Malware Analysis Report

2024-12-07 20:36

Sample ID 240305-vxl8ksdb44
Target b53e52adadcefcfca9271af10635bae1
SHA256 57f237109e20aa6c529841d017c8e31596275df1201ae2bf345610d5f23e1278
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57f237109e20aa6c529841d017c8e31596275df1201ae2bf345610d5f23e1278

Threat Level: Known bad

The file b53e52adadcefcfca9271af10635bae1 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 17:22

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 17:22

Reported

2024-03-05 17:24

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
(11 matches; no description, indicator, process or target was recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Note the path mismatch: both Run values (oddly named "HKLM" and "HKCU") point at C:\Windows\system32\install\server.exe, while the file was actually created under C:\Windows\SysWOW64\install\ (see "Drops file in System32 directory" below). The sample is a 32-bit process, so WOW64 file-system redirection diverted its System32 write to SysWOW64, and registry redirection likewise placed the HKLM value under WOW6432Node. When triaging a 64-bit host, check both the System32 and SysWOW64 locations and both the native and WOW6432Node Run keys, and verify whether the value as written resolves to an existing file for the 64-bit process that evaluates Run keys at logon.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Windows\SysWOW64\explorer.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\server.exe

The WerFault command lines under Processes (-p 3756) identify the crashing process, and the dump memory/3756-154-0x0000000000400000-0x0000000000457000 covers the same image range as the sample, so the dropped server.exe copy crashed on the Windows 10 image. No crash is recorded in the Windows 7 detonation (behavioral1).

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe C:\Windows\Explorer.EXE
(this identical entry is recorded 64 times: PID 4180, the submitted sample, repeatedly writing into PID 3444, the desktop shell C:\Windows\Explorer.EXE)

Processes

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Image: C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe"

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Image: C:\Windows\SysWOW64\install\server.exe
Command line: "C:\Windows\system32\install\server.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3756 -ip 3756

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 564

Two 32-bit explorer.exe instances (the SysWOW64 binary) are started with the bare command line "explorer.exe". They are distinct from the 64-bit desktop shell (C:\Windows\Explorer.EXE) and, per the signatures above, are the processes that enable SeDebugPrivilege, open C:\Windows\SysWOW64\install\ for modification and create the CLSID key. A 32-bit explorer.exe launched from a user's Temp directory is itself a useful hunting pivot.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.200:443 g.bing.com tcp 3
US 8.8.8.8:53 (22 reverse lookups, listed below) udp 22
US 20.231.121.79:80 (no domain recorded) tcp 1
US 8.8.8.8:53 www.server.com udp 1
US 52.8.126.80:80 www.server.com tcp 15
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 5

Reverse (in-addr.arpa) lookups sent to 8.8.8.8:53, in order of appearance: 104.219.191.52, 146.177.190.20, 206.178.17.96, 9.228.82.20, 41.110.16.96, 43.58.199.20, 26.165.165.52, 171.39.242.20, 228.249.119.40, 100.5.17.2, 119.110.54.20, 217.135.221.88, 204.178.17.96, 240.221.184.93, 18.134.221.88, 207.178.17.96, 202.178.17.96, 0.205.248.87, 198.178.17.96, 11.227.111.52, 17.134.221.88, 205.178.17.96 (each suffixed .in-addr.arpa).

The report does not attribute network events to a process. www.server.com (52.8.126.80:80) is the only destination contacted in both detonations; the Bing endpoints and the reverse lookups appear only on the Windows 10 image and are consistent with operating-system background traffic rather than sample activity. Treat the repeated plain-HTTP connections to 52.8.126.80:80 as the indicator worth blocking and hunting for, and confirm any network-based attribution with process-level telemetry before acting on the others.

Files

memory/4180-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4180-4-0x0000000024010000-0x0000000024072000-memory.dmp

memory/3664-8-0x0000000000430000-0x0000000000431000-memory.dmp

memory/3664-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/4180-64-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3664-67-0x0000000003420000-0x0000000003421000-memory.dmp

memory/3664-68-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3664-69-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe (same MD5 and SHA256 as the submitted sample: the drop is a straight self-copy, so one file hash covers both the original and the persisted copy)

MD5 b53e52adadcefcfca9271af10635bae1
SHA1 929ff81e1adcf798e78b684ce4031366eb10e8e6
SHA256 57f237109e20aa6c529841d017c8e31596275df1201ae2bf345610d5f23e1278
SHA512 282f56ffa44f5a623a3ef1a7205a27bfd318cdf303ef11711894313c94a4a0559bbf96d861938131b01930c72c86391034a4134d6f6f9c390b02cb7bb76a5e4e

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 14a1e0d3109db2bae57544c314957c6c
SHA1 5811b6e893317527c067d2d40382e5966df75e52
SHA256 962b844b34056933a198260d635f18aeb0943f5a5bfe9bc8e1cd21e2d2e23201
SHA512 0d284f7a1703f148e1be5b628597d2ca3de6466a31fa565640c5b3062e641455c18dd4cf681d956e313e53ca34bcfa4b279d11a870cfcd8c9a9a2eb52d5d2be8

memory/4180-134-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4280-135-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/3756-154-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3664-158-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx (rewritten during the run; the three entries that follow are successive snapshots of the same path with different hashes)

MD5 396f79fe51b0b61180bf2a0fcf642474
SHA1 118498ee827fee5c2dc0de4d54edc3055297e0d4
SHA256 0d55e17bbb93c979fd627055f6cd5148c97d2e7ed6800f40060196e3cd33fde5
SHA512 8b894ed87d72ac2746771b03e0dba7d0cfb57c5155213df37b75c730dfe15ae562520275129ed99c72ecf40efeaf47a0a5e159758312f90fc9ba424ef64a38b3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 48325aa0a2313745f9c49e91076cc3f2
SHA1 993a9cfb65305a2661400129085a0a4972da5636
SHA256 d0f3a950995856426f3a18f2e9527b202b638c82bef2f90db4ab701872203edb
SHA512 cc01dc499b0fce7e25396a64a014718124a7ee3629f4338e246745d19ce78d298f43414d5d0c33fb475f6d1dc31a1e7ad669fdf9d2be5fa28c01f03906166578

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 745ca9e2e81d6aea216fac3a4b054b30
SHA1 e2b285805c197a74c1bcc7a748678e6a40834c73
SHA256 2f019754ae3950ea62ca5d781f69c9542c7250dd4b44c77033578b74e4ba41df
SHA512 f05bfe0405e746f5cc623cf8c4c0b237118f738536a1e5aa1bb51097f3a9a092bcafc9bb5d549b5bb2da5e1b001a52a69b46eece021a2c4c571bd2ee936af20f

memory/4280-374-0x00000000240F0000-0x0000000024152000-memory.dmp
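The behavioural signatures above (the Run values, the server.exe drop under System32/SysWOW64, the memory writes into Explorer.EXE, the repeated contact with www.server.com) translate directly into host-level checks. The following is an added example and is not part of this sandbox report: a small Python matcher that turns the report's indicators into detection logic over Sysmon-style events (IDs 1, 3, 10, 11 and 13). The indicator values are copied from the report; the event records are constructed for the example and are not telemetry from the detonation, although the field names (TargetObject, Details, GrantedAccess, Hashes) follow Sysmon's. Sysmon does not log WriteProcessMemory itself; the closest proxy, and the one used here, is an EID 10 ProcessAccess on explorer.exe whose GrantedAccess includes PROCESS_VM_WRITE (0x20).

```python
"""Match the indicators from this report against Sysmon-style host events.

Added example, not part of the sandbox report. Indicator values (hashes,
paths, Run value names, C2 destination) are copied from the report; the
event records below are constructed and are not real telemetry.
"""
from __future__ import annotations

import re
from typing import Iterable

# --- indicators lifted from the report -------------------------------------
SAMPLE_SHA256 = "57f237109e20aa6c529841d017c8e31596275df1201ae2bf345610d5f23e1278"
KNOWN_SHA256 = {
    SAMPLE_SHA256,  # the dropped server.exe is a byte-identical copy of the sample
    "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46",  # Roaming\logs.dat
    "962b844b34056933a198260d635f18aeb0943f5a5bfe9bc8e1cd21e2d2e23201",  # Temp\XX--XX--XX.txt
}
RUN_VALUE_NAMES = {"HKLM", "HKCU"}          # odd value names the sample writes under ...\Run
C2_HOSTS = {"www.server.com"}
C2_ADDRS = {"52.8.126.80"}

PROCESS_VM_WRITE = 0x20                     # access-right bit in Sysmon EID 10 GrantedAccess

# server.exe under either System32 or the WOW64-redirected SysWOW64 path
_INSTALL_PATH = re.compile(r"\\windows\\(system32|syswow64)\\install\\server\.exe$", re.I)
_RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$", re.I)


def _sha256_of(ev: dict) -> str:
    """Pull SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes string."""
    for part in ev.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def match_event(ev: dict) -> list[str]:
    """Return the indicator names an event hits (empty list means no hit)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 1 and _sha256_of(ev) in KNOWN_SHA256:          # process create with a known hash
        hits.append("known_hash")
    if eid == 11 and _INSTALL_PATH.search(ev.get("TargetFilename", "")):  # file create
        hits.append("dropped_install_server_exe")
    if eid == 13:                                             # registry value set
        key = _RUN_KEY.search(ev.get("TargetObject", ""))
        data = ev.get("Details", "").strip('"')
        if key and (key.group("name") in RUN_VALUE_NAMES or _INSTALL_PATH.search(data)):
            hits.append("run_key_persistence")
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
        try:                                                  # process access to explorer
            granted = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            granted = 0
        if granted & PROCESS_VM_WRITE:
            hits.append("explorer_memory_write")
    if eid == 3 and (ev.get("DestinationIp") in C2_ADDRS      # network connection
                     or ev.get("DestinationHostname") in C2_HOSTS):
        hits.append("c2_contact")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each indicator name to the RecordIds of the events that hit it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in match_event(ev):
            findings.setdefault(name, []).append(ev["RecordId"])
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe"
SAMPLE_EVENTS = [  # constructed events modelled on the behaviour recorded in the report
    {"RecordId": "e1", "EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\SysWOW64\install\server.exe"},
    {"RecordId": "e2", "EventID": 1, "Image": r"C:\Windows\SysWOW64\install\server.exe",
     "CommandLine": r'"C:\Windows\system32\install\server.exe"',
     "Hashes": f"SHA256={SAMPLE_SHA256},MD5=b53e52adadcefcfca9271af10635bae1"},
    {"RecordId": "e3", "EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "Details": r"C:\Windows\system32\install\server.exe"},
    {"RecordId": "e4", "EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\system32\install\server.exe"},
    {"RecordId": "e5", "EventID": 10, "SourceImage": SAMPLE,
     "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    {"RecordId": "e6", "EventID": 3, "DestinationIp": "52.8.126.80",
     "DestinationPort": 80, "DestinationHostname": "www.server.com"},
    # benign noise that must not fire: a normal Run value and a query-only handle to explorer
    {"RecordId": "e7", "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"RecordId": "e8", "EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for name, ids in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name:28s} {', '.join(ids)}")
```

The value-name check ("HKLM"/"HKCU" as Run value names) is specific to this build and cheap to change, so the durable conditions are the install\server.exe path in the Run data, the SysWOW64\install\ file drop and the hash match; the explorer.exe access check is deliberately limited to handles that carry write rights so that Task Manager style query-only handles (e8) stay quiet. On a 64-bit host remember that the Run data path names system32 while the file lives under SysWOW64, which is why the regex accepts both directories.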

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 17:22

Reported

2024-03-05 17:24

Platform

win7-20240220-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
(10 matches; no description, indicator, process or target was recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe C:\Windows\Explorer.EXE
(this identical entry is recorded 64 times: PID 2348, the submitted sample, repeatedly writing into PID 1196, the desktop shell C:\Windows\Explorer.EXE)

Processes

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Image: C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b53e52adadcefcfca9271af10635bae1.exe"

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

Image: C:\Windows\SysWOW64\install\server.exe
Command line: "C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 www.server.com udp 1
US 52.8.126.80:80 www.server.com tcp 20

Files

memory/2348-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1196-4-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/2248-249-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2248-251-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2248-527-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 b53e52adadcefcfca9271af10635bae1
SHA1 929ff81e1adcf798e78b684ce4031366eb10e8e6
SHA256 57f237109e20aa6c529841d017c8e31596275df1201ae2bf345610d5f23e1278
SHA512 282f56ffa44f5a623a3ef1a7205a27bfd318cdf303ef11711894313c94a4a0559bbf96d861938131b01930c72c86391034a4134d6f6f9c390b02cb7bb76a5e4e

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
