Analysis Overview
SHA256
019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c
Threat Level: Known bad
The file cfa077e790dfac211c6689a84d4953f2 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Detect ZGRat V1
ZGRat
Modifies Installed Components in the registry
Adds policy Run key to start application
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 01:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 01:53
Reported
2024-03-17 01:56
Platform
win7-20240221-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
CyberGate, Rebhip
Detect ZGRat V1
ZGRat
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe Restart" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2720 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe |
| PID 1432 set thread context of 2132 | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winlogui\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | "C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe" |
| C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files (x86)\Winlogui\csrss.exe | "C:\Program Files (x86)\Winlogui\csrss.exe" |
| C:\Users\Admin\AppData\Local\Temp\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mfvfmava.duckdns.org | udp |
| FR | 141.255.144.148:6666 | mfvfmava.duckdns.org | tcp |
| US | 8.8.8.8:53 | newanonjoe.ddns.net | udp |
| BR | 185.192.124.32:666 | newanonjoe.ddns.net | tcp |
Files
C:\Program Files (x86)\Winlogui\csrss.exe
| MD5 | cfa077e790dfac211c6689a84d4953f2 |
| SHA1 | 2304882c26bc8cf013ae3396e719eb59e1f96b3f |
| SHA256 | 019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c |
| SHA512 | c1a0583c9e6493573c2fd8f454a72dcac6266b9cc67bfcc55233be91113765f5a7c9247901fc3f25e817f37e8fb98bf5f4cae2c006f39e9797aa209eb7c63584 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | fd8ac240a192de863efdc53b28ce607a |
| SHA1 | 7e7df0b97a3fe9b26e4d0fb04b58a369bdb12dd0 |
| SHA256 | 851313efdb52401cf8c6b394ea4c984b7f76371e5b02d66b8723d75f5ebbea64 |
| SHA512 | 25ed8addd4253d3762791e377587200be37867cb9e378d90a2d6367c3d08e1df031b155e83a283cc9a773043b3aa1fe85640a7525393f29c2297cfe8a1c01ab3 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/1432-9405-0x00000000730D0000-0x00000000737BE000-memory.dmp
memory/2132-9412-0x0000000000400000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b01e78eff5e0d935345fcc5d5ab7180e |
| SHA1 | 91a5c1291d05de02b91682a2725fa666da27cc3b |
| SHA256 | 426aad2b99cf2f074663d48a412dcec596b75973c9ab7295590e0fdf0cdb39d2 |
| SHA512 | 760102e1238e450599d164731f22f1d4a1e00ba758915c0853d3a9cbfca64ffbe6b325e4605bc40e1364d5b74427152295670c7a0480163f299b467529e91929 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f2df1998d8a64377f3880126ac24ad3a |
| SHA1 | f4a53650e1bc20631afae3eebe074eaf989130b9 |
| SHA256 | 196180652a762bb863d65748ccc4e4b87e18554a102699ec9914976b7a2afa38 |
| SHA512 | a55003f8e86abc31753bad9e7ba4052d44609f60f7b4e49797d68b15f007d8175fed80dc3f4609cf3057f92d47b9ad3c9bdae0e2bca25bca5c73bb4dc86cad8a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b5eed3486e8d4239df90a71424d426b6 |
| SHA1 | 554df985862e9e3ec54a2f1f2605d7fa3dba8f01 |
| SHA256 | 4e5b4668757c06eb04d8f00b79979ffeb7eb4e862dca2ac57a97630966b20b08 |
| SHA512 | 8b0c20fe881de6a091bcf3f7927d3ce97f8fa7baadcc5f3cb5833d6c332b23a40c9a71e53e6c945d86c1880cf62ac29d60ccb0f4e76786c73ebbce17d96dccde |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ade683b6702c264fdca1be8140ced088 |
| SHA1 | f7e084c01a21747b1ef0cf1596c6a657e0b94909 |
| SHA256 | 34523488aefb91297ea18715db4c2af2317b34562db257e52562daaac43a88fc |
| SHA512 | 2ba7bba10e605f8b5c9b0371175808841b8b7c623c8567ed5471643aa4404046aa3d1ef1de915d1d925883a3cdf72f85b0c14df403766134234e0a71ec982454 |
