Malware Analysis Report

2025-01-02 13:08

Sample ID 240317-ca7xnabf58
Target cfa077e790dfac211c6689a84d4953f2
SHA256 019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c
Tags
cybergate zgrat 30.07yt persistence rat stealer trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c

Threat Level: Known bad

The file cfa077e790dfac211c6689a84d4953f2 was found to be: Known bad.

Malicious Activity Summary

CyberGate, Rebhip

Detect ZGRat V1

ZGRat

Modifies Installed Components in the registry

Adds policy Run key to start application

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 01:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 01:53

Reported

2024-03-17 01:56

Platform

win7-20240221-en

Max time kernel

150s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(34 matches, all fields N/A)

ZGRat

rat zgrat

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe Restart" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(4 matches, all fields N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
File opened for modification | C:\Program Files (x86)\Winlogui\csrss.exe | C:\Windows\SysWOW64\explorer.exe | N/A
File opened for modification | C:\Program Files (x86)\Winlogui\ | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A
N/A | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Winlogui\csrss.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2720 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
(15 identical rows)
PID 1912 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe | C:\Windows\Explorer.EXE
(49 identical rows)

Processes

Path: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Path: C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe"

Path: C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe

Path: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Path: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Path: C:\Program Files (x86)\Winlogui\csrss.exe
Command line: "C:\Program Files (x86)\Winlogui\csrss.exe"

Path: C:\Users\Admin\AppData\Local\Temp\csrss.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mfvfmava.duckdns.org | udp
FR | 141.255.144.148:6666 | mfvfmava.duckdns.org | tcp
US | 8.8.8.8:53 | newanonjoe.ddns.net | udp
BR | 185.192.124.32:666 | newanonjoe.ddns.net | tcp
FR | 141.255.144.148:6666 | mfvfmava.duckdns.org | tcp
BR | 185.192.124.32:666 | newanonjoe.ddns.net | tcp
US | 8.8.8.8:53 | mfvfmava.duckdns.org | udp
FR | 141.255.144.148:6666 | mfvfmava.duckdns.org | tcp

Files

memory/2720-0-0x00000000011A0000-0x000000000122A000-memory.dmp

memory/2720-1-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/2720-2-0x0000000000500000-0x0000000000540000-memory.dmp

memory/2720-3-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/2720-4-0x0000000000DE0000-0x0000000000E66000-memory.dmp

memory/2720-5-0x0000000004FA0000-0x000000000501A000-memory.dmp

memory/2720-6-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-7-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-9-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-11-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-15-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-13-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-17-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-19-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-20-0x0000000000500000-0x0000000000540000-memory.dmp

memory/2720-22-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-24-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-26-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-28-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-30-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-32-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-36-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-34-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-42-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-40-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-38-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-48-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-46-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-44-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-50-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-52-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-54-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-56-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-58-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-60-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-62-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-64-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-66-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-68-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-70-0x0000000004FA0000-0x0000000005015000-memory.dmp

memory/2720-2289-0x0000000000C00000-0x0000000000C08000-memory.dmp

memory/2720-2309-0x0000000074360000-0x0000000074A4E000-memory.dmp

memory/1912-2310-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2208-2560-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2208-2561-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2208-2845-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Program Files (x86)\Winlogui\csrss.exe

MD5 cfa077e790dfac211c6689a84d4953f2
SHA1 2304882c26bc8cf013ae3396e719eb59e1f96b3f
SHA256 019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c
SHA512 c1a0583c9e6493573c2fd8f454a72dcac6266b9cc67bfcc55233be91113765f5a7c9247901fc3f25e817f37e8fb98bf5f4cae2c006f39e9797aa209eb7c63584

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 fd8ac240a192de863efdc53b28ce607a
SHA1 7e7df0b97a3fe9b26e4d0fb04b58a369bdb12dd0
SHA256 851313efdb52401cf8c6b394ea4c984b7f76371e5b02d66b8723d75f5ebbea64
SHA512 25ed8addd4253d3762791e377587200be37867cb9e378d90a2d6367c3d08e1df031b155e83a283cc9a773043b3aa1fe85640a7525393f29c2297cfe8a1c01ab3

memory/1912-2933-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2936-3152-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1912-3151-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/1432-3175-0x00000000730D0000-0x00000000737BE000-memory.dmp

memory/1432-3174-0x00000000009E0000-0x0000000000A6A000-memory.dmp

memory/1432-3176-0x00000000049B0000-0x00000000049F0000-memory.dmp

memory/2208-3177-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 84406752de066cfa11c396098b6486b4
SHA1 0befb8b78c03badaf9376ba8795fe24044f3c6ed
SHA256 d30b3a3eb892c802238d8dbc5f1b7b990cd61cdc1ecc20ead4df50263664b202
SHA512 7d49ffd8e08479a328189026ca81976f717c8269eec315760e5ea0304cccbf77f110191c4502e7ae1075cea40bf1b45fb25ed145e25af1d6d271ea4dd24a2a22

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f76f06ccb4cf01d3f809503943cdd1f9
SHA1 cd466510826c32f314f3aeaf8fc97366bb595c32
SHA256 1d8b3e601eb1612d87ef46370bf798020bd5e74b95c82947e50b8c8f4660e171
SHA512 7c9b3fd5a309ba23045a33042c6fd9c1d2118ecd42c576ce519761c69eb979fef7416cefc93b7d5064cb5d0f2e48dd4c49820701c4228f459000bbf7073ccbc4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 872781d89e8fb68e3f11260e3d8b20c0
SHA1 88fb8919a7374b6bd9a93029c1378ea6b96b05c2
SHA256 4554a2a53ffb06922d180309ffadcd4a089692e9ea0a9959f2720d1159a03c3b
SHA512 9bd378c0c0bee26e1867e09e556d15d87b51c24954ea27057cd0345ae412c77f94b8bd272d0b213604eccb31fc546422a1457a3a00a5599205519d4a43a9b3a4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2089f854660eab742a579f9d0c46f092
SHA1 76a097d730737e3b785e2824918073c9733a2dc1
SHA256 f3182cf11536b65a86b5c09fcd7955b744389951976ad27e3c09ea1d98af0f77
SHA512 1db121362fbbf347ce2bc704bf2f490658e832eba4fa28be98301b6fbce7e9d1e928d81ed4187a94fc27b4562c335aff245d5d30dc0e8e1a69ea55364f55ab35

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2f0e014dea736305a8036403555acd9d
SHA1 e7639b639740f373b3ada710abcab742edbd30dd
SHA256 a9661eaedbd20d1ac397bdc57a4e9d02e66b44b5171e795a33c6feb6d56357ca
SHA512 05f8f0bba080a69b75053236d89020ff3957d76ed5c19a7f02d195e3dce8cb60cef4e4f991e9e7679ca9848ab7033cd6a751c1bd73362b68b028004a2fd42472

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cc1c6682543c35084eb9ca21c13e30f8
SHA1 4760361db9bff2b2c72950056adf73a0d5bc7b92
SHA256 7fffc1804e58e3e65697f1c4c6d820a80c86233170caa0e1d1e04304a3429a96
SHA512 e6374adc7adc2cbef9df58c49d752c28341655dc2e39ede2e39e6efd562988467eee96ba20bfa6d419da71e6a4d0339280e254633ffa18540db340a265a9ff6b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f45168e6ef6692a5ced8807671d29aaf
SHA1 b2b8b34b064db2c7616c4b7931e1cc4a6c759ab5
SHA256 f70c88f40decee53b0e8f4faea5d3e66889324e513de8f311689775af44ecbdb
SHA512 e86c5fc54124db017686b12099ba4435a1cfdf489277f12159663beafa464d53a612d1c2d2636a2db9064686ed4e8880c0a99c3e9a9e4447c667502d29d8c3ea

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 887a076c24363a41d68d32940d83d056
SHA1 ee3a086f483dd43a45d45427b1730480213a478c
SHA256 e84f6f1c156dbcd24ed5c0aa2b1f6191738d63fce78ebb69f7bc826c29e9ac64
SHA512 30c1b6b3207846fcaf8926b68eff37ac337b1e09226c1a7cb04ac6f5daf7fb142365b17cc42f39dd35fc17c4b5ad7e27c9ab27855bcf8520861c556972068336

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7696ffea775405591df3ef60121e912d
SHA1 84f2ac321a89ab9bff40927a029cf2f5d0247831
SHA256 2b8373b391541e4dd7355766667d2d8f474d67414eac03521daad7c833a9d113
SHA512 3fedd4b88f527d7a7bc441da63c0e90aa9525b6f65328037d910aef1c3f1315a560378b2319e8a34deeb31a19b5f5cef2d20fa3a506d1ffcafb739dc37c6e6a1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8540c34763783407b3f7c6b59dfa84cd
SHA1 d2460228e851b6c562a2965fd944e91469c60879
SHA256 941b51c0cec45fc8788414ed252d6f5d7a76a9f1dd31014da0675b7582adce50
SHA512 a973d2e01c1d51800e892cb371752e54496543188265874127cba86a0d5d214b441e564cc6e0c0a3a3875111825307fd2caad82811ac5b95c5c9e94f9514b405

memory/2936-3906-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/1432-3911-0x00000000730D0000-0x00000000737BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 af055fa6dc20b8bc40a8e23a626addac
SHA1 f5edc1ec6fcd3e82385200c503ed5707420e5834
SHA256 b908e11cdcc5ca9b0c33c382ef636586602de4a34b849aeed819481d78f6603c
SHA512 0ef1731148415447ca75bb28b9cc233b056b1e109cc45d7cca7b3b40399018bc830fc687a1b6a45859561b18a04fbd3149533845c1d4b0faeb8ac667dffb3137

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4d2aa98bae926729090cc6c30dd1e02c
SHA1 7b0aa0e4b7abd0e0f702727d47e007c975874386
SHA256 67bd5b1cd580941d7233565504c888ca9c9e9c4454684f2bc58abf17bcb382cf
SHA512 44acd869c15063a2ab37c0f05c538cb8a132c89ee733805cb2cb025b08e4f5991e62e86528a7a5e036443d3573d3b18512ccc47b4d36228bf29f3ce1efdecb79

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6f1f31153e838ada751a5637a1487bdf
SHA1 4346aefd590f6a6865b0524f5563a501c4d1af6d
SHA256 1268e12763098cc62d89260e59374db5019ae6686f2a98ec54770ec06761ea50
SHA512 6a42fac764fd7a7e16f953969334c285e37fb4b1b0ed80fa6d35c69ae6742eba83918c3c3a0c8712bb7549950976775a8ce2bcecd62e622954ad469ba23c5cf6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2b4c933df299fdd834eed1f08189d770
SHA1 5f3e3e71a1496383d68f6cae750ad6e830a2b16a
SHA256 7e8166fe59949bc12516adf702e15199cb813870be3db801112fd1b40b892340
SHA512 b152d42eff6de63a24449d0c8f32eb0c50ba1875cc0c9a2197bac8afd54697aa88f8114057136b4085ed580a5006625c0830ae55082e3ebc1b2c8457b685217c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 62f6d4a49fa69c3514f489ff5dab9851
SHA1 cc8f3820b39647b04ee2609665e26f51e48e88dd
SHA256 62821b70e1b68974d953138dc0a6bf04eb2d63d92d484a4bdbb15e7731a595d8
SHA512 bdb7f884522b5a55a455e716147ab5d6c1d98b0ae7646c541342db9313c37bf2db30a536bb18019b631d64f09721c317ab3ecfff7f5c5dc758f82ea593983726

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 58d6aca501b933bd584d3a74b970cdd3
SHA1 03b1c3a35153492a05daeb1854344eba7cea6a3b
SHA256 4137a217c3d8831c41378e5aaf43c41cc39d466b91efdf471beeed9dfaebde48
SHA512 38aaa8c83cb518c197693964dac406bd64ec72e3dbd563a4c61e295df8a96b9aa1236037dbd76074c50f8ca059c51cc91547e20cb41867281030f427e119c92b

memory/1432-4879-0x00000000049B0000-0x00000000049F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dc40b55bfb1c19aa3d7868983351d565
SHA1 c6a5050ac8a55f8f824623ba04bd7a833035c92b
SHA256 8c8022d7e375b45e9b856329d986b7dca4af0176d436be5667f99ebbf67f3ae0
SHA512 5ce38f149b6db6fc780bc2b2e23de2e4c11aa2af48ffa29dd89d09a9cac97e9d36882bc9bfe41a3ea82f0cd0f29f354d9f2056bce8371be36cbffb3351fdb2c5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 61603588eb744a18ff7c8ed8b793fd36
SHA1 7ea0c4fbd4b60089bf68e62e7612c793831d3842
SHA256 93c51cd69191f509686121a5f4fd7ace634994c6da9ee60240c989c9da69440d
SHA512 3e9d56818f425eca8303703421771aa0468afb8220341cc3561388d06af75a8306105da91d79234226f697d9fef387f51d75df533131cec4131c435cbc26fda7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 098d3891b5aa4d573d47e77dec7bfae1
SHA1 16e39da7b2cf222998b9ca27557cd10d4dcb3972
SHA256 890f74e3414ccc80845a5bbab73b9d5859432b418ca27b8cb4e4a90cc3934627
SHA512 8912baa253ea84edd630461bc1cdf93c3e6f812a788bc934dfcd342c4f92d312c17a662926e7042879e602ce631c9e2160d5e37bb236670cff0aa7c1ac426db0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ad8aaa12808b9112c509a9c8cbbd0679
SHA1 8ffb9a01e4bf5a45ba0f4e43d141bc4b329dcfca
SHA256 fbe8f834580e33db327114e8015b26b573cb1a0e390fd51f2570e286efdffdce
SHA512 125ec24d7b9ab3475b061fa2fba67922a86f99a2cf8508c517c48ed64045cfeb1b87ee557a42ce4636c7db960b4cefff61fab4935cfe626bd7d1c63ac309888d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e896e7206582e4ca6d53860f3f478b26
SHA1 1f4c102ead1fe0eb1113023a602e1f5851a41026
SHA256 2123fcf486dcc5b92dae205eff40886550d5da4f730651331d6298fe961771aa
SHA512 0ddbf662bb1122edf9ae6761eebf58a87581298b94e5aa58de8ee401c37d87c7479cdb8c40e6f891918c5451ffd5f10c743e08ca16c211ba5bae71bef7b77551

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2223c3f2ef61bbf1ae6f48c0d78da197
SHA1 08a17a2cb5070917873bb5d6d2628a132e4b9531
SHA256 6e9eb49690e8cef5475e96b7ce765f1e0426a27182b9956311f8593579eb253e
SHA512 9403174f6d501e4d98912979ad37985edb83ebda630b6c8093138da340ce06486282406781d5e27bccbdc6addaf5253d71899d1b644a710ed9d709e95cdbd37b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8ece309494e254dd24e4cf70086b1c4a
SHA1 b6a777c5e06c00f5539d1fc3bc6b7c9d115b7cce
SHA256 b960fd79bfd28ea162fcceb085ea61323cd0473926f074d2332cb98f5d24a7df
SHA512 a512c20abd74b481b0efcc94c5dd72212349b05dedcd9a75cc74b79fba91bbda993e75e077f2c3ddb2a2c4e33724a04698c78544123d54b83f32c76342ada277

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 241c88c982f951a37ec236cf872b5b93
SHA1 f888a6742209ac7749ec8079bab20d45f20665e7
SHA256 a0660f15822ed03ea92e8167f37cde06441b265b0438d93b3de35fe964060693
SHA512 dc87707d7a5bc1a7c34d144500b4622f3e853762e109ee148cc5cf79523263dad804dce8bedd37cc985747da2cfd71cf2d855dbead9fc785b4aab4f354c132f7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9926ddeabdb43340d285acb2603398ff
SHA1 dd3de27f591137654b76adf2b81beb00d26d38a4
SHA256 0f64b53c8493b11e602ccf5bcccdd7eec25a6ffd74a7dd21d92affbd3f30b1d7
SHA512 86afbf5875ffef7f4888b2aeb76ae00e091dc3070715e21acdd469e6f395b9d93d12c9b4af0288528b0cd6ef372186f3b77112f47a55e116e6a0bd14eb1d3a16

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 07d56c8463f968eae189fd57e688702d
SHA1 23b265742c89c257cee0407308325578ad605877
SHA256 29266a9101f29c6c019dd01cfa9e7441af4caec4a9da553eb61536bb843a87e5
SHA512 53337757f23ffe1b86f2e64bcfa094d19a206c143d7be26be6f098fd3d46f70d943d5b744dd37e46a95220a0273fc81f561e1e65a1ab800e8b97de96fed1f2c3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ee9812992e1a14da26302d17e1c553fa
SHA1 429f558eaba2f8638f06129fade5820382ae2ee0
SHA256 8ad0ede2e1c647c0cc81c3a66d10bc8a01c916164ff75ec12c985eb677330345
SHA512 494e8d962cc16245c8c3893aa10eaba39817280a66dbc6054cf7d2ee0ea5edd33e0a736790962cc78d70c433d7f17a9fddb2c9cf031f9ae7f43dcff88da5b847

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6158f7d91ae80c5f291517a11c51e727
SHA1 9e3a64e3a72a48f5dfbcbbbe3e9783ba83d9b95a
SHA256 2f03598cb04aef4109faf891138197abd9eb8c43b7718138ef2d156dadc5695e
SHA512 f35daa1ab98df1960f78e77ea5c307e6ba765b544682975bd2e37dbc885e800ad162f1376e832787f80ef532d2996eba39ad8aa12c861740709b81005582a338

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 188218d801d0cd1bf6fb51ebfa2c05e9
SHA1 f2031e076887e172314ca9b2ab2cbaa8dc4c6bcb
SHA256 e82e0f6bc9562f4c06bc7aab0a722fbf5dca89030a91f14cabf5c93fd6844684
SHA512 f077800e85f810da258202769253838a39e2bec900c4d4c916108669582efe3f61ef12d9ad20db929863b9db8b469038f482ff5728b64ed62b627efc8cc4d1d5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 afdfda8997cdfe480b41a941b270ac86
SHA1 801138c2d5e91790be7917b4f1b0881000c39040
SHA256 57dda9adf314f0344b1556656b25a053743f2832926f8b5bbbebc02d8a3757b5
SHA512 e77426fb7ecd5a32ebdd39f8165386a1d33a5057d91ff72113248858f25dd410b910a66e01193f652e86d8e2788df6b18f6c4f753778f5a9393984eef188e26c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2614c5db85b3927a31765d073ef4d3ac
SHA1 fc4012966e339b5ae4b657dbf73eb6746d9524df
SHA256 b0600b66cc0c9c4e8bd93f2f4dcf3ec3234d9e6a7b9b15f537955e5a429c9e30
SHA512 d05f3ea8be65694dba378727f66037f4c6185c81ff3a2ad56d663f0ed13f1a2c760de049309f9bd260a8b691a5de29a5672fd92540c1bfe7e6062b5bb08132d9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3a28fb1dfb6d1a6dcc37e46429c3c661
SHA1 2f45680b877b3ec87bdcf44a721dac4b1ff8856c
SHA256 15b11772bf52e9c29c2e1984c75ad8768e9730c25004c2dbf5756b59f96159ae
SHA512 43d404ad07fa45b487a3971e6eb76e0a22787babaf5135602274a0e5fe62e7bb404c36aa1844f4c8bb0d102ec643b5fbc157b19c592fc5c8bae4db524af32600

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cd6a415f602f1c892c1e4c34e8736917
SHA1 2a4705461f5291299f0f07c10603b2bc1acb6db8
SHA256 e7dd903013e1e5d0b2d505d32d95946ab9f686342e724e9e163bb07d8e816638
SHA512 b5790f757d75a5d082780da6c790314ade07d93b49ec5cb55dfe231df932e6d2193bf527f266920c4cb53e2eba18db1cb56b8d633610a54851c5d13522f791ee

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4693633b3bbc7db8581d9e8cbc670635
SHA1 4807c46fb05e4d916d311766b037101379a9d1a0
SHA256 7cdfe81f91255aeb15a9347e885552bf6e3d06d62dc4fc48e9ecbc7d636bc617
SHA512 81377d0db817ebcac2927336a4842da5289652b0b533bead000cfc75be2549efce0373f1fbbe2e0fbe274214e3fea4579f72d76f0447b6b301bd418eb8ad8864

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ee88560dcf5d52a8bf4fd2578ad8fcca
SHA1 321d795d9a217e37aea6cc0d72ee6900bdc1db93
SHA256 55729639c73e28a01a04d3cce5353594f4a9fb89d0434ecd298deb8a1695c45f
SHA512 fd0b63f6f985f2830277d10b0e026c5fcac2839faad465eec8e5808fd315b3e42c9676d7827d5ee13d8a5be4d8c00b1fd6ba60bc3b6d510e29fcfbf91479824e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0fd522fa5850bb5d294dcd30790b73f0
SHA1 49e11d06b68695eeec28dfc36c803b04b60bb46a
SHA256 8fd41805050b8a2a368680494461795d017fa0bef12712bee12a27a022bf8e8b
SHA512 a7ad8d2afe1fe66456a5119cbdffe2d9cf24a3bc02ef201f25d3940eecfbb500d4691f254197e6968c003e9789545a3fecc94e41b58eb06254abb25434361219

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 07053bbfd4fe2c008c48e380900ad423
SHA1 c5c0717f076ab1211193538be08d4001201d9e3c
SHA256 b85ffd8afdd78d00ba5e58afa62c210fde7f6e996f5e3411e47f97433f4e5112
SHA512 52990185ff2a66d6854263f2c5046b71ae12cf0da9b59d7d53a9c6b7e0a0de8e34b83e64674e43d9de44143109afed2f7daabfc7c7c296089c2ddb26c91f1b0e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 07a8233b9f6a0e3b6de27b055055b4fc
SHA1 80dc36a11f60547449c9efc0ab56d3a3c828d610
SHA256 0a402674d7b30dac11a771107b01f908a3a9fd67d93a8cf98be0fb87a342e6ac
SHA512 bb28755cf4a392b456f182052cb5a0d13f185cfbf33e9d50a7eb47b13406b1d9bee2c0f5cc7354764288c97160f1227d916da960f62884075bda35c58ff42ff9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 eaf7b2117b8ded7af1b8c8a3a3abc845
SHA1 1ed9a7fe2488d695fcb59a65b63b65764665f143
SHA256 42990f52617c07585d8549e7f2eb3e20725eb6671dba7bd30b277b040842f53a
SHA512 0e4482a0d5627dc85898c2f896e8105d434e6d8bf3df28b84850a68205952f950a380c6c43181cb79b9847b1f81ea201932db4e829048dfa7db2689baa52200c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2af1f44a9002b7fd56e9f8d43acfece2
SHA1 c2b482e9e158c39afbc0409ce0047cec546739b8
SHA256 dea830a906f7249ae19dbb090701f7b8153bf1603ae6a51e560946e439adb46a
SHA512 4debf880ffce7568917f91d680866a80fa85ba0aa5d801dfa160980f6be856e37f9e50c693a261ebd51b9876c2d5d3b672ae9e07a498edb3a788cfa656ef5db5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7e2656806a4fae582e9b82eb2e434de3
SHA1 ef9087e67846d94c6474fadf66b02fa7f3c2586d
SHA256 082b8f2f42362740e8123fab80f1944c30b0dc3f05169f152ab5a1592bd1a623
SHA512 52a808a75d3fbd8e6e232a3ba8b94498d6ead87484d26543a84b062f44ba4743e4f5e292f398153f403715e1424691ee2350f1829f13c3287de72133363a6eb4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c17fb2acdc68d0f816b099e7b3bc3887
SHA1 24194bed71d15bd0da62e8f868ab672c39e950af
SHA256 ac138cc019d64934c69a6a953c3d1c5bdc56b58502210f416f60b88a93765e5a
SHA512 699013f5bcf1982a3f2501e56d2d4e6ee28a48738b050f3bf4ab3d575d59f9517b20ab8c3b788dd0bf06c2911711c8b3148bb9ca22ded031e6dcbeef9648de15

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7c1ff225827efb2ad800d1ad6b5aae6d
SHA1 c38afc9e57b3316895c47f193894ad1490bfadac
SHA256 bf1a486ec21d1703ebe92be75b06c17a99a0c6a5d31ff9d134c9f0ee780e7cf5
SHA512 8761456f6da142514042f051b006e6d101c8e44f42c3e1d9b0a1c8c312a219a5901ba760a5bd6535007ffdf18ca386cab17f811c1d6ecddaeefcd05eb84b8295

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ca9884669dd88b20d55862cc7fc93c2b
SHA1 311b106a9a3ad97f9fd6ee08ec1e4fe9a98723a2
SHA256 42b31cbdb66982cf7bbdfe1cb6bb66518d4c8a6d1df1c1ded7200dde49cf661d
SHA512 f6903b645a4fdb994062c338abd30df5f3e5067d9af0b851288b166e9fb927290fee49ee23205cb45b946ee35a3f76550e74735dda3a81aba75bda8e2812929c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ccd85e1bce18df27f20450f3d0bcb95b
SHA1 17746a2b7608844d6e406a02b66a3a9c7e62cb6f
SHA256 8eb69f1e763539df30660ec5a49eb324d5cd50dd7e2f3bdd0444704f79338543
SHA512 52549fd1ffc81b7e20fc88199ba2347434cc5bb977f5024c1579571dd281f3825032156841b6e1253b319d8939d3f9a7f835ca49680f0215e69298bda3b3b7ff

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a16bbc077877062790b55703a908d85c
SHA1 09010ff8ceeee2b01aa3612bccf1da7354084037
SHA256 7d61235e231980e1afc0bfc70bed334ec3476240e58da2a4611716c77961d4ed
SHA512 cdb47598561e8c10ae36ac5236cc5e89bb6b7d24082268b2219c362376e758f81fb3a825946fe28667a36e0ab7ad388f6945baff7df0f021b7406e254edf7756

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 748194ab5fc0bb94c5b1e01471864b28
SHA1 f4cee0906507f0d773e5571bcf2d9ee661fd49f6
SHA256 f8230ae6341ad41e52bc147f6cb2da670cc6191c41d1eed665b914118304a04f
SHA512 9fa2bd891a03bf2992e2ae740b5e59804f600c65b72a4efcbeed7c86f0a06992f364573538bb7eaa7858b0ead882ff7e69f1e4cdde3fb0235fc3f715f6c23926

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f8f817d5b083b2bfa3424b4b328c9cf3
SHA1 de7295dab2654bf2bb3372bf31aeda12deae48fc
SHA256 586c392a143342266bbfa6e8b900b65302ce0905288ed57353ade85b6c2bfd91
SHA512 e1d76e6ca5f33a30983b08756a5085b551b5a41ce5f7e576dbc3c264a72b893528534056c86d76f7377a5b0d6c953b15274295080005b1f1638f8896f518aff7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 693f05a5e2a9a2831f67773eec368afd
SHA1 a303e73e087fe0c2ab297aa939cf7f24c29ee256
SHA256 1af6a2d5ffe748bc67852f628027bc0d382f0d132efcde5125a3dd5ac627839a
SHA512 3d4d33d48838a61c0bc331de1dc0429dc01d559aacbf152ee3056332dfde3a4df3e418e34ea2cc79f2a00db5c21491506c0c4469f6f03049f1993621c193beaf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e81df3b7d62fb0de3a20dcc2939febc4
SHA1 c99b0940321f4a738fbc40318475aa52ca6f4b3e
SHA256 95374d8ff076c0c29eae8f4e1be1d5335f5dcf46023b6a106a44e7cbe76c8895
SHA512 95a626aa3362bcb475f667d96561f7b26c6c7d0563e5b1f29cfcaedbc75e30a703951fbe3b2a57594c74e240ff2428aab2f1761699b748c5ea6b3d6cae75418a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 45227778d7da1434cbddc46b1e6a7cca
SHA1 a7666bbcb872c18889fe85a65417eab017130d1b
SHA256 676fd429aa46989cad7c7f8afca8b1f67d09ca1c01bf2281f1e139b6ab28572f
SHA512 3834fdc2644711a23156a36a99b89f372d92282ae7ca39630ee9e0b8e93713d5418f724a3ab80676cbb887e0ed8e4b090f5ef7aa8a41d578d0c3945a728b8a90

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 51fd70bd5878a3726ba9bac85efc741b
SHA1 9ff8e4f54246f44f780f56ce5f448d03997173e8
SHA256 f6f71ed638c5491f567f5c3d9023c3c9cbf35af1dc9893a934d0516684668985
SHA512 de0148ac2ba24b7e90b61dc7171ce076d32a32b06ec4d1a10c6be1d1ccf0c91423d57f1a502b4721f92fd3cf229c2203833f3eb66d59b3e5de518b0c6cb97c85

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9affa1c52576677b4dea8b8ec243ac85
SHA1 4e8ec899771e98297f92b0d3c712a279774119a1
SHA256 c8b3eb3919f12e55b0e627422086e8066dd39fc6d773921fd841ffedf9515eee
SHA512 9054d2ab764a60f134f7a288222f64f7acf2d10e0f94f511b6fe52d01f9932fc9493f4f4232b257df88cee005b986130209b1fc3eee8e1b37595e9f1d647ba49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 746c367646fea6f1753f9caabe552166
SHA1 99bf7c76a5640659a654ff30cc074059ad50d04e
SHA256 b33cf883c3c7ad87074a4810a07565f69d9548ba2c13ab7332baee24ce1f9a5f
SHA512 776276e46b1ed5cf804556d32f12246a2a61563fbd94ca29982b05037da28ccd5e3ce7cd26d210a36a0962a38f54a8262fe5be27673851654eb03809c70da452

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 59c2f7a025b7383d986ac0451ef0f093
SHA1 8ddf51600a319acf6cb2355e7f39de3017200eaa
SHA256 15a1e4145630a84954731c87a2865cdaf144bf9d07ffbf6b77dedcfb6f17c3f3
SHA512 d611aa0537bfecd0a072eecc3fabff3a6a066cfa0c869ad1bd6166dba95adffce2fcf8b3b98694c86360108e788378831bd006fd3606e6ae993f9659dfcbcba1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e46d7564cc8eaa54aba3b53fbcfaf2f0
SHA1 be3147a75af489ddf42318915ba0c69d2ae3adab
SHA256 5834a906f6775956305e73d3d8024f59780fb0a97a4e4736ed45fceae48d8af5
SHA512 9973ed31ec2f4b6fc7ebfb9ef71c8f0bf403e396ae3a4816f1b4395d836c48ed3d13e01e546ccc6ca77649486b101bcaaed6905d71bd5880541a9ce2fcbc807c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53f5b9f7ac440e0653e5cbcc4906df8b
SHA1 9a8464eb841781cb8364e50106d64198d9a8d847
SHA256 ac4b70426506f9c8fe2f6f2352d514f6f32ff8574481ebf99b59ee4a3e2320c6
SHA512 615dec554d268fbebdd8486578d9d7b04f7937067d87baa418f2711a58e0c1912c32a251c765f4d9c1caa5c68145c29e15e45809d96d5f8f09012853abd2ebba

memory/1432-9405-0x00000000730D0000-0x00000000737BE000-memory.dmp

memory/2132-9412-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b01e78eff5e0d935345fcc5d5ab7180e
SHA1 91a5c1291d05de02b91682a2725fa666da27cc3b
SHA256 426aad2b99cf2f074663d48a412dcec596b75973c9ab7295590e0fdf0cdb39d2
SHA512 760102e1238e450599d164731f22f1d4a1e00ba758915c0853d3a9cbfca64ffbe6b325e4605bc40e1364d5b74427152295670c7a0480163f299b467529e91929

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f2df1998d8a64377f3880126ac24ad3a
SHA1 f4a53650e1bc20631afae3eebe074eaf989130b9
SHA256 196180652a762bb863d65748ccc4e4b87e18554a102699ec9914976b7a2afa38
SHA512 a55003f8e86abc31753bad9e7ba4052d44609f60f7b4e49797d68b15f007d8175fed80dc3f4609cf3057f92d47b9ad3c9bdae0e2bca25bca5c73bb4dc86cad8a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b5eed3486e8d4239df90a71424d426b6
SHA1 554df985862e9e3ec54a2f1f2605d7fa3dba8f01
SHA256 4e5b4668757c06eb04d8f00b79979ffeb7eb4e862dca2ac57a97630966b20b08
SHA512 8b0c20fe881de6a091bcf3f7927d3ce97f8fa7baadcc5f3cb5833d6c332b23a40c9a71e53e6c945d86c1880cf62ac29d60ccb0f4e76786c73ebbce17d96dccde

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ade683b6702c264fdca1be8140ced088
SHA1 f7e084c01a21747b1ef0cf1596c6a657e0b94909
SHA256 34523488aefb91297ea18715db4c2af2317b34562db257e52562daaac43a88fc
SHA512 2ba7bba10e605f8b5c9b0371175808841b8b7c623c8567ed5471643aa4404046aa3d1ef1de915d1d925883a3cdf72f85b0c14df403766134234e0a71ec982454

memory/2132-9668-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 88b70f0458c634ee3668e5fc240881b8
SHA1 f757bac344eb68dd1a461dcac0228ae69bdae192
SHA256 07f8f572d5010d6bcf5724f00292e478710b09ad72626d57994eea19fcfa5e15
SHA512 bff6858efee583da15e56115931fca05154a48772bc8c3fc88bdb0ef5b981b30cf070365e99bd98d2f2f47f9a06e9d4b71c051ca99b3709518a85cc4bcaf2045

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6349cd818ed77c27c99e78311d7ed627
SHA1 d73b81bc0fce685483173064a50405cdd51b710a
SHA256 55326b1e46f4f33e30a2d9a5176435be99e751e3e1e84165662c1a2d41a323f0
SHA512 bedfa0b8a446f12ab562b0a2ea3320d0f1f670d8808105a23d05df5e272008672eedb3d488960eecbf8e2852136fb02340e9e1b72eb4dbd1748ae162e9249ee3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 97515db8e4129613174db89a27f36ce0
SHA1 cbf8857ccd35f41b638d30afd4096dcd10ea147d
SHA256 0015cc24e145d1d93ccae776d0532e4ea7ee725967ea37d0f1f3da3610e45db0
SHA512 7bfc75f921243ce139e792bfaf5e08b1b5ae6c7f2c4cc3843ac1d5591c928f2b7ff1a8bd752ebaf9c8c36a6567618a48568321c1cfa76d006e538d52b71d005e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 568b60a7ef390f862eda2b51cb9d05d2
SHA1 1fbaafaebeead6a10bc0821131b9c7e89d69420f
SHA256 8d3ce7f152ad53e8811cb6487c0e8eacebb1b363af084717814a7205792213fa
SHA512 c4cf6e0e5fb843fb46b4d42ff6f89739041ffff1a795dcb00c88fb20183690f98ddd3f9ca734d2fb6eecabf9e25ce066bb3cc0691dcf2ae745b200bcccfeb71b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 68ade3cfa5bef7fc7cd81870fd490249
SHA1 bd5d14f95462d2ad00e177291ebdcee27c3dc9c6
SHA256 c32ef71fea0477ab768949495c885e9fd3782ce3c844f7c76b5f3b9cdc333f7a
SHA512 601841b9f3bcb23e3d5ffdb78259aedd6759155f2076210f0eed23149d21e9c9c443052462c9a4b6746fbc3ca0eed5e140637ab32acbab4737382a00bfbb1d00

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2be9b9054a9cbc3ef0fb531e2ed6f4ed
SHA1 25d5a69cb339ab11c3b0e0e75969deb54bd87522
SHA256 abef53a40f05897df38e1058be5434022bd99c75411c2ec9b702c63d89d4aa6e
SHA512 d6381f4714be72af459b8fa9233ecb49e30ec9e45d5cb288894b5df35a2130c4c02a2684c417812ad8af14f45b2994c32cac36d64f9630057cfc8736b9e2fdb2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9e52eb57be5045bfed2c879e7269c2a1
SHA1 60914db5c16b81ff3916dbfb3b2024ff854ce3a7
SHA256 92734ae57b1b45224c96a40c35a9ecc8a418609e1b94c8e59c845a38158dfe0d
SHA512 b4955eaccbb9e253684330aca607520c6f57bb75efd5b77a62c31d175ac4e3b07e632ce0c07c7b389c2c6738ed51c826f5e515ded583374a3b940e7fc0a793c7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 550af5809a1bd544c5af2c6e324426d2
SHA1 6285fe1d0307720c4a5789ea2abf2496aae521c7
SHA256 33e17518cdce0a9980f075ffc85334c3b39b1b5c9df541194b96cf8705a6a1c3
SHA512 02b0fe14175f29f256db770df5ee620898327f83707faf9f21aadd58997441130c92c7be4ffc67cbec68c2a4c4fd5a7ec42d5a76cb638b055c20c96e90c3af2f

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 01:53

Reported

2024-03-17 01:56

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (34 identical rows in the original table: the rule matched 34 times, with no description, indicator, process or target recorded for any hit)

ZGRat

rat zgrat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe Restart" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Winlogui\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
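
The three persistence tables above share one payload path, C:\Program Files (x86)\Winlogui\csrss.exe, registered under two Run values with unrelated names (OneDrive, Jusched), under the Explorer policy Run key, and as an Active Setup StubPath whose component "GUID" contains non-hex characters. The script below is an added example, not part of the report or of any sandbox tooling: it parses those indicator rows as printed, emits a hunt list of (key, value name, executable) triples, records which processes wrote each key, and applies four heuristics (policy Run key use, malformed Active Setup GUID, a system-process name outside the Windows system directories, an autostart value name that does not match the binary it launches). The list of system-process names and the system directory prefixes are analyst assumptions, not facts from the report.

```python
import re

# Indicator rows copied from the three persistence tables of behavioral2
# ("Adds policy Run key", "Modifies Installed Components", "Adds Run key").
# Column order is Description, Indicator, Process, Target (Target is N/A).
INDICATORS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe Restart" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55}\StubPath = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V382127L-L634-XE81-R7HS-55731536TE55} C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Program Files (x86)\\Winlogui\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A',
]

SET_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\.+?)\\([^\\]+) = "(.*?)" (\S+) N/A$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+) N/A$')

# Analyst assumptions (not from the report): image names that only legitimately
# live under the Windows system directories, and those directories.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def exe_path(data):
    """Strip trailing arguments such as ' Restart' from REG_SZ autostart data."""
    i = data.lower().find(".exe")
    return data if i < 0 else data[: i + 4]


def analyse(lines):
    """Return (findings, hunt, writers).

    findings: list of (rule, registry key, detail)
    hunt:     {(key, value name): executable} to sweep for on other hosts
    writers:  {lower-cased key: set of process images that touched it}
    """
    findings, hunt, writers = [], {}, {}
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key, proc = km.groups()
            writers.setdefault(key.lower(), set()).add(proc)
            continue
        sm = SET_RE.match(line)
        if not sm:
            continue
        key, name, data, proc = sm.groups()
        writers.setdefault(key.lower(), set()).add(proc)
        exe = exe_path(data.replace("\\\\", "\\"))  # the report doubles backslashes in REG_SZ data
        hunt.setdefault((key, name), exe)
        lkey, base = key.lower(), exe.rsplit("\\", 1)[-1].lower()
        if "\\policies\\explorer\\run" in lkey:
            findings.append(("policy_run_key", key, "Explorer policy Run key is rarely used by legitimate installers"))
        if "\\active setup\\installed components\\" in lkey:
            guid = key.rsplit("\\", 1)[-1]
            if not GUID_RE.match(guid):
                findings.append(("malformed_active_setup_guid", key, f"{guid} is not a valid GUID"))
        if base in SYSTEM_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
            findings.append(("system_name_outside_system_dirs", key, f"{exe} masquerades as a Windows system process"))
        if lkey.endswith("\\run") and name.lower() not in exe.lower():
            findings.append(("value_name_mismatch", key, f"autostart value '{name}' launches {exe}"))
    return findings, hunt, writers


if __name__ == "__main__":
    findings, hunt, writers = analyse(INDICATORS)
    for rule, key, detail in findings:
        print(f"[{rule}] {key}: {detail}")
    print("\nHunt list:")
    for (key, name), exe in hunt.items():
        print(f"  {key}\\{name} -> {exe}  (written by: {', '.join(sorted(writers[key.lower()]))})")
```

The writers map is the part worth keeping for incident response: the Active Setup key is written both by the dropper and by C:\Windows\SysWOW64\explorer.exe, which tells a responder that the explorer.exe instance, not only the dropped csrss.exe, is running attacker code and must be included in the scope.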

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3432 set thread context of 2124 N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Winlogui\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Program Files (x86)\Winlogui\csrss.exe C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
File opened for modification C:\Program Files (x86)\Winlogui\csrss.exe C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
File opened for modification C:\Program Files (x86)\Winlogui\csrss.exe C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Winlogui\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe (11 identical rows in the original table)
PID 2124 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe C:\Windows\Explorer.EXE (53 identical rows in the original table)
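
Read together, the SetThreadContext and WriteProcessMemory rows describe a two-hop chain: PID 3432 writes into and sets the thread context of PID 2124 (a second instance of its own image), and 2124 then writes repeatedly into PID 3332, the desktop Explorer.EXE. The script below is an added example, not part of the report: it parses rows in the report's format into per-(source, target) edge counts, applies two heuristics of the author's own (write plus SetThreadContext into a process of the same image is scored as RunPE/hollowing-style self-injection; writes into a different image as cross-process injection), and walks the edges from the root writer to the final host. The repetition counts (11 and 53) reproduce the original table.

```python
import re

# Rows copied from the "Suspicious use of SetThreadContext" and "Suspicious use
# of WriteProcessMemory" tables of behavioral2. The WriteProcessMemory table
# lists the two rows 11 and 53 times respectively; that repetition is kept here.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
EVENTS = (
    [f"PID 3432 set thread context of 2124 N/A {SAMPLE} {SAMPLE}"]
    + [f"PID 3432 wrote to memory of 2124 N/A {SAMPLE} {SAMPLE}"] * 11
    + [f"PID 2124 wrote to memory of 3332 N/A {SAMPLE} {EXPLORER}"] * 53
)

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")


def parse_events(lines):
    """-> {(src_pid, dst_pid): {"writes": n, "setctx": n, "src": image, "dst": image}}"""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        e = edges.setdefault((int(src), int(dst)), {"writes": 0, "setctx": 0, "src": src_img, "dst": dst_img})
        e["writes" if action.startswith("wrote") else "setctx"] += 1
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(edges):
    """Heuristics (author's own, not the sandbox's):
    self_hollowing:           writer and target share an image and the writer
                              also set the target's thread context (RunPE style)
    cross_process_injection:  writer copies memory into a process of another image
    """
    findings = []
    for (src, dst), e in edges.items():
        same_image = basename(e["src"]) == basename(e["dst"])
        if e["setctx"] and e["writes"] and same_image:
            findings.append(("self_hollowing", src, dst, e["dst"]))
        elif e["writes"] and not same_image:
            findings.append(("cross_process_injection", src, dst, e["dst"]))
    return findings


def injection_chain(edges):
    """Follow edges from the PID that is never a target down to the final host."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    roots = sorted(srcs - dsts)
    if not roots:
        return []
    chain = [roots[0]]
    while True:
        nxt = [d for (s, d) in edges if s == chain[-1] and d not in chain]
        if not nxt:
            return chain
        chain.append(nxt[0])


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    for (src, dst), e in edges.items():
        print(f"{src} -> {dst}: {e['writes']} writes, {e['setctx']} SetThreadContext, target {e['dst']}")
    for f in detect(edges):
        print("finding:", f)
    print("chain:", " -> ".join(map(str, injection_chain(edges))))
```

The chain is what matters for response: the process that opens the C2 connection and writes the registry keys in the tables above is the hollowed Explorer.EXE, not the file on disk, so a memory capture of PID 3332 (or of C:\Windows\SysWOW64\explorer.exe in the Processes list) is needed to recover the unpacked payload.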

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe

"C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe

C:\Users\Admin\AppData\Local\Temp\cfa077e790dfac211c6689a84d4953f2.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Winlogui\csrss.exe

"C:\Program Files (x86)\Winlogui\csrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 mfvfmava.duckdns.org udp
FR 141.255.144.148:6666 mfvfmava.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 newanonjoe.ddns.net udp
BR 185.192.124.32:666 newanonjoe.ddns.net tcp
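
Most of the table is sandbox background: reverse lookups of addresses the guest saw, Bing and Chrome Web Store traffic on tcp/443. The two rows that matter are the connections to mfvfmava.duckdns.org on tcp/6666 and newanonjoe.ddns.net on tcp/666, both dynamic-DNS hostnames on non-web ports. The script below is an added example, not part of the report: it parses the table as printed, classifies each row, and returns the flagged TCP destinations as a hunt set. The dynamic-DNS suffix list and the set of ports treated as ordinary web ports are analyst assumptions, not facts from the report.

```python
# Network table copied from behavioral2 of this report
# (columns: Country, Destination, Domain, Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 mfvfmava.duckdns.org udp
FR 141.255.144.148:6666 mfvfmava.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 newanonjoe.ddns.net udp
BR 185.192.124.32:666 newanonjoe.ddns.net tcp
"""

# Analyst assumptions, not from the report: dynamic-DNS providers commonly
# abused for RAT C2, and TCP ports treated as ordinary web traffic.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")
STANDARD_TCP_PORTS = {80, 443}


def parse_rows(table):
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Return (kind, reasons): kind is a coarse bucket, reasons why the row deserves attention."""
    reasons = []
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        kind = "ptr_lookup"  # sandbox reverse lookups of observed IPs: noise
    elif row["proto"] == "udp" and row["port"] == 53:
        kind = "dns_query"
    elif row["proto"] == "tcp" and row["port"] in STANDARD_TCP_PORTS:
        kind = "tcp_web_port"
    else:
        kind = "nonstandard_port"
        reasons.append(f"{row['proto']}/{row['port']} is not a web or DNS port")
    if domain.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-DNS hostname")
    return kind, reasons


def c2_candidates(table):
    """(domain, ip, port) for every flagged TCP connection: the hunt set for this sample."""
    out = set()
    for row in parse_rows(table):
        _, reasons = classify(row)
        if row["proto"] == "tcp" and reasons:
            out.add((row["domain"], row["ip"], row["port"]))
    return out


if __name__ == "__main__":
    for row in parse_rows(NETWORK_TABLE):
        kind, reasons = classify(row)
        if reasons:
            print(f"{kind:17} {row['domain']} {row['ip']}:{row['port']} {row['proto']}  <- {'; '.join(reasons)}")
    print("C2 candidates:", sorted(c2_candidates(NETWORK_TABLE)))
```

Block the hostnames rather than only the IPs: dynamic-DNS names are the operator's way of moving the controller, so the resolved addresses 141.255.144.148 and 185.192.124.32 are expected to change while the names stay in the sample's configuration.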

Files

memory/3432-0-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3432-1-0x0000000000C90000-0x0000000000D1A000-memory.dmp

memory/3432-2-0x0000000005BF0000-0x0000000006194000-memory.dmp

memory/3432-3-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/3432-4-0x0000000005810000-0x0000000005820000-memory.dmp

memory/3432-5-0x00000000057C0000-0x00000000057CA000-memory.dmp

memory/3432-6-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3432-7-0x0000000005810000-0x0000000005820000-memory.dmp

memory/3432-8-0x0000000008270000-0x00000000082F6000-memory.dmp

memory/3432-9-0x0000000008540000-0x00000000085BA000-memory.dmp

memory/3432-10-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-11-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-13-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-15-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-17-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-19-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-21-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-23-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-25-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-27-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-29-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-31-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-33-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-35-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-37-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-39-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-41-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-43-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-45-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-47-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-49-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-51-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-53-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-55-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-57-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-61-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-59-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-63-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-65-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-67-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-69-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-71-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-73-0x0000000008540000-0x00000000085B5000-memory.dmp

memory/3432-2292-0x0000000001100000-0x0000000001108000-memory.dmp

memory/2124-2297-0x0000000000400000-0x0000000000450000-memory.dmp

memory/3432-2304-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3180-2319-0x0000000000640000-0x0000000000641000-memory.dmp

memory/3180-2321-0x0000000000700000-0x0000000000701000-memory.dmp

memory/3180-2369-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 fd8ac240a192de863efdc53b28ce607a
SHA1 7e7df0b97a3fe9b26e4d0fb04b58a369bdb12dd0
SHA256 851313efdb52401cf8c6b394ea4c984b7f76371e5b02d66b8723d75f5ebbea64
SHA512 25ed8addd4253d3762791e377587200be37867cb9e378d90a2d6367c3d08e1df031b155e83a283cc9a773043b3aa1fe85640a7525393f29c2297cfe8a1c01ab3

C:\Program Files (x86)\Winlogui\csrss.exe

MD5 cfa077e790dfac211c6689a84d4953f2
SHA1 2304882c26bc8cf013ae3396e719eb59e1f96b3f
SHA256 019c54e21983426d5f427e1169f8c1b2c5548d51376c55e1078b95342549919c
SHA512 c1a0583c9e6493573c2fd8f454a72dcac6266b9cc67bfcc55233be91113765f5a7c9247901fc3f25e817f37e8fb98bf5f4cae2c006f39e9797aa209eb7c63584

memory/2124-2384-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2124-2435-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2264-2436-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/1552-2458-0x00000000726D0000-0x0000000072E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ee9812992e1a14da26302d17e1c553fa
SHA1 429f558eaba2f8638f06129fade5820382ae2ee0
SHA256 8ad0ede2e1c647c0cc81c3a66d10bc8a01c916164ff75ec12c985eb677330345
SHA512 494e8d962cc16245c8c3893aa10eaba39817280a66dbc6054cf7d2ee0ea5edd33e0a736790962cc78d70c433d7f17a9fddb2c9cf031f9ae7f43dcff88da5b847

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 07053bbfd4fe2c008c48e380900ad423
SHA1 c5c0717f076ab1211193538be08d4001201d9e3c
SHA256 b85ffd8afdd78d00ba5e58afa62c210fde7f6e996f5e3411e47f97433f4e5112
SHA512 52990185ff2a66d6854263f2c5046b71ae12cf0da9b59d7d53a9c6b7e0a0de8e34b83e64674e43d9de44143109afed2f7daabfc7c7c296089c2ddb26c91f1b0e

memory/3180-2534-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 07a8233b9f6a0e3b6de27b055055b4fc
SHA1 80dc36a11f60547449c9efc0ab56d3a3c828d610
SHA256 0a402674d7b30dac11a771107b01f908a3a9fd67d93a8cf98be0fb87a342e6ac
SHA512 bb28755cf4a392b456f182052cb5a0d13f185cfbf33e9d50a7eb47b13406b1d9bee2c0f5cc7354764288c97160f1227d916da960f62884075bda35c58ff42ff9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 eaf7b2117b8ded7af1b8c8a3a3abc845
SHA1 1ed9a7fe2488d695fcb59a65b63b65764665f143
SHA256 42990f52617c07585d8549e7f2eb3e20725eb6671dba7bd30b277b040842f53a
SHA512 0e4482a0d5627dc85898c2f896e8105d434e6d8bf3df28b84850a68205952f950a380c6c43181cb79b9847b1f81ea201932db4e829048dfa7db2689baa52200c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2af1f44a9002b7fd56e9f8d43acfece2
SHA1 c2b482e9e158c39afbc0409ce0047cec546739b8
SHA256 dea830a906f7249ae19dbb090701f7b8153bf1603ae6a51e560946e439adb46a
SHA512 4debf880ffce7568917f91d680866a80fa85ba0aa5d801dfa160980f6be856e37f9e50c693a261ebd51b9876c2d5d3b672ae9e07a498edb3a788cfa656ef5db5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7e2656806a4fae582e9b82eb2e434de3
SHA1 ef9087e67846d94c6474fadf66b02fa7f3c2586d
SHA256 082b8f2f42362740e8123fab80f1944c30b0dc3f05169f152ab5a1592bd1a623
SHA512 52a808a75d3fbd8e6e232a3ba8b94498d6ead87484d26543a84b062f44ba4743e4f5e292f398153f403715e1424691ee2350f1829f13c3287de72133363a6eb4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c17fb2acdc68d0f816b099e7b3bc3887
SHA1 24194bed71d15bd0da62e8f868ab672c39e950af
SHA256 ac138cc019d64934c69a6a953c3d1c5bdc56b58502210f416f60b88a93765e5a
SHA512 699013f5bcf1982a3f2501e56d2d4e6ee28a48738b050f3bf4ab3d575d59f9517b20ab8c3b788dd0bf06c2911711c8b3148bb9ca22ded031e6dcbeef9648de15

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7c1ff225827efb2ad800d1ad6b5aae6d
SHA1 c38afc9e57b3316895c47f193894ad1490bfadac
SHA256 bf1a486ec21d1703ebe92be75b06c17a99a0c6a5d31ff9d134c9f0ee780e7cf5
SHA512 8761456f6da142514042f051b006e6d101c8e44f42c3e1d9b0a1c8c312a219a5901ba760a5bd6535007ffdf18ca386cab17f811c1d6ecddaeefcd05eb84b8295

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ca9884669dd88b20d55862cc7fc93c2b
SHA1 311b106a9a3ad97f9fd6ee08ec1e4fe9a98723a2
SHA256 42b31cbdb66982cf7bbdfe1cb6bb66518d4c8a6d1df1c1ded7200dde49cf661d
SHA512 f6903b645a4fdb994062c338abd30df5f3e5067d9af0b851288b166e9fb927290fee49ee23205cb45b946ee35a3f76550e74735dda3a81aba75bda8e2812929c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ccd85e1bce18df27f20450f3d0bcb95b
SHA1 17746a2b7608844d6e406a02b66a3a9c7e62cb6f
SHA256 8eb69f1e763539df30660ec5a49eb324d5cd50dd7e2f3bdd0444704f79338543
SHA512 52549fd1ffc81b7e20fc88199ba2347434cc5bb977f5024c1579571dd281f3825032156841b6e1253b319d8939d3f9a7f835ca49680f0215e69298bda3b3b7ff

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a16bbc077877062790b55703a908d85c
SHA1 09010ff8ceeee2b01aa3612bccf1da7354084037
SHA256 7d61235e231980e1afc0bfc70bed334ec3476240e58da2a4611716c77961d4ed
SHA512 cdb47598561e8c10ae36ac5236cc5e89bb6b7d24082268b2219c362376e758f81fb3a825946fe28667a36e0ab7ad388f6945baff7df0f021b7406e254edf7756

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 748194ab5fc0bb94c5b1e01471864b28
SHA1 f4cee0906507f0d773e5571bcf2d9ee661fd49f6
SHA256 f8230ae6341ad41e52bc147f6cb2da670cc6191c41d1eed665b914118304a04f
SHA512 9fa2bd891a03bf2992e2ae740b5e59804f600c65b72a4efcbeed7c86f0a06992f364573538bb7eaa7858b0ead882ff7e69f1e4cdde3fb0235fc3f715f6c23926

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f8f817d5b083b2bfa3424b4b328c9cf3
SHA1 de7295dab2654bf2bb3372bf31aeda12deae48fc
SHA256 586c392a143342266bbfa6e8b900b65302ce0905288ed57353ade85b6c2bfd91
SHA512 e1d76e6ca5f33a30983b08756a5085b551b5a41ce5f7e576dbc3c264a72b893528534056c86d76f7377a5b0d6c953b15274295080005b1f1638f8896f518aff7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 693f05a5e2a9a2831f67773eec368afd
SHA1 a303e73e087fe0c2ab297aa939cf7f24c29ee256
SHA256 1af6a2d5ffe748bc67852f628027bc0d382f0d132efcde5125a3dd5ac627839a
SHA512 3d4d33d48838a61c0bc331de1dc0429dc01d559aacbf152ee3056332dfde3a4df3e418e34ea2cc79f2a00db5c21491506c0c4469f6f03049f1993621c193beaf

memory/2264-3666-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e81df3b7d62fb0de3a20dcc2939febc4
SHA1 c99b0940321f4a738fbc40318475aa52ca6f4b3e
SHA256 95374d8ff076c0c29eae8f4e1be1d5335f5dcf46023b6a106a44e7cbe76c8895
SHA512 95a626aa3362bcb475f667d96561f7b26c6c7d0563e5b1f29cfcaedbc75e30a703951fbe3b2a57594c74e240ff2428aab2f1761699b748c5ea6b3d6cae75418a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 45227778d7da1434cbddc46b1e6a7cca
SHA1 a7666bbcb872c18889fe85a65417eab017130d1b
SHA256 676fd429aa46989cad7c7f8afca8b1f67d09ca1c01bf2281f1e139b6ab28572f
SHA512 3834fdc2644711a23156a36a99b89f372d92282ae7ca39630ee9e0b8e93713d5418f724a3ab80676cbb887e0ed8e4b090f5ef7aa8a41d578d0c3945a728b8a90

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 51fd70bd5878a3726ba9bac85efc741b
SHA1 9ff8e4f54246f44f780f56ce5f448d03997173e8
SHA256 f6f71ed638c5491f567f5c3d9023c3c9cbf35af1dc9893a934d0516684668985
SHA512 de0148ac2ba24b7e90b61dc7171ce076d32a32b06ec4d1a10c6be1d1ccf0c91423d57f1a502b4721f92fd3cf229c2203833f3eb66d59b3e5de518b0c6cb97c85

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9affa1c52576677b4dea8b8ec243ac85
SHA1 4e8ec899771e98297f92b0d3c712a279774119a1
SHA256 c8b3eb3919f12e55b0e627422086e8066dd39fc6d773921fd841ffedf9515eee
SHA512 9054d2ab764a60f134f7a288222f64f7acf2d10e0f94f511b6fe52d01f9932fc9493f4f4232b257df88cee005b986130209b1fc3eee8e1b37595e9f1d647ba49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 746c367646fea6f1753f9caabe552166
SHA1 99bf7c76a5640659a654ff30cc074059ad50d04e
SHA256 b33cf883c3c7ad87074a4810a07565f69d9548ba2c13ab7332baee24ce1f9a5f
SHA512 776276e46b1ed5cf804556d32f12246a2a61563fbd94ca29982b05037da28ccd5e3ce7cd26d210a36a0962a38f54a8262fe5be27673851654eb03809c70da452

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 59c2f7a025b7383d986ac0451ef0f093
SHA1 8ddf51600a319acf6cb2355e7f39de3017200eaa
SHA256 15a1e4145630a84954731c87a2865cdaf144bf9d07ffbf6b77dedcfb6f17c3f3
SHA512 d611aa0537bfecd0a072eecc3fabff3a6a066cfa0c869ad1bd6166dba95adffce2fcf8b3b98694c86360108e788378831bd006fd3606e6ae993f9659dfcbcba1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e46d7564cc8eaa54aba3b53fbcfaf2f0
SHA1 be3147a75af489ddf42318915ba0c69d2ae3adab
SHA256 5834a906f6775956305e73d3d8024f59780fb0a97a4e4736ed45fceae48d8af5
SHA512 9973ed31ec2f4b6fc7ebfb9ef71c8f0bf403e396ae3a4816f1b4395d836c48ed3d13e01e546ccc6ca77649486b101bcaaed6905d71bd5880541a9ce2fcbc807c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53f5b9f7ac440e0653e5cbcc4906df8b
SHA1 9a8464eb841781cb8364e50106d64198d9a8d847
SHA256 ac4b70426506f9c8fe2f6f2352d514f6f32ff8574481ebf99b59ee4a3e2320c6
SHA512 615dec554d268fbebdd8486578d9d7b04f7937067d87baa418f2711a58e0c1912c32a251c765f4d9c1caa5c68145c29e15e45809d96d5f8f09012853abd2ebba

memory/1552-4535-0x00000000726D0000-0x0000000072E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b01e78eff5e0d935345fcc5d5ab7180e
SHA1 91a5c1291d05de02b91682a2725fa666da27cc3b
SHA256 426aad2b99cf2f074663d48a412dcec596b75973c9ab7295590e0fdf0cdb39d2
SHA512 760102e1238e450599d164731f22f1d4a1e00ba758915c0853d3a9cbfca64ffbe6b325e4605bc40e1364d5b74427152295670c7a0480163f299b467529e91929

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f2df1998d8a64377f3880126ac24ad3a
SHA1 f4a53650e1bc20631afae3eebe074eaf989130b9
SHA256 196180652a762bb863d65748ccc4e4b87e18554a102699ec9914976b7a2afa38
SHA512 a55003f8e86abc31753bad9e7ba4052d44609f60f7b4e49797d68b15f007d8175fed80dc3f4609cf3057f92d47b9ad3c9bdae0e2bca25bca5c73bb4dc86cad8a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b5eed3486e8d4239df90a71424d426b6
SHA1 554df985862e9e3ec54a2f1f2605d7fa3dba8f01
SHA256 4e5b4668757c06eb04d8f00b79979ffeb7eb4e862dca2ac57a97630966b20b08
SHA512 8b0c20fe881de6a091bcf3f7927d3ce97f8fa7baadcc5f3cb5833d6c332b23a40c9a71e53e6c945d86c1880cf62ac29d60ccb0f4e76786c73ebbce17d96dccde

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ade683b6702c264fdca1be8140ced088
SHA1 f7e084c01a21747b1ef0cf1596c6a657e0b94909
SHA256 34523488aefb91297ea18715db4c2af2317b34562db257e52562daaac43a88fc
SHA512 2ba7bba10e605f8b5c9b0371175808841b8b7c623c8567ed5471643aa4404046aa3d1ef1de915d1d925883a3cdf72f85b0c14df403766134234e0a71ec982454

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 88b70f0458c634ee3668e5fc240881b8
SHA1 f757bac344eb68dd1a461dcac0228ae69bdae192
SHA256 07f8f572d5010d6bcf5724f00292e478710b09ad72626d57994eea19fcfa5e15
SHA512 bff6858efee583da15e56115931fca05154a48772bc8c3fc88bdb0ef5b981b30cf070365e99bd98d2f2f47f9a06e9d4b71c051ca99b3709518a85cc4bcaf2045

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6349cd818ed77c27c99e78311d7ed627
SHA1 d73b81bc0fce685483173064a50405cdd51b710a
SHA256 55326b1e46f4f33e30a2d9a5176435be99e751e3e1e84165662c1a2d41a323f0
SHA512 bedfa0b8a446f12ab562b0a2ea3320d0f1f670d8808105a23d05df5e272008672eedb3d488960eecbf8e2852136fb02340e9e1b72eb4dbd1748ae162e9249ee3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 97515db8e4129613174db89a27f36ce0
SHA1 cbf8857ccd35f41b638d30afd4096dcd10ea147d
SHA256 0015cc24e145d1d93ccae776d0532e4ea7ee725967ea37d0f1f3da3610e45db0
SHA512 7bfc75f921243ce139e792bfaf5e08b1b5ae6c7f2c4cc3843ac1d5591c928f2b7ff1a8bd752ebaf9c8c36a6567618a48568321c1cfa76d006e538d52b71d005e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 568b60a7ef390f862eda2b51cb9d05d2
SHA1 1fbaafaebeead6a10bc0821131b9c7e89d69420f
SHA256 8d3ce7f152ad53e8811cb6487c0e8eacebb1b363af084717814a7205792213fa
SHA512 c4cf6e0e5fb843fb46b4d42ff6f89739041ffff1a795dcb00c88fb20183690f98ddd3f9ca734d2fb6eecabf9e25ce066bb3cc0691dcf2ae745b200bcccfeb71b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 68ade3cfa5bef7fc7cd81870fd490249
SHA1 bd5d14f95462d2ad00e177291ebdcee27c3dc9c6
SHA256 c32ef71fea0477ab768949495c885e9fd3782ce3c844f7c76b5f3b9cdc333f7a
SHA512 601841b9f3bcb23e3d5ffdb78259aedd6759155f2076210f0eed23149d21e9c9c443052462c9a4b6746fbc3ca0eed5e140637ab32acbab4737382a00bfbb1d00

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2be9b9054a9cbc3ef0fb531e2ed6f4ed
SHA1 25d5a69cb339ab11c3b0e0e75969deb54bd87522
SHA256 abef53a40f05897df38e1058be5434022bd99c75411c2ec9b702c63d89d4aa6e
SHA512 d6381f4714be72af459b8fa9233ecb49e30ec9e45d5cb288894b5df35a2130c4c02a2684c417812ad8af14f45b2994c32cac36d64f9630057cfc8736b9e2fdb2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9e52eb57be5045bfed2c879e7269c2a1
SHA1 60914db5c16b81ff3916dbfb3b2024ff854ce3a7
SHA256 92734ae57b1b45224c96a40c35a9ecc8a418609e1b94c8e59c845a38158dfe0d
SHA512 b4955eaccbb9e253684330aca607520c6f57bb75efd5b77a62c31d175ac4e3b07e632ce0c07c7b389c2c6738ed51c826f5e515ded583374a3b940e7fc0a793c7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 550af5809a1bd544c5af2c6e324426d2
SHA1 6285fe1d0307720c4a5789ea2abf2496aae521c7
SHA256 33e17518cdce0a9980f075ffc85334c3b39b1b5c9df541194b96cf8705a6a1c3
SHA512 02b0fe14175f29f256db770df5ee620898327f83707faf9f21aadd58997441130c92c7be4ffc67cbec68c2a4c4fd5a7ec42d5a76cb638b055c20c96e90c3af2f