000005700000-0x0000000005797000-memory.dmp
memory/2960-878-0x0000000000230000-0x0000000000231000-memory.dmp
\Windows\SysWOW64\spynet\iexplorer.exe
| MD5 | f09cb51a613ba44089ddd47112dff76d |
| SHA1 | 1b748cad3e800a3cb9326933a7135f7a5aa06707 |
| SHA256 | 10e4e3eb346c268ecec11049ef9bc5294595d78994805f6a57a46115de733cf1 |
| SHA512 | 13c9b82b558e8f1c36f438b779ae9395f32584fbecf14a8d2bc9251ec724c8694b75dc79a16f0a9d97feaea213c45f9e5aac0a0b1bd5c986420d54c72c3c75fd |
A second record of the same path, listed later, carries a different hash: the file was rewritten after the initial drop, which matches the "File opened for modification" events above, including the one in which iexplorer.exe opens its own image.
memory/1988-888-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1988-891-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 03fbec0b667e1443323714e4906b10ea |
| SHA1 | 87e9ad83dba38f95f7a2bb8c4cb3ec493b8fe266 |
| SHA256 | 9156486aa2c7679d23ac4cea25a9c469a8d7b7805878da8081a88955dc6ba969 |
| SHA512 | 2fe5e952688540d92a7084a3f56b7de87c517ae02cc4f03cc58e10949f4c5047692bcbb703d50c0a6b0364b5412699d98455309011c39b43444d5d3b4639dd3c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 91a4eaf14ba3094803f34a928dae790a |
| SHA1 | a9a2b89b76910fb4daa20e5f47a1cb35c90f3873 |
| SHA256 | 1f95e62753f9bb048b61b2f36c9c931a5417a824ca478a4e866fb9bd2e46ecda |
| SHA512 | 155cc6b3f6f08742d707bebdf820a12fe19f2eed3de934b5d6ee8096c238f2d0a2c093c5be5791f8d39c169b2793b34ccde1d645cd0c3a539a4bbef8ef148349 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 92594d799f0ca167c93fce0fb3e87651 |
| SHA1 | 97c68e3b1f177861cd5e6835961873beb079c243 |
| SHA256 | 35a92849f11773a286b19561869539cf2bb41e0a5070b4e5ac37eaaef9bda0da |
| SHA512 | 25ee4d5001c592ff4157ff4bf3a041ff60c8b4a090e6f7a41919d33eb39081524859a39af298264ff99924240828d2e2cb73878fcbee52d264ad902a8b0c5f15 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ea97080ac24ffdd270359012de850fe3 |
| SHA1 | 08c28f0048ab4285a716d82199662d1e19295e4a |
| SHA256 | b4a9af827bd23d1e3c404a97867756448d3c352380ef3738837ff3653a63ad82 |
| SHA512 | f14c4f7ed36e120c6f3a3d116f447d01e3db11304526d2a15a83c138165128426d6d921803722971f725450197e5d576ccc371cf5fabf3ad237d8ba24862de5e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 53aaa0c196f4f5cff98ac8b6263c7872 |
| SHA1 | 36ea7e60be7bc12af40019a4da91c480a83a868f |
| SHA256 | f0af50f92d7f464ee445fb7a2fec5a47873f2af40834e0beb3cadb056cec9c22 |
| SHA512 | 24f74b58e3f0d0c6aa72be0a5c21201de4b348163a4d638a5f518e6ba941bbef642d0c63cd08e50d850b0dd8a7d405344cff39c38ee651dce9d31e2d61818bdb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 14cf90bb45d5544ab434f0172ec50d10 |
| SHA1 | a0d777af13eea732795a2eaa6f87a22c9570ed6a |
| SHA256 | 84a6790f5457499314be841085672c0c642d7aa3bcf82ffeea2e78b5611fce59 |
| SHA512 | 4cdcd95eae1b92dc2a881341bdee56ba39e671151db7c146fdbdb891a7094bb2e641fc33bafdba102c8be7ad67a3c7aee6bc1900886f8c84da04fbcc92cc6302 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 72569147ff7f638377130ebcc9d09806 |
| SHA1 | 5f8afe7ad1efbb0a48494eee47f6d68b6085b297 |
| SHA256 | 9db9a68d94756db7eb89c086d694465de6813b8579d2feb526df9223c71b6418 |
| SHA512 | 700a07fda55805e3a7088d8b064426f85fe25805ec33b64ebc29b7a6800364330bba37f0523aec28cf5a932d956a64222147e0be270db0cc4cbf856eb2f55410 |
memory/1824-1223-0x0000000024160000-0x00000000241C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6e77d05e560adf001080a2f12c2350eb |
| SHA1 | 26c3ff2ddadd38a1e1cf1355d7280bde4db3d67b |
| SHA256 | 0b1b58320cf1528e24f90c6b9869f428f8931b7103579b1a5f5e766212b98c59 |
| SHA512 | f90cd1c6635928ec76ae8659fd0076c89a1cce8ae6456e4c99696c455dab8195262abe239ea3c1c663070d2e3c5033e8c2ae4671785ae1dfa04b14372525d0aa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6c81bfd90f796a4d6670b3e424fa8732 |
| SHA1 | cbef3c07c6d4b9662fd41516677440e98b16fd9e |
| SHA256 | 750eb77e2fb152d0afddb18b3f29cbc14abaec0a7c8fd42e0fcbd7fa355d5a78 |
| SHA512 | 36a8edcd9be622751c6bb4e6e7c022e2de6ea61ef7dde8b29b54fad7ba7f652e8d6be52648bbb68ede8ac158235fa587ac4a51a44fae959196c67eb1b3f347fa |
memory/2960-1362-0x0000000000400000-0x0000000000497000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3c142bb6bf3ec5b6a609ba3672885a48 |
| SHA1 | ebc898a1d5d20d6770bc031519ef3bac8aac0061 |
| SHA256 | 207bf8dc72e1511c468799f34ef5e36aac475a1782b2f49db3b468f3d6a4da0a |
| SHA512 | 6c76620560b9511668ce77e961b279a50521405c557a03d4a69aab3aaaba5a7dbb2a9516b8b0ec25efe10bf63a8da4e8602b093c16247f3307eb74dd8bd0c5f3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3148ad0d03137c196cae4ed2ad5cb4ae |
| SHA1 | 29a5973c8f2aeb5151a298b9c884827a35e6f16b |
| SHA256 | f15e52758cc859a12950129c9a8d06e22cabae747858cea7fe503e118e7bd58a |
| SHA512 | 2b517ff8f4faf0df3d13847c782d2b92a8b77bd90ac91a2c8d956f0583664bd8c1259606d5a78c43eeb3a2dfae8f189e9bf1c57f9beea2d392ff80f19be9e638 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 88e564c1f37ab8366abaffbaf3ba506e |
| SHA1 | f83faa492972c04b01e9bf078b4b2060d62fae04 |
| SHA256 | 3e81869d49f820152a4d2afbb566e687a0fe30e374aaa2a38cc3d133e0a215fc |
| SHA512 | 005ca4fb30766c341aca207aeda5cb5e285d1114d06e33ed3116d9d2f8527d2c85f71d9279ec695d0df017790a4479044fc40eaa3fc6035b0b9add3fe401ea3f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | bae9341309b053713ff74bd5d8f21da5 |
| SHA1 | e7d51b60f27ae077665f273f0631e96368122bf6 |
| SHA256 | c26aaf41d5a2b596cd62a3ee3b60ec9991736e5f1928f8f79ac37b79680d96df |
| SHA512 | 00902900dfe0a09c87f100c6aba594c23f75741739dac2e0be9c7e365df6ae668ee4783a3bc86a2b7dc9b39fe8ad708be37948d107fa116657c196ab6a0d177f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 170306ffe9471f336ae93eb0680ed905 |
| SHA1 | 02e3c0708fa4e9aebb733056494f71ed2ddfce39 |
| SHA256 | bedc68946e713b673d2a9de1a2be36288d781cf71e93bcda32abc0ae67e016fb |
| SHA512 | 94da64c858bfbafd55e9848f151bdd671607721662777a02cf1d09db70b4784c336f76d230afc7437ef03f377d69c768911bfe0fbbb91711c757a78b73ff57c8 |
memory/2960-1604-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 55760b19373537ef03c7ca17a92b35e3 |
| SHA1 | dddce0081d093a594730d78e92270a15ce447317 |
| SHA256 | 6699c40348dc31aeff2bcff4c506338327eed8eb847220ef6c21e2e76fe97e9f |
| SHA512 | 3e11d0959e507e2e094ad1ff139f654fa623f5fd9ca4a66c43df4a971b2912c3f7c7a5a3897d06dca561b8b5a7a2ee64b33bc8e013e46f864d16b58f7881547a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6f78ac43e83044ea6362bf6d441dd7b6 |
| SHA1 | f92422c08e238a47c7668f1bd5372a36d3d402f1 |
| SHA256 | 27d029cf40688621773bf2399206824238bb515dabb401d0bbe6848965f316f8 |
| SHA512 | 5e609252a88c939df80d1f9b3c62376569473cb9edd44a7a6be509a3046d08cc5c949c42f705632b9efa25ff2d10a3964ffbe7af925a7d86417562f90d3e8d74 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 83a2e525223df0d614a4c28f5ccba5e7 |
| SHA1 | c8ea3f6254a9267a93d022e24ee7c8a2ceb3fddc |
| SHA256 | 6154f386b19aa5dfa007153a30c6050376dcc32facdf1e1de8cb1121b6eb2dc4 |
| SHA512 | c0df47c86beaa96499a6e9b4862e7c6ed56f5a91819aa124f3ff9b08e37838fe76175d481690c622e31b97dd1df1075a3041f51f1a1d96d4223f903edbac177e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a3b96158c21195ef581283e77fed7a12 |
| SHA1 | f0e92b544e92d3a83ffc6a3d0eb73f2f44f9858d |
| SHA256 | a4d66f37ed4411375d3308c241dd7f6869d3e6f826ef50e54732fce605e8983d |
| SHA512 | d5971ae5051829fc8222d8058d266abb47e98b381fcb82d729b779396d29b909ab089f1786f2692cb0bb4111ba111f552155546708aeb5966a927c076f50ca32 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 18f15eed6e4b2b66a7c982bcdb936229 |
| SHA1 | dfd6f3bc96e43bc08e1d29e22f7bafcad2e6a7f4 |
| SHA256 | 1aae81749c4d2e54f4816ab8d9a951cfcba5882d07af1402b84c7148c3be8953 |
| SHA512 | 49fda0861e3a6feac0c49a698776075bf4073070a74e4c876b3b224de2e44a492297a6d209f16590f19d3ef308481f86f7cb3c517ac24b94cebe866f32252886 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | be68813c3727504a248331834c44a356 |
| SHA1 | 1af6d6534c5fe63a586b12f77de42a09258c294d |
| SHA256 | 4a55a40629a4b363feec73147e169ba01fe36e51f89c5397bcd71470c67d4e41 |
| SHA512 | 4dcb6c2161511db596bf1dfdda11f78908df86f7deac210e1c55b3e65689f9e502485b2e7798fc5db5a448bda2c8910b005ffadcfd32050dee3dc803de2ed7aa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a15f4ec68e6d5dae207a60f4e30d0d56 |
| SHA1 | 660c64689ce8c78038f28bb996148d4e2e1bddf4 |
| SHA256 | 2cdd983b6558a01ddcb0ad7c7687c2bf80ca764b7b7c9765d35db197c0593126 |
| SHA512 | c278cdabc2942b7809710e91ceb67c8fcb9f65fbd95af0f7a9a1631c8397f5602fdc1260a56abca3aab6562deceb9351a96115fd7539583f162d1426be7ff73d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 13:56
Reported
2024-03-11 14:01
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
UPX packed file
9 matches; the sandbox recorded no indicator, process or target details for them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\iexplorer.exe" | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\ | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
Suspicious use of SetThreadContext
Same pattern as in behavioral1: each source overwrites the thread context of a second instance of its own image.
| Description | Indicator | Process | Target |
| PID 5056 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe |
| PID 3080 set thread context of 532 | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe |
Enumerates physical storage devices
Program crash
The crashing process is PID 532, the iexplorer.exe instance whose thread context PID 3080 set above; the WerFault command lines in the process list carry -p 532.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\spynet\iexplorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe" |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe | "C:\Users\Admin\AppData\Local\Temp\c0c225e9ae2c853eb7ed5b3349e04081.exe" |
| C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe | "C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe" |
| C:\Windows\SysWOW64\spynet\iexplorer.exe | "C:\Windows\system32\spynet\iexplorer.exe" |
| C:\Windows\SysWOW64\spynet\iexplorer.exe | C:\Windows\SysWOW64\spynet\iexplorer.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 580 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.135.221.88.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 13.107.21.200:443 | tse1.mm.bing.net | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 90.135.221.88.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1864-2-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1864-3-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1864-4-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1864-5-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1864-9-0x0000000024010000-0x0000000024072000-memory.dmp
memory/4676-13-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4676-14-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/1864-69-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4676-74-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 3a227c36e41ee0fdddb4245676374fda |
| SHA1 | 0d6150da0476f3d3b3f53b8146cde8464d13d52c |
| SHA256 | 83cbbeb798040c68346f46f8f80f058a6aef01adf65309239dbd46d2a3602228 |
| SHA512 | 04dbbf5de36ce8875ab2e021577540bb4bedd2b1498a69a924315c4a0a6cf0f2b6c80dcc0646afa4f724ffa96bfdd620a1c34a528bc4b9ac31edcd2bd62f8219 |
C:\Windows\SysWOW64\spynet\iexplorer.exe
| MD5 | c0c225e9ae2c853eb7ed5b3349e04081 |
| SHA1 | abcb002a06b138ab79694bdd1da119c8430faa68 |
| SHA256 | 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f |
| SHA512 | 6183a975c33fdf4b3d6962982381424df9ca6dceddeb0695635e8fb677ff1536c06fbe46a8016e94489d3c3fe916c1a3aac08665220d770c685621e1063f5479 |
memory/1864-85-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3792-146-0x0000000024160000-0x00000000241C2000-memory.dmp
memory/1864-147-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\CoDShitLoader84.exe
| MD5 | 85836e853dfd49a4d92ba5a851a0b2e8 |
| SHA1 | f4d66e1350ef8f17aa769d7b81adfb5b8e634793 |
| SHA256 | b399cba99301d54470ca657319517bc29b2b6c85487b0b4190da530d51160c6d |
| SHA512 | aef8ed3268be8cf2985a5ea9c0b7a5d359225c00d6afef5d3fe6ddeaff1a1da357d4068a93fd76f86583ff7a53f469924a361f27b855fea4764354d3b5f94e09 |
memory/4976-178-0x0000000000400000-0x0000000000497000-memory.dmp
memory/4976-179-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/532-187-0x0000000000400000-0x0000000000488000-memory.dmp
memory/4676-190-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8fb48eba03a7719a243be0b18e4532b |
| SHA1 | 61954642e4389472d624dc212cf52b95fd1d5bed |
| SHA256 | b7ff8e3b109e07a7d67c497542805f82e668e62b314374c53de43946d0386ef4 |
| SHA512 | 5bb6c902ce29dfed6749e3d4a79657981643c843ebc019c65bdf7fed5aac31587821a758f272439c02e9505b39a5cd69cbfa6549d90d194e5b2df86e6ef136df |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9d58478d13fe98b09d6134b0fb159a11 |
| SHA1 | 0548ebd12bcf44e519bdab1d02f0e4f3379cde91 |
| SHA256 | 2218f9afd6c102dad8b32fc8c4d2d5d6950431905685634754015e4ea1845587 |
| SHA512 | de3889bacec19d7d5715c4d39eb007f5a97e1f9483d2d89c4d28de973826c05b24ea237014bac1198766353f1e172d040291d275e4a3ac4a31d513325c3f99f7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 43ee5f30873dcccc249acc4a7734f8a5 |
| SHA1 | 56ee612d5b8089910a85b334b146cef5c5fc6637 |
| SHA256 | a58c4cd0d556cf3f9bdc158299196554f82679d4957023c37ba65ed4e2458fa0 |
| SHA512 | e4c10a460add1af114ba319b658c1b6482a44314a04404f7eb18de871d23d2c6e4333f49d0b17615002a6fc152cbafdbad67fcfc3f5ef4b5df28fe46e94f18e4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d3b3fc3298c406a73374c496d6ce1106 |
| SHA1 | fc949b67ebfda24699a17a5608332bcc60f1dcd8 |
| SHA256 | 28bfd5e22e891b9bed983106fb3141c7590d6ac35bf1c848a13955deecf442ca |
| SHA512 | 1edc1d3986b60994d21b7b5ae18a6d84922c74a9baa8ab851f36c348c579cbb65586ef84a41be4be673de494a5eee4e2deb67ee5786686e07f5912c936d07fa3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ecf8c511ed99065f1862bce905315cc7 |
| SHA1 | f83e4336a6acdbdde88096d468bae40d5680a20a |
| SHA256 | 18345bd0cf10ca797d6856cf3108efd03c9d17654a1b6801537c5fad55a4a9b3 |
| SHA512 | 9dacdcf3144f3d826b2c28770eae66b8d67f9f072f73c28ce12efe325932665e9a5898024fa9b25943806ca846efa1dc8555a638bb749ac5345c84a316d3ec3b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 779f59de86b73213e53a7bf187326a88 |
| SHA1 | 0fa4cf466792349674f71a6149f902c4f6bcf676 |
| SHA256 | a3ee6fe3eb9ca866a5db229681bbd6edf81613dfd604c88655b63833910aab44 |
| SHA512 | 7a40bd676b210eb297db367de25ed6f653c9dddbc0dbeba589e18d9212b9af5b560b2c8484e4d033085833aca10f28e3d4d0ebbd0acf0c0e30532552ae275d7f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 451e179ccca20c2b8440b54a4c478bdd |
| SHA1 | b40f9e993170f0303bf5afa1b9af2cf404eb5a47 |
| SHA256 | 2c04b274e0f1095cd77eb992f076d271c2b35e44893e2ed695b25c62dcdb2fff |
| SHA512 | 4bb781cdf4cc72f7766113eb91c88dac9126b0a55ee5ff79b9b91053a5bff4dbaed690cf782e76c52ae1fca91aa17e3cc0008d2c0bd099216bbb6e541b711006 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c356b82a2ef19a125c1f9f47cd862690 |
| SHA1 | 29974fdfcd1e4aa1b08a3b1c3db3e32a5b8f9a43 |
| SHA256 | 477089c95dd941328fbc59854203a02a63d95dae0992e8a4d3f3d74139f102a6 |
| SHA512 | 525cd65bfe74d32398845fdf719174f9b7d169925c678b23a5981feff5e8c20611ff47167ffd736eeed71719044c4160af857a93da2d53ad69d2e0f8d23b41e0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 61b5b4a37c38f9a7603daa8bbb8a4661 |
| SHA1 | 947ac1150cb148f196a603715234eb0eb6cc8615 |
| SHA256 | 2c8c32b8f14e08b8d5899679193b7b80116837dae5b0e1d896674ee92826f250 |
| SHA512 | e15fb8c9b9a83503870a5c405bbbfec72c3ee10ac1f500b18a9d5a593fb0308f80b20d9e6fd20f9387cbf98e558cd275b75164556d54ea90a9e3dbe26c8f9692 |
memory/3792-945-0x0000000024160000-0x00000000241C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c6ec8ffc94ae433129996f0a30a62980 |
| SHA1 | 5d370ce21f1611cf989ac091873ad499b89713d1 |
| SHA256 | 2303fe61543cdceb7058b4a76caa3ea8dee68ccb8a41e9e92a854bd2e824de3a |
| SHA512 | 34c567795f5534103186a96fb0c18ccc245e8a4aef65601261dbdbb75f6233b881fa5a4a8f7349028ef6c1483d09c0382d3f6557dde2009444c7660c41516372 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6b7320b59983a7ad8efe4accdf56c413 |
| SHA1 | 49ad051c801dc7d4beeecca9d3750f3b08d1c956 |
| SHA256 | 3fe3596b97c54f139ed6407b97e4f94935582a59b1d2e2e79e2cecbfe4ec03d6 |
| SHA512 | 4a930b0ca2b8f8672b39505293be1571878f88aff097ecd546a21a27f443f34555c1e5475381925c22476a2ae0f57639cc615c9585da201674d779da96b66cd4 |
memory/4976-1173-0x0000000000400000-0x0000000000497000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ba3f865d83d26a077c2f7206edf72804 |
| SHA1 | 3c49fbab3b3369beeb7e797daff958620bb36d5c |
| SHA256 | 96e1f10051dd9e0f0ff5be16c27ef63bbb0a403b6e158c6239090c6704f5f74c |
| SHA512 | 5af3e4d8abf4aece1810232d51b79ea1f11a72430f8d4c3c5ed5bda6bfd4cd67738178b281a64beff1bb7de98bc94e724f86e3714a2b7d478f46ad55daeb8ba8 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c0159678b210e8dc2d29e100bdc9aa69 |
| SHA1 | 6e9379136198ee8e8b270492f6ddd6fe13c09c2d |
| SHA256 | e95b8d39dd875655db542a7f0d079e5b498660983dde867fb5c5e6ff16347eb0 |
| SHA512 | fe3f9f90485e9f95f9c516b4d47592363a858597cc460d7eedc20c5aeed34db6b566f238e88ffb4af0636b95e02410f7320dcf1681ab56868b12600077e19775 |
memory/4976-1407-0x0000000000A00000-0x0000000000A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f75f1d0e21bea076832fe96e5c516440 |
| SHA1 | 66990846bdae6facc20474804bffcb79856d5364 |
| SHA256 | 04a08782378f215510432b4725ada3b3db649e1daeccd04d3e4942d86435f312 |
| SHA512 | 8fd00cde23c2306169e42760094aa9b86fb6626253ec75c8bce59b3bc69b989f9cb3bd1d01b7b7532c7e56be5c9a681387f22fc4ca0e1c2e7c915db9e7f61328 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 896c7ff7a739bb5865e7ac9900dc7c37 |
| SHA1 | 7662f88eab88358cf07d0dd76b3fbc532de0ccb2 |
| SHA256 | 3eb337dca0f48f9257ea6fd42815e8f04193e22164f3467f90f42361558a2752 |
| SHA512 | dd4f151a54cf1204c9ad3cb222f04016c29fe039a5fa61ea90564d07de69ed488f6438879b6227e41ec71a0128c682f802abc0ca6061e1de4e6c2bc3f3d5bd3f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | bcba3ca029d59046554b22c21e565090 |
| SHA1 | 1416d069f9f2f30fc3523d6f334c6943e8d966e4 |
| SHA256 | db4ac5b8345c25ba8c7c79082cc2876a3f6c17e1864bb6b51c20662a2325e2dc |
| SHA512 | f169c55642cceb92c74de83f7991ba0f4f86f95d5d1177c6aa04af0a7a40ad9ad7fc3363509b20d80dee26cdc5f7563a980af21ab7c1564bfc40b16076a241f3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fa866b1de89820471351480cec1bb5e2 |
| SHA1 | cc26f4c25ed300c3bafb36c79bc939f2ed9bd648 |
| SHA256 | fead11324714f90cc55209e987d890ce0b230a3e70b3820589a71790040ac7be |
| SHA512 | bb446af2ff37c4c8c2220d89453b975d9621a4711c338d8e8b24b2d8abb06f4e12b44c33a5584f6b0c76deda1597873f71a1bd4da4cff415b1cf6431d6f093d8 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fdaaeb8412e87f8ba8e66771ee76ac9a |
| SHA1 | ef325c5bd23e9ba6354a206ca24146f3a983d0a3 |
| SHA256 | 3d8b51bcc0d233119f61d5b0e8e864ffe80f3b34bb290df405ec972ae0788ad6 |
| SHA512 | e2c635b8c97602109898ea13d54149b2901aa90509fe2b8951b3383c84ba9c8607cc2ccc6803f13725499cbac518d6581d866fc12ad50692c63f2d33500a4767 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 55127b140b850f0e944b1ab53857a537 |
| SHA1 | 503a47a86ccde136f237dc4ab2125972e8ce9020 |
| SHA256 | 6c71006052d562635fb316118a24555e316eb42998713cbfb7697dd757d0ff21 |
| SHA512 | 01fe31d31ebf594dc3181112c8112e923ec5dbfad9baadf56505408fbefd1c0c5922e07ef5e95aaf39106fb5f20917c2d1b128de377141653f47e96a8a15a5b9 |
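Two things in the listing above are worth checking mechanically rather than by eye: the file persisted as `C:\Windows\SysWOW64\spynet\iexplorer.exe` carries exactly the hashes of the submitted sample (the SHA256 in the overview), so the RAT copies itself rather than dropping a second stage, and that path sits under SysWOW64 while the Run-key value written by the sample says `system32`, which is what WoW64 file-system redirection does to a 32-bit process writing into System32 on a 64-bit host; a hunt that only looks in the real System32 would miss the file. The script below is an added example, not part of the sandbox report: it parses the "path line followed by `| MD5 | … |` rows" layout used here, plus the `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines, and runs those checks. The embedded listing is a constructed excerpt of the entries above; `SUBMITTED_SHA256` is taken from the report overview and `RUN_KEY_VALUE` from the behavioral signatures.

```python
"""Parse a sandbox dropped-file / memory-dump listing into IOCs and sanity-check it.

Added example, not code from the sandbox or the report. Assumes the layout used
above: a bare path line, then one "| ALGO | hexdigest |" row per hash.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of the listing above (same layout, subset of the entries).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 3a227c36e41ee0fdddb4245676374fda |
| SHA256 | 83cbbeb798040c68346f46f8f80f058a6aef01adf65309239dbd46d2a3602228 |
C:\Windows\SysWOW64\spynet\iexplorer.exe
| MD5 | c0c225e9ae2c853eb7ed5b3349e04081 |
| SHA1 | abcb002a06b138ab79694bdd1da119c8430faa68 |
| SHA256 | 045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f |
memory/1864-85-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8fb48eba03a7719a243be0b18e4532b |
| SHA256 | b7ff8e3b109e07a7d67c497542805f82e668e62b314374c53de43946d0386ef4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9d58478d13fe98b09d6134b0fb159a11 |
| SHA256 | 2218f9afd6c102dad8b32fc8c4d2d5d6950431905685634754015e4ea1845587 |
"""

SUBMITTED_SHA256 = "045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f"
RUN_KEY_VALUE = r"C:\Windows\system32\spynet\iexplorer.exe"   # from the Policies\Explorer\Run signature

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text):
    """Return (dropped files, memory dumps). Rejects hash rows with no path or a bad length."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None                      # a dump line ends the previous file record
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:   # catches truncated / mangled digests
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)        # any other line starts a new file record
        files.append(current)
    return files, dumps


def self_copies(files, submitted_sha256):
    """Paths whose SHA256 equals the submitted sample's, i.e. the sample copied itself."""
    return [f.path for f in files if f.hashes.get("SHA256") == submitted_sha256.lower()]


def rewrites_per_path(files):
    """Distinct SHA256 values per path; more than one means the file was overwritten."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return {p: len(s) for p, s in seen.items()}


def canonical_system_path(path):
    # Undo WoW64 redirection: a 32-bit process writing under System32 on 64-bit
    # Windows actually lands in SysWOW64, so the report shows SysWOW64 while the
    # registry value the sample wrote says system32. Compare case-insensitively.
    return re.sub(r"(?i)^c:\\windows\\syswow64\\", r"c:\\windows\\system32\\", path).lower()


def matches_run_key(dropped_path, run_key_value):
    return canonical_system_path(dropped_path) == canonical_system_path(run_key_value)


def ioc_hashes(files, algo="SHA256"):
    """Deduplicated digest list suitable for a blocklist or retro-hunt."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes})


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    print("self-copies of the sample:", self_copies(files, SUBMITTED_SHA256))
    print("rewrites per path:", rewrites_per_path(files))
    for d in dumps:
        print(f"pid {d.pid} dump #{d.seq}: 0x{d.start:x}-0x{d.end:x} ({d.size} bytes)")
    print("SHA256 IOCs:", ioc_hashes(files))
```

Run against the full listing, `rewrites_per_path` shows the repeated `XxX.xXx` entries as one path rewritten many times with different contents, so that path is an IOC by name while its hashes are not stable enough to block on; the single stable hash is the self-copy under `spynet\`. The memory-dump sizes (0x88000 bytes at image base 0x400000 for pid 1864) tell you which dump holds the unpacked image rather than a small heap region.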