memory/2132-9668-0x0000000000400000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 88b70f0458c634ee3668e5fc240881b8 |
| SHA1 | f757bac344eb68dd1a461dcac0228ae69bdae192 |
| SHA256 | 07f8f572d5010d6bcf5724f00292e478710b09ad72626d57994eea19fcfa5e15 |
| SHA512 | bff6858efee583da15e56115931fca05154a48772bc8c3fc88bdb0ef5b981b30cf070365e99bd98d2f2f47f9a06e9d4b71c051ca99b3709518a85cc4bcaf2045 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6349cd818ed77c27c99e78311d7ed627 |
| SHA1 | d73b81bc0fce685483173064a50405cdd51b710a |
| SHA256 | 55326b1e46f4f33e30a2d9a5176435be99e751e3e1e84165662c1a2d41a323f0 |
| SHA512 | bedfa0b8a446f12ab562b0a2ea3320d0f1f670d8808105a23d05df5e272008672eedb3d488960eecbf8e2852136fb02340e9e1b72eb4dbd1748ae162e9249ee3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 97515db8e4129613174db89a27f36ce0 |
| SHA1 | cbf8857ccd35f41b638d30afd4096dcd10ea147d |
| SHA256 | 0015cc24e145d1d93ccae776d0532e4ea7ee725967ea37d0f1f3da3610e45db0 |
| SHA512 | 7bfc75f921243ce139e792bfaf5e08b1b5ae6c7f2c4cc3843ac1d5591c928f2b7ff1a8bd752ebaf9c8c36a6567618a48568321c1cfa76d006e538d52b71d005e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 568b60a7ef390f862eda2b51cb9d05d2 |
| SHA1 | 1fbaafaebeead6a10bc0821131b9c7e89d69420f |
| SHA256 | 8d3ce7f152ad53e8811cb6487c0e8eacebb1b363af084717814a7205792213fa |
| SHA512 | c4cf6e0e5fb843fb46b4d42ff6f89739041ffff1a795dcb00c88fb20183690f98ddd3f9ca734d2fb6eecabf9e25ce066bb3cc0691dcf2ae745b200bcccfeb71b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 68ade3cfa5bef7fc7cd81870fd490249 |
| SHA1 | bd5d14f95462d2ad00e177291ebdcee27c3dc9c6 |
| SHA256 | c32ef71fea0477ab768949495c885e9fd3782ce3c844f7c76b5f3b9cdc333f7a |
| SHA512 | 601841b9f3bcb23e3d5ffdb78259aedd6759155f2076210f0eed23149d21e9c9c443052462c9a4b6746fbc3ca0eed5e140637ab32acbab4737382a00bfbb1d00 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2be9b9054a9cbc3ef0fb531e2ed6f4ed |
| SHA1 | 25d5a69cb339ab11c3b0e0e75969deb54bd87522 |
| SHA256 | abef53a40f05897df38e1058be5434022bd99c75411c2ec9b702c63d89d4aa6e |
| SHA512 | d6381f4714be72af459b8fa9233ecb49e30ec9e45d5cb288894b5df35a2130c4c02a2684c417812ad8af14f45b2994c32cac36d64f9630057cfc8736b9e2fdb2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9e52eb57be5045bfed2c879e7269c2a1 |
| SHA1 | 60914db5c16b81ff3916dbfb3b2024ff854ce3a7 |
| SHA256 | 92734ae57b1b45224c96a40c35a9ecc8a418609e1b94c8e59c845a38158dfe0d |
| SHA512 | b4955eaccbb9e253684330aca607520c6f57bb75efd5b77a62c31d175ac4e3b07e632ce0c07c7b389c2c6738ed51c826f5e515ded583374a3b940e7fc0a793c7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 550af5809a1bd544c5af2c6e324426d2 |
| SHA1 | 6285fe1d0307720c4a5789ea2abf2496aae521c7 |
| SHA256 | 33e17518cdce0a9980f075ffc85334c3b39b1b5c9df541194b96cf8705a6a1c3 |
| SHA512 | 02b0fe14175f29f256db770df5ee620898327f83707faf9f21aadd58997441130c92c7be4ffc67cbec68c2a4c4fd5a7ec42d5a76cb638b055c20c96e90c3af2f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 01:53
Reported
2024-03-17 01:56
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe Restart" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3432 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Winlogui\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
"C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Winlogui\csrss.exe
"C:\Program Files (x86)\Winlogui\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mfvfmava.duckdns.org | udp |
| FR | 141.255.144.148:6666 | mfvfmava.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | newanonjoe.ddns.net | udp |
| BR | 185.192.124.32:666 | newanonjoe.ddns.net | tcp |
Files